Instead of a local user, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) that is bound to the SSL gateway. All users with accounts on the bound authentication server can then be authenticated.

About this task

The maximum time to authenticate over SSL VPN is 3 minutes, because the authentication timeout is fixed at 3 minutes and is not a configurable property. So if the AD authentication timeout is set to more than 3 minutes, or if multiple authentication servers are chained and the total time taken to authenticate a user exceeds 3 minutes, the user will not be authenticated.

Procedure

  1. In the SSL VPN-Plus tab, select Authentication from the left panel.
  2. Click the Add icon.
  3. Select the type of authentication server.
  4. Depending on the type of authentication server you selected, complete the following fields.
    • AD authentication server

      Table 1. AD Authentication Server Options

      Option

      Description

      Enable SSL

      Enabling SSL establishes an encrypted link between a web server and a browser.

      Note:

      There might be issues if you do not enable SSL and try to change password using SSL VPN-Plus tab or from client machine later.

      IP Address

      IP address of the authentication server.

      Port

      Displays the default port. Edit if required.

      Timeout

      Period in seconds within which the AD server must respond.

      Status

      Select Enabled or Disabled to indicate whether the server is enabled.

      Search base

      Part of the external directory tree to search. The search base may be something equivalent to the organizational unit (OU), domain controller (DC), or domain name (AD) of external directory.

      Examples:

      • OU=Users,DC=aslan,DC=local

      • OU=VPN,DC=aslan,DC=local

      Bind DN

      User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory using the query filter and search base for the DN (distinguished name) for authenticating AD users. When the DN is returned, the DN and password are used to authenticate the AD user.

      Example: CN=ldap.edge,OU=users,OU=Datacenter Users,DC=aslan,DC=local

      Bind Password

      Password to authenticate the AD user.

      Retype Bind Password

      Retype the password.

      Login Attribute Name

      Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.

      Search Filter

      Filter values by which the search is to be limited. The search filter format is attribute operator value.

      If you need to limit the search to a specific group in the AD rather than allowing searches across the entire OU, then:

      • Do not put the group name inside the search base; put only the OU and DC components there.

      • Do not put both objectClass and memberOf inside the same search filter string. Example of the correct format for the search filter: memberOf=CN=VPN_Users,OU=Users,DC=aslan,DC=local

      Use this server for secondary authentication

      If selected, this AD server is used as the second level of authentication.

      Terminate Session if authentication fails

      When selected, the session is ended if authentication fails.

    • LDAP authentication server

      Table 2. LDAP Authentication Server Options

      Option

      Description

      Enable SSL

      Enabling SSL establishes an encrypted link between a web server and a browser.

      IP Address

      IP address of the external server.

      Port

      Displays the default port. Edit if required.

      Timeout

      Period in seconds within which the LDAP server must respond.

      Status

      Select Enabled or Disabled to indicate whether the server is enabled.

      Search base

      Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of external directory.

      Bind DN

      User on the external server permitted to search the directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory, using the search filter and search base, for the DN (distinguished name) of the user being authenticated. When the DN is returned, the DN and the user's password are used to authenticate the user.

      Bind Password

      Password to authenticate the AD user.

      Retype Bind Password

      Retype the password.

      Login Attribute Name

      Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.

      Search Filter

      Filter values by which the search is to be limited. The search filter format is attribute operator value.

      Use this server for secondary authentication

      If selected, this server is used as the second level of authentication.

      Terminate Session if authentication fails

      When selected, the session is ended if authentication fails.

    • RADIUS authentication server

      RADIUS authentication is disabled in FIPS mode.

      Table 3. RADIUS authentication server options

      Option

      Description

      IP Address

      IP address of the external server.

      Port

      Displays the default port. Edit if required.

      Timeout

      Period in seconds within which the RADIUS server must respond.

      Status

      Select Enabled or Disabled to indicate whether the server is enabled.

      Secret

      Shared secret specified while adding the authentication agent in the RSA security console.

      Retype secret

      Retype the shared secret.

      NAS IP Address

      IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.

      Retry Count

      Number of times the RADIUS server is to be contacted if it does not respond before the authentication fails.

      Use this server for secondary authentication

      If selected, this server is used as the second level of authentication.

      Terminate Session if authentication fails

      When selected, the session is ended if authentication fails.

    • RSA-ACE authentication server

      RSA authentication is disabled in FIPS mode.

      Table 4. RSA-ACE authentication server options

      Option

      Description

      Timeout

      Period in seconds within which the RSA server must respond.

      Configuration File

      Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.

      Status

      Select Enabled or Disabled to indicate whether the server is enabled.

      Source IP Address

      IP address of the NSX Edge interface through which the RSA server is accessible.

      Use this server for secondary authentication

      If selected, this server is used as the second level of authentication.

      Terminate Session if authentication fails

      When selected, the session is ended if authentication fails.

    • Local authentication server

      Table 5. Local authentication server options

      Option

      Description

      Enable password policy

      If selected, defines a password policy. Specify the required values.

      Enable account lockout policy

      If selected, defines an account lockout policy. Specify the required values.

      1. In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.

      2. In Retry Duration, type the time period in which the remote user's account gets locked on unsuccessful login attempts.

        For example, if you specify Retry Count as 5 and Retry Duration as 1 minute, the remote user's account is locked if that user makes 5 unsuccessful login attempts within 1 minute.

      3. In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.

      Status

      Select Enabled or Disabled to indicate whether the server is enabled.

      Use this server for secondary authentication

      If selected, this server is used as the second level of authentication.

      Terminate Session if authentication fails

      When selected, the session is ended if authentication fails.
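The following is an added illustration of how the AD/LDAP options above (search base, login attribute, search filter) combine into the directory lookup that resolves a remote user's DN before the password bind; it is not NSX code. It also applies the two rules given for group-restricted searches (OU/DC-only search base, no objectClass together with memberOf) and escapes the user-supplied login ID per RFC 4515 so a remote user cannot alter the filter. The sample values reuse the page's aslan.local examples.

```python
import re

# Constructed values taken from the AD table's examples (assumed configuration).
SEARCH_BASE = "OU=Users,DC=aslan,DC=local"
LOGIN_ATTRIBUTE = "sAMAccountName"
SEARCH_FILTER = "memberOf=CN=VPN_Users,OU=Users,DC=aslan,DC=local"

# The table requires a single "attribute operator value" clause.
_CLAUSE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(=|>=|<=|~=)(.+)$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the login ID is typed by the remote user, so any
    filter metacharacter in it is hex-escaped instead of being interpreted."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def check_search_base(search_base: str) -> None:
    """Enforce the rule: only OU and DC components, never the group name."""
    for rdn in search_base.split(","):
        if not rdn.strip().upper().startswith(("OU=", "DC=")):
            raise ValueError(f"search base must contain only OU/DC: {rdn.strip()!r}")


def check_search_filter(search_filter: str) -> None:
    """Enforce the format rule and the objectClass/memberOf rule."""
    if not _CLAUSE.match(search_filter):
        raise ValueError("search filter must be 'attribute operator value'")
    lowered = search_filter.lower()
    if "objectclass" in lowered and "memberof" in lowered:
        raise ValueError("do not combine objectClass and memberOf in one filter")


def build_user_search(login_id, search_base=SEARCH_BASE,
                      login_attribute=LOGIN_ATTRIBUTE, search_filter=SEARCH_FILTER):
    """Return (base, filter) for the search the bind DN performs to find the
    user's DN. The configured filter is admin-entered and used verbatim; only
    the remote user's login ID is escaped."""
    check_search_base(search_base)
    check_search_filter(search_filter)
    user_clause = f"({login_attribute}={escape_filter_value(login_id)})"
    return search_base, f"(&{user_clause}({search_filter}))"
```

The returned filter is what would be sent with the search base; the DN of the single matching entry is then used, with the remote user's password, for the authenticating bind.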
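As an added model (not NSX code) of the Local server lockout options above, the class below implements the Retry Count, Retry Duration and Lockout Duration semantics described in steps 1 to 3: an account is locked once the configured number of failures falls inside one Retry Duration window, and unlocks automatically after Lockout Duration. Times are plain seconds passed in by the caller; the defaults are the page's 5 attempts within 1 minute, with an assumed 5-minute lockout.

```python
from collections import deque


class LockoutPolicy:
    """Sliding-window account lockout matching the Local server options."""

    def __init__(self, retry_count=5, retry_duration=60, lockout_duration=300):
        self.retry_count = retry_count          # Retry Count
        self.retry_duration = retry_duration    # Retry Duration, seconds
        self.lockout_duration = lockout_duration  # Lockout Duration, seconds
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        """True while the lock is active; expired locks are cleared automatically."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Register a bad password; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        window = self._failures.setdefault(user, deque())
        window.append(now)
        # Keep only failures that fall within the Retry Duration window.
        while window and now - window[0] > self.retry_duration:
            window.popleft()
        if len(window) >= self.retry_count:
            self._locked_until[user] = now + self.lockout_duration
            window.clear()
            return True
        return False

    def record_success(self, user, now):
        """A successful login (on an unlocked account) resets the failure window."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True
```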