Instead of a local user, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) that is bound to the SSL gateway. All users with accounts on the bound authentication server are authenticated. The maximum time allowed to authenticate over SSL VPN is 3 minutes: the non-authentication timeout is 3 minutes and is not a configurable property. So if the AD authentication timeout is set to more than 3 minutes, or multiple authentication servers are chained and the total time taken to authenticate a user exceeds 3 minutes, the user is not authenticated.
Procedure
1 In the SSL VPN-Plus tab, select Authentication from the left panel.
2 Click the Add icon.
3 Select the type of authentication server.
4 Depending on the type of authentication server you selected, complete the following fields.
- AD authentication server
Table 8‑1. AD Authentication Server Options
Enable SSL: Enabling SSL establishes an encrypted link between a web server and a browser.
IP Address: IP address of the authentication server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the AD server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Search base: Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of the external directory.
Bind DN: User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory, using the search filter and search base, for the DN (distinguished name) of the AD user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the AD user.
Bind Password: Password of the bind DN user, used to authenticate to the AD server.
Retype Bind Password: Retype the password.
Login Attribute Name: Name against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
Search Filter: Filter values by which the search is to be limited. The search filter format is attribute operator value.
Use this server for secondary authentication: If selected, this AD server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- LDAP authentication server
Table 8‑2. LDAP Authentication Server Options
Enable SSL: Enabling SSL establishes an encrypted link between a web server and a browser.
IP Address: IP address of the external server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Search base: Part of the external directory tree to search. The search base may be something equivalent to the organization, group, or domain name (AD) of the external directory.
Bind DN: User on the external server permitted to search the directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The role of the bind DN is to query the directory, using the search filter and search base, for the DN (distinguished name) of the user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the user.
Bind Password: Password of the bind DN user, used to authenticate to the LDAP server.
Retype Bind Password: Retype the password.
Login Attribute Name: Name against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
Search Filter: Filter values by which the search is to be limited. The search filter format is attribute operator value.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
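The two-stage lookup that the Bind DN, Search base, Login Attribute Name and Search Filter rows of Tables 8‑1 and 8‑2 describe, as an added example that is not NSX code: bind as the service account named by Bind DN, search under Search base for the entry whose login attribute equals the user ID the remote user typed, then bind again as the returned DN with the user's own password. The in-memory directory, the configuration class and every entry name are constructed stand-ins; the login attribute defaults to sAMAccountName because that is the value the table gives for Active Directory. The example also shows why the user-typed login ID has to be escaped before it is spliced into the attribute operator value filter.

```python
"""
Added example (not NSX code): the search-then-bind flow described for the
Bind DN, Search base, Login Attribute Name and Search Filter options, run
against a constructed in-memory stand-in for the external directory.
"""
import re
from dataclasses import dataclass

# RFC 4515 escaping for a value placed inside "(attribute=value)". The value
# here is the login ID typed by the remote user, so it must be escaped or an
# ID such as "*" (or one containing ")") would change the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login_attribute: str, user_id: str) -> str:
    """Compose the 'attribute operator value' filter for one login attempt."""
    return f"({login_attribute}={escape_filter_value(user_id)})"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class InMemoryDirectory:
    """Constructed directory: DN -> attributes (userPassword holds the credential)."""

    def __init__(self, entries: dict[str, dict[str, str]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base: str, ldap_filter: str) -> list[str]:
        """Equality filter only; an unescaped '*' is a wildcard, as on a real server."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if m is None:
            raise ValueError(f"unsupported filter: {ldap_filter}")
        attr, raw = m.group(1), m.group(2)
        pattern = ".*".join(re.escape(_unescape(part)) for part in raw.split("*"))
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower())
                and re.fullmatch(pattern, e.get(attr, "")) is not None]


@dataclass
class AuthServerConfig:
    """Mirrors the table fields that drive the lookup (hypothetical class name)."""
    search_base: str
    bind_dn: str
    bind_password: str
    login_attribute: str = "sAMAccountName"  # the value the table gives for AD


def authenticate_user(directory: InMemoryDirectory, cfg: AuthServerConfig,
                      user_id: str, password: str) -> str:
    # 1. Bind as the service account named by Bind DN.
    if not directory.bind(cfg.bind_dn, cfg.bind_password):
        return "bind_dn_failed"
    # 2. Search under Search base for the entry whose login attribute matches.
    matches = directory.search(cfg.search_base, build_filter(cfg.login_attribute, user_id))
    if not matches:
        return "user_not_found"
    if len(matches) > 1:
        return "ambiguous"  # never bind as a guessed DN
    # 3. Bind again as the returned DN with the remote user's own password.
    return "ok" if directory.bind(matches[0], password) else "bad_password"


DIRECTORY = InMemoryDirectory({  # constructed sample entries
    "CN=svc-vpn,OU=Service,DC=example,DC=com": {"sAMAccountName": "svc-vpn", "userPassword": "svc-secret"},
    "CN=Alice,OU=Users,DC=example,DC=com": {"sAMAccountName": "alice", "userPassword": "alice-pw"},
    "CN=Bob,OU=Users,DC=example,DC=com": {"sAMAccountName": "bob", "userPassword": "bob-pw"},
})
CONFIG = AuthServerConfig(search_base="DC=example,DC=com",
                          bind_dn="CN=svc-vpn,OU=Service,DC=example,DC=com",
                          bind_password="svc-secret")

if __name__ == "__main__":
    print(authenticate_user(DIRECTORY, CONFIG, "alice", "alice-pw"))  # ok
    print(authenticate_user(DIRECTORY, CONFIG, "*", "alice-pw"))      # user_not_found
```

Run as a script it prints ok for alice and user_not_found for a login ID of "*": after escaping, the asterisk is a literal that matches no account, whereas the unescaped filter (sAMAccountName=*) returns every entry under the search base. Requiring exactly one match before the second bind is the check worth keeping in any implementation of this flow.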
- RADIUS authentication server
Table 8‑3. RADIUS authentication server options
IP Address: IP address of the external server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Secret: Shared secret specified while adding the authentication agent in the RSA security console.
Retype secret: Retype the shared secret.
NAS IP Address: IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
Retry Count: Number of times the RADIUS server is contacted if it does not respond before the authentication fails.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- RSA-ACE authentication server
Table 8‑4. RSA-ACE authentication server options
Timeout: Period in seconds within which the server must respond.
Configuration File: Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Source IP Address: IP address of the NSX Edge interface through which the RSA server is accessible.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
- Local authentication server
Table 8‑5. Local authentication server options
Enable password policy: If selected, defines a password policy. Specify the required values.
Enable account lockout policy: If selected, defines an account lockout policy. Specify the required values.
  1 In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
  2 In Retry Duration, type the time period in which the remote user's account gets locked on unsuccessful login attempts.
  For example, if you specify Retry Count as 5 and Retry Duration as 1 minute, the remote user's account will be locked if he makes 5 unsuccessful login attempts within 1 minute.
  3 In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
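The account lockout rule that Retry Count, Retry Duration and Lockout Duration define, as an added example that is not NSX code: a failure is counted only while it falls inside the Retry Duration window, the account locks when the count reaches Retry Count, and it unlocks by itself once Lockout Duration has elapsed. The policy values follow the table's own example (Retry Count 5, Retry Duration 1 minute); the 5-minute Lockout Duration, the user table, the timestamps and the class and method names are constructed. How a successful login affects the failure counter is not stated on the page, so the reset on success is labelled as an assumption in the code.

```python
"""
Added example (not NSX code): the account lockout rule described for the local
authentication server's Retry Count, Retry Duration and Lockout Duration,
applied to a constructed sequence of login attempts. Times are seconds on a
clock supplied by the caller, so the scenarios are deterministic.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    retry_count: int         # failed attempts that trigger a lock
    retry_duration: float    # window (seconds) in which those failures must fall
    lockout_duration: float  # seconds the account stays locked once triggered


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None


class LocalAuthenticator:
    """Checks a password against a constructed user table and enforces the policy."""

    def __init__(self, policy: LockoutPolicy, passwords: dict):
        self.policy = policy
        self._passwords = passwords
        self._states: dict = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        state = self._states.setdefault(user, AccountState())

        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"  # inside Lockout Duration: the password is not even checked
            # Lockout Duration has elapsed: automatically unlocked, history cleared.
            state.locked_until = None
            state.failures.clear()

        if self._passwords.get(user) == password:
            state.failures.clear()  # assumption: a successful login resets the failure count
            return "ok"

        # Keep only failures still inside the Retry Duration window, then add this one.
        state.failures = [t for t in state.failures if now - t < self.policy.retry_duration]
        state.failures.append(now)
        if len(state.failures) >= self.policy.retry_count:
            state.locked_until = now + self.policy.lockout_duration
            return "locked"
        return "bad_password"


# Retry Count 5 and Retry Duration 1 minute are the table's example; 5 minutes is a constructed Lockout Duration.
POLICY = LockoutPolicy(retry_count=5, retry_duration=60, lockout_duration=300)


def run_scenario(timestamps: list) -> list:
    """Send a wrong password at each timestamp, then the right one 1 s after the last."""
    auth = LocalAuthenticator(POLICY, {"alice": "correct-pw"})  # constructed user table
    results = [auth.attempt("alice", "wrong-pw", t) for t in timestamps]
    results.append(auth.attempt("alice", "correct-pw", timestamps[-1] + 1))
    return results


if __name__ == "__main__":
    # Five failures inside one minute: locked on the fifth, and the correct password is refused.
    print(run_scenario([0, 10, 20, 30, 40]))
    # The same five failures spread past one minute: the first has aged out, so no lock.
    print(run_scenario([0, 15, 30, 45, 61]))
```

The second scenario is the edge case the table's wording leaves implicit: five wrong passwords do not lock the account unless all five land within the Retry Duration window, so a failure older than the window must drop out of the count rather than accumulate indefinitely.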