Instead of a local user, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) that is bound to the SSL gateway. All users with accounts on the bound authentication server can be authenticated.

The maximum time to authenticate over SSL VPN is 3 minutes, because the non-authentication timeout is 3 minutes and is not a configurable property. If the AD authentication timeout is set to more than 3 minutes, or multiple authentication servers are chained and the total time taken to authenticate the user exceeds 3 minutes, authentication fails.

1. In the SSL VPN-Plus tab, select Authentication from the left panel.

2. Click the Add icon.

3. Select the type of authentication server.

4. Depending on the type of authentication server you selected, complete the following fields.

AD authentication server

AD Authentication Server Options

Enable SSL: Enabling SSL establishes an encrypted link to the AD server.
IP Address: IP address of the authentication server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the AD server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Search base: Part of the external directory tree to search. The search base is typically the organization, group, or domain name (AD) of the external directory.
Bind DN: User on the external AD server permitted to search the AD directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The bind DN queries the directory, using the search filter and search base, for the DN (distinguished name) of the AD user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the AD user.
Bind Password: Password of the Bind DN user.
Retype Bind Password: Retype the password.
Login Attribute Name: Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
Search Filter: Filter values by which the search is limited. The search filter format is attribute operator value.
Use this server for secondary authentication: If selected, this AD server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

LDAP authentication server

LDAP Authentication Server Options

Enable SSL: Enabling SSL establishes an encrypted link to the LDAP server.
IP Address: IP address of the external server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the LDAP server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Search base: Part of the external directory tree to search. The search base is typically the organization, group, or domain name of the external directory.
Bind DN: User on the external server permitted to search the directory within the defined search base. Most of the time, the bind DN is permitted to search the entire directory. The bind DN queries the directory, using the search filter and search base, for the DN (distinguished name) of the user being authenticated. When the DN is returned, that DN and the user's password are used to authenticate the user.
Bind Password: Password of the Bind DN user.
Retype Bind Password: Retype the password.
Login Attribute Name: Attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.
Search Filter: Filter values by which the search is limited. The search filter format is attribute operator value.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
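The search-then-bind flow that the Bind DN rows of the AD and LDAP tables describe, as an added example that is not NSX code: a constructed in-memory directory stands in for the real server, the Search Filter is taken in the page's "attribute operator value" form with "=" as the operator, and user IDs are escaped per RFC 4515 before they are placed in the filter.

```python
# Constructed sample directory standing in for the AD/LDAP server:
# DN -> (attributes, password). Not real data.
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": (
        {"sAMAccountName": "jdoe", "memberOf": "CN=vpn,DC=example,DC=com"},
        "correct-horse"),
    "CN=Bob Ray,OU=Staff,DC=example,DC=com": (
        {"sAMAccountName": "bray", "memberOf": "CN=staff,DC=example,DC=com"},
        "battery-staple"),
    "CN=svc-bind,OU=Service,DC=example,DC=com": (
        {"sAMAccountName": "svc-bind"}, "bind-secret"),
}

def escape_filter_value(value):
    """RFC 4515 escaping so a user ID cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(login_attr, user_id, search_filter=""):
    """Filter sent to the directory: Login Attribute Name ANDed with Search Filter."""
    term = "(%s=%s)" % (login_attr, escape_filter_value(user_id))
    return "(&%s(%s))" % (term, search_filter) if search_filter else term

def _matches(dn, attrs, search_base, login_attr, user_id, search_filter):
    if not dn.lower().endswith(search_base.lower()):
        return False                      # entry lies outside the Search base
    if attrs.get(login_attr) != user_id:
        return False                      # Login Attribute Name does not match
    if search_filter:
        attr, _, value = search_filter.partition("=")
        return attrs.get(attr) == value   # extra Search Filter condition
    return True

def authenticate(bind_dn, bind_pw, search_base, login_attr, search_filter,
                 user_id, password):
    """Return (result, dn); result is 'bind-dn-failed', 'not-found', 'bad-password' or 'ok'."""
    if DIRECTORY.get(bind_dn, ({}, None))[1] != bind_pw:
        return "bind-dn-failed", None     # step 1: bind as the Bind DN service account
    hits = [dn for dn, (attrs, _) in DIRECTORY.items()
            if _matches(dn, attrs, search_base, login_attr, user_id, search_filter)]
    if len(hits) != 1:
        return "not-found", None          # step 2: exactly one DN must be returned
    ok = DIRECTORY[hits[0]][1] == password
    return ("ok" if ok else "bad-password"), hits[0]   # step 3: bind as that DN

if __name__ == "__main__":
    print(build_filter("sAMAccountName", "jdoe*)(objectClass=*"))
    print(authenticate("CN=svc-bind,OU=Service,DC=example,DC=com", "bind-secret",
                       "DC=example,DC=com", "sAMAccountName",
                       "memberOf=CN=vpn,DC=example,DC=com", "jdoe", "correct-horse"))
```

A Search Filter that restricts membership (here memberOf) keeps users who exist in the directory but are outside the intended group from reaching the password check at all.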

RADIUS authentication server

RADIUS Authentication Server Options

IP Address: IP address of the external server.
Port: Displays the default port. Edit if required.
Timeout: Period in seconds within which the RADIUS server must respond.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Secret: Shared secret specified while adding the authentication agent in the RSA security console.
Retype secret: Retype the shared secret.
NAS IP Address: IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.
Retry Count: Number of times the RADIUS server is contacted again if it does not respond, before the authentication fails.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

RSA-ACE authentication server

RSA-ACE Authentication Server Options

Timeout: Period in seconds within which the RSA server must respond.
Configuration File: Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Source IP Address: IP address of the NSX Edge interface through which the RSA server is accessible.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.

Local authentication server

Local Authentication Server Options

Enable password policy: If selected, defines a password policy. Specify the required values.
Enable account lockout policy: If selected, defines an account lockout policy. Specify the required values.
  a. In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
  b. In Retry Duration, type the time period within which the unsuccessful login attempts must occur for the remote user's account to be locked.
     For example, if you specify Retry Count as 5 and Retry Duration as 1 minute, the remote user's account is locked if the user makes 5 unsuccessful login attempts within 1 minute.
  c. In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.
Status: Select Enabled or Disabled to indicate whether the server is enabled.
Use this server for secondary authentication: If selected, this server is used as the second level of authentication.
Terminate Session if authentication fails: When selected, the session is ended if authentication fails.
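The account lockout policy (Retry Count, Retry Duration, Lockout Duration) modelled as a sliding window, as an added example that is not NSX code: the caller passes the current time in seconds so the behaviour is deterministic, and the worked case is the page's own (5 attempts within 1 minute).

```python
from collections import deque

class AccountLockoutPolicy:
    """Sliding-window lockout: retry_count failures within retry_duration
    seconds lock the account for lockout_duration seconds. Hypothetical
    model of the Local authentication server options, not NSX's code."""

    def __init__(self, retry_count, retry_duration, lockout_duration):
        self.retry_count = retry_count
        self.retry_duration = retry_duration
        self.lockout_duration = lockout_duration
        self.failures = {}       # user -> deque of failure timestamps
        self.locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def _record_failure(self, user, now):
        window = self.failures.setdefault(user, deque())
        window.append(now)
        # Drop failures older than Retry Duration so only the recent burst counts.
        while window and now - window[0] > self.retry_duration:
            window.popleft()
        if len(window) >= self.retry_count:
            self.locked_until[user] = now + self.lockout_duration
            window.clear()
            return True
        return False

    def login(self, user, password_ok, now):
        """Return 'locked', 'denied' or 'ok' for one login attempt at time `now`."""
        if self.is_locked(user, now):
            return "locked"      # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        return "locked" if self._record_failure(user, now) else "denied"

def run_page_example():
    """Retry Count 5, Retry Duration 60 s, Lockout Duration 300 s (constructed)."""
    policy = AccountLockoutPolicy(5, 60, 300)
    burst = [policy.login("alice", False, t) for t in (0, 10, 20, 30, 40)]
    during_lock = policy.login("alice", True, 100)    # correct password, still locked
    after_lock = policy.login("alice", True, 341)     # lock expired at t=340
    spread = [policy.login("bob", False, t) for t in (0, 20, 40, 60, 80)]
    return burst, during_lock, after_lock, spread

if __name__ == "__main__":
    print(run_page_example())
```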