Instead of a local user, you can add an external authentication server (AD, LDAP, RADIUS, or RSA) that is bound to the SSL gateway. All users with accounts on the bound authentication server can be authenticated.

Authentication over SSL VPN must complete within 3 minutes. This maximum is set because the non-authentication timeout is 3 minutes; the non-authentication timeout value is not configurable.

Note: Users are not authenticated when either of the following conditions occurs:

- The AD authentication timeout is set to more than 3 minutes.
- The environment has multiple authentication servers in chained authentication and user authentication takes more than 3 minutes in total.

1. Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.
   See Log In and Navigate to Advanced Networking Services for information.

2. Click the SSL VPN-Plus tab and then click Authentication.

3. Click the Add icon.
   The Add Authentication Server dialog box appears.

4. Select the type of authentication server: AD, LDAP, RADIUS, RSA-ACE, or LOCAL.

5. Depending on the type of authentication server you selected, complete the following fields.

AD and LDAP authentication servers

AD and LDAP Authentication Server Options

Enable SSL
    Uses SSL to encrypt the connection between the edge gateway and the authentication server.

IP Address
    The IP address of the authentication server.

Port
    Displays the default port number. Edit if required.

Timeout
    The time in seconds within which the AD or LDAP server must respond.

Status
    Enables or disables the server.

Search base
    The part of the external directory tree to search. The search base can be equivalent to the organization, group, or domain name (AD) of the external directory.

Bind DN
    The distinguished name of the account that the edge gateway binds as to search the external directory within the defined search base. Typically, the bind DN account is permitted to search the entire directory. The edge gateway uses this account to query the directory, using the search filter and search base, for the DN (distinguished name) of the authenticating AD user. When the DN is returned, that DN and the user's password are used to authenticate the AD user.

Bind Password
    The password of the bind DN account.

Retype Bind Password
    Retype the bind password to confirm it.

Login Attribute Name
    The attribute against which the user ID entered by the remote user is matched. For Active Directory, the login attribute name is sAMAccountName.

Search Filter
    An additional filter that limits the search. The search filter format is attribute operator value.

Use this server for secondary authentication
    Whether to use the server as the second level of authentication.

Terminate Session if authentication fails
    Ends the session when authentication fails.
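The Bind DN, Login Attribute Name, and Search Filter fields together describe a search-then-bind flow: the gateway binds as the bind DN, searches under the search base for the one entry whose login attribute matches the user ID (ANDed with the search filter), and then binds as that entry's DN with the user's password. The following added example, which is not VMware's code and not how the edge gateway is implemented internally, models that flow against a constructed in-memory directory. It also shows the check a defender cares about at this step: the user-supplied ID must be escaped (RFC 4515) before it is placed into the filter, otherwise a login ID such as `*` would match every account. The directory entries, passwords, DNs, and the `LdapServerConfig` class are all constructed for the example.

```python
"""Search-then-bind LDAP authentication, as the Bind DN field describes it (added example)."""
import re
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied login ID so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login_attribute: str, login_value: str, search_filter: str = "") -> str:
    """AND the login-attribute match with the administrator's own search filter."""
    user_clause = f"({login_attribute}={escape_filter_value(login_value)})"
    return f"(&{user_clause}{search_filter})" if search_filter else user_clause


# Minimal evaluator for '(attr=value)' and '(&...)' filters over an in-memory directory.
def _parse(expr: str, i: int = 0):
    if expr[i + 1] == "&":
        children, i = [], i + 2
        while expr[i] != ")":
            node, i = _parse(expr, i)
            children.append(node)
        return ("and", children), i + 1
    end = expr.index(")", i)
    attr, value = expr[i + 1:end].split("=", 1)
    return ("eq", attr, value), end + 1


def _matches(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, pattern = node
    regex = ""
    for part in re.split(r"(\*|\\[0-9a-fA-F]{2})", pattern):
        if part == "*":
            regex += ".*"  # an unescaped '*' is an LDAP wildcard
        elif len(part) == 3 and part[0] == "\\":
            regex += re.escape(chr(int(part[1:], 16)))  # '\2a' is a literal '*'
        else:
            regex += re.escape(part)
    return re.fullmatch(regex, entry.get(attr, "")) is not None


# Constructed directory standing in for the AD server; no real accounts.
DIRECTORY = {
    "CN=svc-vpn,OU=Service Accounts,DC=example,DC=com": {
        "sAMAccountName": "svc-vpn", "userPassword": "bind-secret-constructed"},
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "jdoe", "userPassword": "jane-pw-constructed",
        "memberOf": "CN=VPN Users,OU=Groups,DC=example,DC=com"},
    "CN=Bob Roe,OU=Users,DC=example,DC=com": {
        "sAMAccountName": "broe", "userPassword": "bob-pw-constructed",
        "memberOf": "CN=Staff,OU=Groups,DC=example,DC=com"},
}


def ldap_search(search_base: str, ldap_filter: str) -> list:
    """Return the DNs under search_base whose attributes satisfy ldap_filter."""
    node, _ = _parse(ldap_filter)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(search_base) and _matches(node, attrs)]


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind. An empty password would be an anonymous bind, so it never counts as success."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["userPassword"] == password


@dataclass
class LdapServerConfig:  # hypothetical holder for the form's fields
    search_base: str
    bind_dn: str
    bind_password: str
    login_attribute: str = "sAMAccountName"  # the page's value for Active Directory
    search_filter: str = ""


def authenticate(cfg: LdapServerConfig, user_id: str, password: str) -> bool:
    """Bind as the service account, find exactly one user DN, then bind as that DN."""
    if not ldap_bind(cfg.bind_dn, cfg.bind_password):
        return False
    dns = ldap_search(cfg.search_base,
                      build_search_filter(cfg.login_attribute, user_id, cfg.search_filter))
    if len(dns) != 1:
        return False  # no match, or an ambiguous match, fails closed
    return ldap_bind(dns[0], password)


CONFIG = LdapServerConfig(
    search_base="DC=example,DC=com",
    bind_dn="CN=svc-vpn,OU=Service Accounts,DC=example,DC=com",
    bind_password="bind-secret-constructed",
    search_filter="(memberOf=CN=VPN Users,OU=Groups,DC=example,DC=com)",
)
```

Two design points carry over to a real deployment: the search must return exactly one entry before the second bind (an ambiguous match fails closed), and an empty password must be rejected before binding, because many directories treat a bind with an empty password as an anonymous bind that "succeeds".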

RADIUS authentication server

RADIUS Authentication Server Options

IP Address
    The IP address of the external RADIUS server.

Port
    Displays the default port number. Edit if required.

Timeout
    The time in seconds within which the RADIUS server must respond.

Status
    Enables or disables the server.

Secret
    The shared secret configured on the RADIUS server for this edge gateway (the RADIUS client).

Retype secret
    Retype the shared secret to confirm it.

NAS IP Address
    Configures the IP address sent as RADIUS attribute 4 (NAS-IP-Address) without changing the source IP address in the IP header of the RADIUS packets.

Retry Count
    The number of times to contact the RADIUS server when it does not respond before the authentication fails.

Use this server for secondary authentication
    Whether to use the server as the second level of authentication.

Terminate Session if authentication fails
    Ends the session when authentication fails.

RSA-ACE authentication server

RSA-ACE Authentication Server Options

Timeout
    The time in seconds within which the RSA server must respond.

Configuration File
    Click Browse to select the sdconf.rec file that you downloaded from the RSA Authentication Manager.

Status
    Enables or disables the server.

Source IP Address
    The IP address of the edge gateway interface through which the RSA server is accessible.

Use this server for secondary authentication
    Whether to use the server as the second level of authentication.

Terminate Session if authentication fails
    Ends the session when authentication fails.

Note: Adding a user for SSL VPN-Plus automatically adds a local authentication server on the SSL VPN-Plus > Authentication page and configures the default values. If necessary, select Enable password policy and Enable account lockout policy to view and edit the default values. See Add an SSL VPN-Plus User for information.

Local authentication server

Local Authentication Server Options

Enable password policy
    Defines a password policy. Specify the required values.
    You must set a minimum length, the time until expiration, and when users are notified of expiration. All other fields are optional.

Enable account lockout policy
    (Optional) Defines an account lockout policy. Specify the required values.
    a. In Retry Count, type the number of times a remote user can try to access his or her account after entering an incorrect password.
    b. In Retry Duration, type the time period within which the unsuccessful login attempts are counted.
       For example, if you specify the Retry Count as 5 and Retry Duration as 1 minute, the remote user's account is locked if he or she makes 5 unsuccessful login attempts within 1 minute.
    c. In Lockout Duration, type the time period for which the user account remains locked. After this time, the account is automatically unlocked.

Status
    Enables or disables the server.

Use this server for secondary authentication
    (Optional) Whether to use the server as the second level of authentication.

Terminate Session if authentication fails
    (Optional) Ends the session when authentication fails.
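The password policy and account lockout policy fields above define behaviour rather than a single value, so the following added example (not VMware's code and not the edge gateway's own implementation) spells out the semantics described: a minimum password length, expiry after a set number of days with a notification window before it, and a sliding-window lockout in which Retry Count failures within Retry Duration lock the account for Lockout Duration, after which it unlocks automatically. The `PasswordPolicy`, `LockoutPolicy`, and `AccountLockoutTracker` classes, the 300-second lockout value, and the user and credential values are constructed for the example; `simulate_page_example` walks through the page's own 5 attempts in 1 minute case.

```python
"""Local authentication server policies: password policy and account lockout (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:  # hypothetical holder for the form's required fields
    minimum_length: int = 8
    expires_after_days: int = 90
    notify_before_days: int = 7

    def check_length(self, password: str) -> bool:
        return len(password) >= self.minimum_length

    def status(self, set_day: int, today: int) -> str:
        """'ok', 'expiring' (inside the notification window) or 'expired'."""
        age = today - set_day
        if age >= self.expires_after_days:
            return "expired"
        if age >= self.expires_after_days - self.notify_before_days:
            return "expiring"
        return "ok"


@dataclass
class LockoutPolicy:  # hypothetical holder for Retry Count / Retry Duration / Lockout Duration
    retry_count: int = 5          # failures allowed ...
    retry_duration: int = 60      # ... within this many seconds (the page's 1 minute)
    lockout_duration: int = 300   # seconds the account stays locked (constructed value)


@dataclass
class AccountLockoutTracker:
    policy: LockoutPolicy
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]   # Lockout Duration elapsed: automatic unlock
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure locked the account."""
        window = self.failures[user]
        window.append(now)
        # Only failures inside the Retry Duration window count (sliding window).
        while window and now - window[0] > self.policy.retry_duration:
            window.popleft()
        if len(window) >= self.policy.retry_count:
            self.locked_until[user] = now + self.policy.lockout_duration
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def attempt_login(tracker: AccountLockoutTracker, credentials: dict,
                  user: str, password: str, now: float) -> str:
    """Return 'locked', 'ok', 'failed' or 'failed-locked' (this failure triggered the lockout)."""
    if tracker.is_locked(user, now):
        return "locked"  # rejected without evaluating the password
    if credentials.get(user) == password:
        tracker.record_success(user)
        return "ok"
    return "failed-locked" if tracker.record_failure(user, now) else "failed"


def simulate_page_example() -> list:
    """Retry Count 5, Retry Duration 1 minute: the fifth bad password inside a minute locks the account."""
    tracker = AccountLockoutTracker(LockoutPolicy(retry_count=5, retry_duration=60, lockout_duration=300))
    creds = {"remote-user": "correct-horse-constructed"}  # constructed credential store
    outcomes = [attempt_login(tracker, creds, "remote-user", "wrong", t) for t in (0, 10, 20, 30, 40)]
    outcomes.append(attempt_login(tracker, creds, "remote-user", "correct-horse-constructed", 50))
    outcomes.append(attempt_login(tracker, creds, "remote-user", "correct-horse-constructed", 341))
    return outcomes
```

Note that a locked account rejects even the correct password until Lockout Duration has elapsed, and that failures spread more thinly than Retry Count per Retry Duration never lock the account; both are worth verifying against the values you set before exposing the gateway.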

6. Click OK.

Create an installation package containing the SSL Client so that remote users can install it on their local systems. See Add an Installation Package.

If necessary, add local users who are not members of external authentication servers so that they can connect with SSL VPN-Plus. See Add an SSL VPN-Plus User.