Configure Remote Access VPN Secondary Authentication

Step 1

On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.

Step 2

Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy.

Step 3

For a new remote access VPN policy, configure the authentication while selecting connection profile settings. For an existing configuration, select the connection profile that includes the client profile, and click Edit.

Step 4

Click AAA > Authentication Method, AAA or Client Certificate & AAA.

• When you select the Authentication Method as:

  Client Certificate & AAA—Authentication is done using both client certificate and AAA server.

  • AAA—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. Whenever you select AD and LDAP from the Authentication Server drop-down list, you must manually select the Authorization Server and Accounting Server respectively.

  • Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

• Use secondary authentication — Secondary authentication is configured in addition to primary authentication to provide additional security for VPN sessions. Secondary authentication is applicable only to AAA only and Client Certificate & AAA authentication methods.

  Secondary authentication is an optional feature that requires a VPN user to enter two sets of username and password on the Secure Client login screen. You can also configure to pre-fill the secondary username from the authentication server or client certificate. Remote access VPN authentication is granted only if both primary and secondary authentications are successful. VPN authentication is denied if any one of the authentication servers is not reachable or one authentication fails.

  You must configure a secondary authentication server group (AAA server) for the second username and password before configuring secondary authentication. For example, you can set the primary authentication server to an LDAP or Active Directory realm and the secondary authentication to a RADIUS server.

  Note	By default, secondary authentication is not required.

  Authentication Server— Secondary authentication server to provide secondary username and password for VPN users.

  Select the following under Username for secondary authentication:

  • Prompt: Prompts the users to enter the username and password while logging on to VPN gateway.

  • Use primary authentication username: The username is taken from the primary authentication server for both primary and secondary authentication; you must enter two passwords.

  • Map username from client certificate: Prefills the secondary username from the client certificate.

    • If you select Map specific field option, which includes the username from the client certificate. The Primary and Secondary fields display default values: CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN (Distinguished Name) as username option, the system automatically retrieves the user identity.

      See Authentication Method descriptions for more information about primary and secondary field mapping.

    • Prefill username from certificate on user login window: Prefills the secondary username from the client certificate when the user connects via Secure Client.

      • Hide username in login window: The secondary username is pre-filled from the client certificate, but hidden to the user so that the user does not modify the pre-filled username.

  • Use secondary username for VPN session: The secondary username is used for reporting user activity during a VPN session.