WatchGuard Technologies SSL VPN Benutzerhandbuch
Administration Guide
85
Configuring Double-Source Authentication
You can prevent the storage of one-time passwords in cache, which forces the user to enter their cre-
dentials again.
dentials again.
To prevent caching of one-time passwords
1
In the Administration Tool, click the Authentication tab.
2
Open the authentication realm that uses the one-time password.
3
Select Use the password one time and click Submit.
Configuring Double-Source Authentication
The Firebox SSL VPN Gateway supports double-source authentication. On the Authentication tab, you
can configure two types of authentication, such as LDAP and RSA SecurID for one realm. When users log
on to the Firebox SSL VPN Gateway using a Web browser, and double-source authentication is config-
ured, they are redirected automatically to a logon Web portal page. There, they type in their user name
and passwords for each type of authentication. If they are using the Secure Access Client to log on, the
Secure Access dialog box appears requesting the same information as the Web page.
There can be a mix of double-source authentication realms. For example, you can have one or more
realms for single authentication and then have one or more realms configured for double-source
authentication. In a mixed authentication environment, when users log on using either the Web
browser or Secure Access Client, they will see two password fields. If they are logging on using only one
authentication method, the second password field is left blank.
For more information about logging on using the Web-based portal page, see “Double-source Authen-
tication Portal Page” on page 43.
can configure two types of authentication, such as LDAP and RSA SecurID for one realm. When users log
on to the Firebox SSL VPN Gateway using a Web browser, and double-source authentication is config-
ured, they are redirected automatically to a logon Web portal page. There, they type in their user name
and passwords for each type of authentication. If they are using the Secure Access Client to log on, the
Secure Access dialog box appears requesting the same information as the Web page.
There can be a mix of double-source authentication realms. For example, you can have one or more
realms for single authentication and then have one or more realms configured for double-source
authentication. In a mixed authentication environment, when users log on using either the Web
browser or Secure Access Client, they will see two password fields. If they are logging on using only one
authentication method, the second password field is left blank.
For more information about logging on using the Web-based portal page, see “Double-source Authen-
tication Portal Page” on page 43.
To create and configure a double-source authentication realm
1
On the Authentication tab, click Authentication.
2
In Realm Name, type a name.
3
Select Two Source and then click Add.
4
In the Select Authentication Type dialog box, select the authentication types in Primary
Authentication Type and Secondary Authentication Type.
Authentication Type and Secondary Authentication Type.
5
Click Add.
6
On the Primary Authentication tab, configure the settings for the first authentication type and
click Submit.
click Submit.
7
On the Secondary Authentication tab, configure the settings for the second authentication type
and click Submit.
and click Submit.
8
On the Authorization tab, in Authorization Type, select the authorization type you want to use,
configure the settings, and click Submit.
configure the settings, and click Submit.
Double-source authentication works in reverse of how it is configured on the Firebox SSL VPN Gateway.
For example, if you configured RSA SecurID on the Secondary Authentication tab and LDAP on the
Primary Authentication tab, when users log on, they type their LDAP password in the first password
field and the RSA SecurID personal identification number (PIN) and passcode in the second password
field. When users click Connect, the Firebox SSL VPN Gateway authenticates using the RSA SecureID PIN
For example, if you configured RSA SecurID on the Secondary Authentication tab and LDAP on the
Primary Authentication tab, when users log on, they type their LDAP password in the first password
field and the RSA SecurID personal identification number (PIN) and passcode in the second password
field. When users click Connect, the Firebox SSL VPN Gateway authenticates using the RSA SecureID PIN