Barracuda CloudGen Firewall Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for Barracuda CloudGen Firewall utilizing Mirket as the identity provider. Prior configuration and deployment of Barracuda CloudGen Firewall are required before setting up MFA with Mirket.

Barracuda CloudGen firewall offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.

This integration was tested with version v7.1.3-061 of Barracuda CloudGen firewall Vx VF10.

Preparation Steps

Before proceeding with these procedures, ensure the following:

You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).
End-users can access the Barracuda CloudGen Firewall Vx VF10.

Configuring Barracuda CloudGen Firewall

RADIUS Server Configuration

For RADIUS authentication in Barracuda CloudGen Firewall, you need to configure a RADIUS server (the Mirket server IP address).

Follow these steps to configure a RADIUS server:

Access the Barracuda CloudGen firewall using Barracuda NextGen Admin credentials to proceed.

Go to Configuration > Configuration Tree > Box > Infrastructure Services > Authentication Service.

Select the RADIUS Authentication option from the left-hand menu. Then click on Lock.
Select the Advanced View option from under the Configuration Mode in the left-hand menu.
Within the Radius Authentication area, choose the "Yes" option from the Activate Scheme dropdown list.
Choose the "RADIUS" option from the Method dropdown list.
Click on the "+" icon to add a RADIUS server in the Basic field.

Input the IP address of the Mirket (RADIUS server) into the Radius Server Address field.
Input the port number for communication with the Mirket (Radius Server) in the Radius Server Port field. The default Gateway ports are 1812 and 1645.
Assign a shared secret key to identify your RADIUS client in the Radius Server Key field. Make sure to use the same shared secret key while configuring your RADIUS client resource in Mirket.

Click on OK. Keep the remaining settings as default values.
Click on Send Changes and then click on Activation Pending.

Establishing an SSL VPN Server

Go to Configuration > Configuration Tree > Box > Virtual Servers > S1 > Assigned Services.
Right-click on Assigned Services and select Create Service.
Choose the "Yes" option from the Enable Service dropdown list.
Enter a unique service name that contains more than six characters in the Service Name field. Note: The service name can't be modified later.
Choose the "VPN Service" option from the Software Module dropdown list.
Choose the "First + Second-IP" option from the Service Availability dropdown list.

Click on Next. Keep the settings at their default values on the Statistics and Access Notification configuration pages.
Click on Finish and then click on Activate.

Disabling Port 443 for Site-to-Site and Client-to-Site VPN Connections

Go to Configuration > Configuration Tree > Box > Virtual Servers > S1 > Assigned Services > VPN-Service > VPN Settings.
Click on Lock then click on the "Click here for Server Settings" option.
Choose the "No" option in the Port 443 VPN Listener field.

Click on OK to confirm settings.
Click on Send Changes and then click on Activate.

SSL VPN Server Settings Configuration

Go to Configuration > Configuration Tree > Box > Virtual Servers > S1 > Assigned Services > VPN-Service > SSL-VPN.
Click on Lock.
Choose the "Yes" option from the Enable SSL VPN dropdown list.
Click on the "+" icon next to the Listen IPs field. This represents the external IP address that the SSL VPN listens on, typically used for internet connectivity.
Check the Restrict to Strong Ciphers Only checkbox.
Choose the "Generated-Certificate" option from the Identification Type dropdown list.

Select the Login option from the left-hand menu.
Choose the "RADIUS" option from the Identity Scheme dropdown list.

Click on Send Changes and then click on Activate.
Select the Access Control Policies option from the left-hand menu. Then modify the Default policy.
Click on the "+" icon next to the Authentication Schemes field to add the "RADIUS" option.

Then click on OK to confirm settings.
Click on Send Changes and then click on Activate.

Configure Mirket

To enable Mirket to receive authentication requests from Barracuda, follow these steps:

Define Barracuda as a RADIUS client resource within Mirket.
Create an authentication policy for the Barracuda RADIUS client resource or include it in an existing authentication policy.
Attach the Barracuda resource to the Mirket Radius.

Add Barracuda CloudGen as a Resource in Mirket with Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway from the Configuration > Gateway. To add a Radius Gateway to the Mirket, follow these steps:

Go to Configuration > Gateway and click on the Add Radius Gateway button.
On the displayed screen, enter a name for your Radius Gateway in the Name field.
Enter the SAM value of the gateway in the Sam Value field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls.
Enter the IP address of the server where the gateway is installed in the Host IP Address field.
Enter the authentication port value you set for the gateway in the Auth Port field. The default value is 1812.
Enter the accounting port value you specified for the gateway in the Acc Port field. The default value is 1813. Note: After completing these fields, you must create a RADIUS client for the newly created RADIUS Gateway.
Click on the Add Radius Client option at the bottom of the displayed screen.
Enter a name for your Radius Client in the Radius Client field.
Enter the IP address of the client(firewall) that will communicate with the gateway in the IP Address field.
Enter the secret key that the client will communicate with the gateway in the Secret Key field.

Click on the Save button to confirm the settings.

Configuring Radius Gateway

After creating the Radius Gateway, click on the Download > Config from the menu on the right side of the gateway.

This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

Replace the existing config file in the "C:\MirketRadius" directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in "C:\MirketRadius".

Then, restart the Mirket Radius Service.

You can check whether the Radius Gateway you created is active by navigating to Configuration > Gateway.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user or group in Mirket.

If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group.

If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. Note: Before proceeding, ensure that you have installed Mirket LDAP Gateway. (Refer to create LDAP Gateway.)

Add a Radius Rule to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

Go to Configuration > Radius Rules.
Click on the Add Radius Rule button.
On the displayed screen, enter a name for the rule in the Name field.
Enter the rule description in the Description field.
Select the Radius Client to which the rule will apply from the Radius Client dropdown list.
Enter the source IP addresses to which the rule will apply in the Source Adress field.
Select the source countries where the rule will be applied from the Source Country dropdown list.
Click on the Next button.

Specify whether the rule will be applied to a user or a group.
After specifying, click on the Next button.

Select the users or groups to which the rule will apply. Transfer your selections to the Selected Users/Groups table by clicking the arrow icon next to the Available Users/Groups table.
Click on the Next button.

Select the time period when the rule will run.
- All: The rule will run every day.
- Recurring: The rule will run on the specified days and times.
- One Time: The rule will run within the date range you specify.
After selecting, click on the Next button.

Specify whether the user or group will be granted access based on the rule in the Action field.
Select the authentication provider to which the rule will apply from the Auth Method dropdown list.

Click on Save to confirm the settings.

Test the Integration

To validate the integration between Mirket MFA and your Barracuda CloudGen firewall, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

In this example, we illustrate the use of the Approve/Deny authentication method.

Access the Barracuda CloudGen firewall using Barracuda NextGen Admin credentials to proceed.
Go to Configuration > Configuration Tree > Box > Virtual Servers > S1 > Assigned Services > VPN-Service > SSL-VPN > Native Apps.
Click on the "+" icon in the Native Apps section and then add an RDP App.

Launch the CudaLaunch client application, which can be downloaded from the Barracuda NG Download Portal.
Input your external IP address of the Barracuda CloudGen firewall and then click on Connect.

Click on the "Yes" option in the "Server certificate error dialog box".

Enter your Mirket username in the Username field.
Input your password in the RADIUS Password field.
Click on Log in. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.