Configure VASCO Server Authentication
VASCO server authentication uses the VACMAN Middleware software to authenticate remote users on a company network through a RADIUS or web server environment. VACMAN Middleware can also be deployed alongside other authentication servers. The VASCO one-time password token system lets you replace static passwords, often the weakest link in a security infrastructure, with one-time passwords.
To use VASCO server authentication with your XTM device, you must:
- Add the IP address of the XTM device to the VACMAN Middleware server, as described in the documentation from your VASCO vendor.
- Enable and specify the VACMAN Middleware server in your XTM device configuration.
- Add user names or group names to the policies in Policy Manager.
To configure VASCO server authentication, use the RADIUS server settings. The Authentication Servers dialog box does not have a separate tab for VASCO servers.
From Fireware XTM Web UI:
1. Select Authentication > Servers.
The Authentication Servers page appears.
2. From the Server list, select RADIUS.
The RADIUS server settings appear.
3. To enable the VACMAN Middleware server, select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the VACMAN Middleware server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears.
The default port number is 1812 (RADIUS authentication over UDP).
6. In the Passphrase text box, type the shared secret between the XTM device and the VACMAN Middleware server.
The shared secret is case-sensitive and must be identical on the XTM device and the server. RADIUS uses this secret both to hide the user password in the request and to authenticate the server's reply, so use a long random value rather than a dictionary word.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the XTM device waits for a response from the authentication server before it sends the request again.
9. In the Retries text box, type the number of times the XTM device sends the request to the authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is Filter-Id, RADIUS attribute 11.
The group attribute sets which RADIUS attribute carries the user group information. You must configure the VASCO server to include the Filter-Id string, for example engineerGroup or financeGroup, in the Access-Accept message it sends to the XTM device. The XTM device matches this string against the group names configured in its policies and uses the result for access control, so the value on the server must be spelled exactly like the group name in Policy Manager.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list to change the unit.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.
12. To add a backup VACMAN Middleware server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary VACMAN Middleware servers.
For more information, see Use a Backup Authentication Server.
14. Click Save.
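Before relying on the XTM device's settings, it is useful to exercise the VACMAN Middleware server (or any RADIUS server) from a workstation and confirm that it returns the expected Filter-Id. The following added example, which is not WatchGuard or VASCO code, implements the parts of the RADIUS exchange (RFC 2865) that the settings above configure: it hides the user's one-time password with the shared secret, validates the Response Authenticator of the reply so that a wrong shared secret or a forged packet is rejected instead of trusted, extracts the Filter-Id (attribute 11) group string, and applies Timeout and Retries the same way the XTM settings do. The server address, port, shared secret, user name and password are placeholders, and `fake_server_reply` builds a constructed reply so the client can be run offline.

```python
"""Minimal RADIUS (RFC 2865) client pieces for testing a VACMAN Middleware
server: Access-Request with hidden User-Password, reply validation, and
Filter-Id extraction. Added example, not WatchGuard or VASCO code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_FILTER_ID = 1, 2, 4, 11


def _attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; the length byte includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption, which
    is why the secret must be long and random."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, nas_ip: str) -> tuple:
    """Returns (packet, request_authenticator); keep the authenticator to validate the reply."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_response(packet: bytes, secret: bytes, request_authenticator: bytes) -> tuple:
    """Checks the Response Authenticator = MD5(Code+ID+Length, RequestAuth, attrs, secret)
    and returns (code, ident, {attr_type: [values]}). A shared-secret mismatch or a
    forged reply fails here instead of being accepted."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    attrs_raw = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    attrs, pos = {}, 0
    while pos < len(attrs_raw):
        if pos + 2 > len(attrs_raw) or attrs_raw[pos + 1] < 2 or pos + attrs_raw[pos + 1] > len(attrs_raw):
            raise ValueError("malformed attribute")
        atype, alen = attrs_raw[pos], attrs_raw[pos + 1]
        attrs.setdefault(atype, []).append(attrs_raw[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def groups_from_response(code: int, attrs: dict) -> list:
    """Filter-Id strings the XTM device would match against policy group names;
    empty for Access-Reject or for an Accept that carries no Filter-Id."""
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for v in attrs.get(ATTR_FILTER_ID, [])]


def authenticate(server: str, port: int, secret: bytes, username: str, password: str,
                 nas_ip: str, timeout: float = 5.0, retries: int = 3) -> list:
    """Sends the request up to `retries` times, waiting `timeout` seconds each time
    (the same two knobs as the XTM RADIUS settings), and returns the group list."""
    packet, req_auth = build_access_request(os.urandom(1)[0], username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(packet, (server, port))
            try:
                data, _addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            code, ident, attrs = parse_response(data, secret, req_auth)
            if ident == packet[1]:  # ignore stale replies to an earlier request
                return groups_from_response(code, attrs)
    raise TimeoutError(f"no valid reply from {server}:{port} after {retries} tries")


def fake_server_reply(request: bytes, secret: bytes, accept: bool = True,
                      filter_id: bytes = b"engineerGroup") -> bytes:
    """Constructed reply, built as a RADIUS server would build it, for offline testing."""
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs = _attr(ATTR_FILTER_ID, filter_id) if accept else b""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


if __name__ == "__main__":
    # Offline round trip with placeholder secret, user and addresses.
    secret = b"Sh4red-S3cret-Example"
    pkt, auth = build_access_request(1, "alice", "123456", secret, "192.0.2.1")
    print(groups_from_response(*parse_response(fake_server_reply(pkt, secret), secret, auth)[::2]))
    # Against a live server: authenticate("192.0.2.10", 1812, secret, "alice", "123456", "192.0.2.1")
```

The password the user types is the VASCO one-time password, so a captured request cannot simply be replayed later, but the shared secret still protects the reply: if `parse_response` raises on a real server, the first thing to check is that the passphrase on the XTM device and in VACMAN Middleware are identical, including case.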
See also:
- About Third-Party Authentication Servers
- Use Authorized Users and Groups in Policies