Configure OneSpan Server Authentication
OneSpan server authentication uses the OneSpan Authentication Server (IAS) to authenticate remote users on a company network through a RADIUS or web server environment. OneSpan also supports multiple authentication server environments. The OneSpan one-time password token system lets you replace static passwords, which are often the weakest link in a security infrastructure, with one-time passwords.
To configure OneSpan server authentication, use the RADIUS server settings. The Authentication Servers page does not have a separate OneSpan configuration.
To use OneSpan server authentication with your Firebox, you must:
- Add the IP address of the Firebox to the OneSpan Authentication Server configuration, as described in the OneSpan documentation. The server only answers RADIUS requests from clients it knows.
- Enable and specify the OneSpan Authentication Server in your Firebox configuration.
- Add user names or group names to your policies.
To understand how to integrate the Firebox with a OneSpan Authentication Server, go to OneSpan Authentication Server Integration Guide.
To configure a OneSpan Authentication Server from Fireware Web UI:

1. Select Authentication > Servers.
   The Authentication Servers page appears.
2. From the Server list, select RADIUS.
   The RADIUS server settings appear.
3. To enable the OneSpan Authentication Server, select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the OneSpan Authentication Server.
5. In the Port text box, make sure that the port number the OneSpan Authentication Server uses for authentication appears. The default port number is 1812.
6. In the Shared Secret text box, type the shared secret between the Firebox and the OneSpan Authentication Server.
   The shared secret is case-sensitive, and it must be identical on the Firebox and the OneSpan Authentication Server. The shared secret cannot consist only of space characters. Because the shared secret is the only key that protects the RADIUS exchange, use a long, random value.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the Firebox waits for a response from the authentication server before it sends the request again.
9. In the Retries text box, type the number of times the Firebox retries the authentication server before it reports a failed connection for one authentication attempt.
10. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again.
    The default value is 3 minutes. In Fireware v12.1.1 or lower, the default value is 10 minutes.
11. From the Dead Time drop-down list, select Minutes or Hours to set the unit.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try to connect to this server until the dead time expires and it is marked as active again.
12. Type or select the Group Attribute value. The default group attribute is FilterID, which is RADIUS attribute 11 (Filter-Id).
    The group attribute sets which RADIUS attribute carries the user group information. You must configure the OneSpan Authentication Server to include the Filter-Id string, for example engineerGroup or financeGroup, in the authentication response it sends to the Firebox. The Firebox matches the Filter-Id string to the group name configured in the device policies and uses it for access control.
13. To add a backup OneSpan Authentication Server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
14. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary OneSpan Authentication Server.
    For more information, go to Use a Backup Authentication Server.
15. Click Save.
To configure a OneSpan Authentication Server from Policy Manager:

1. Click the Authentication Servers icon, or select Setup > Authentication > Authentication Servers.
   The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. To enable the OneSpan Authentication Server, select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the OneSpan Authentication Server.
5. In the Port text box, make sure that the port number the OneSpan Authentication Server uses for authentication appears. The default port number is 1812.
6. In the Secret text box, type the shared secret between the device and the OneSpan Authentication Server.
   The shared secret is case-sensitive, and it must be identical on the device and the OneSpan Authentication Server. The shared secret cannot consist only of space characters. Because the shared secret is the only key that protects the RADIUS exchange, use a long, random value.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time the device waits for a response from the authentication server before it sends the request again.
9. In the Retries text box, type or select the number of times the device retries the authentication server before it reports a failed connection for one authentication attempt.
10. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again.
    The default value is 3 minutes. In Fireware v12.1.1 or lower, the default value is 10 minutes.
11. From the Dead Time drop-down list, select Minutes or Hours to set the unit.
    After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try to connect to this server until the dead time expires and it is marked as active again.
12. Type or select the Group Attribute value. The default group attribute is FilterID, which is RADIUS attribute 11 (Filter-Id).
    The group attribute sets which RADIUS attribute carries the user group information. You must configure the OneSpan Authentication Server to include the Filter-Id string, for example engineerGroup or financeGroup, in the authentication response it sends to the device. The device matches the Filter-Id string to the group name configured in the device policies and uses it for access control.
13. To add a backup OneSpan Authentication Server, select the Backup Server Settings tab, and select the Enable a backup RADIUS server check box.
14. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary OneSpan Authentication Server.
    For more information, go to Use a Backup Authentication Server.
15. Click OK.
16. Save the Configuration File.
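The settings above map onto a plain RFC 2865 RADIUS exchange, and it helps to see what each one controls on the wire. The following is an added example, not code from WatchGuard or OneSpan: it builds the Access-Request a Firebox would send to the OneSpan Authentication Server (hiding the one-time password with the shared secret), answers it with an in-process stand-in for the server that returns Filter-Id (attribute 11) on success, checks the Response Authenticator with the shared secret, and matches the Filter-Id string against the group names used in policies. The secret, user names, OTP values, group names and NAS IP are constructed for the example; the simulated server is an assumption standing in for the real product, and the timeout, retry and dead-time logic is not modelled.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constants from RFC 2865; 1812 is the default that the Port text box must match.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_FILTER_ID = 1, 2, 4, 11
RADIUS_AUTH_PORT = 1812

# Constructed sample data for this example, not from any real deployment.
SECRET = b"S3cret-Not-For-Production"
USERS = {"alice": {"otp": b"482913", "group": b"engineerGroup"},
         "bob": {"otp": b"775533", "group": b"salesGroup"}}
POLICY_GROUPS = {"engineerGroup", "financeGroup"}  # group names configured in Firebox policies

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs; reject bad lengths instead of looping or over-reading."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(pw[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the server needs the same secret to recover the OTP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, otp, nas_ip):
    """Firebox side: returns the packet and the Request Authenticator kept to check the reply."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, pap_hide(otp, secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),  # the Firebox IP registered on the server
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def simulated_server(request, secret, users):
    """Constructed stand-in for the OneSpan server (an assumption): verifies the OTP and
    answers with Access-Accept carrying Filter-Id (attribute 11), or with Access-Reject."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    otp = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if user in users and hmac.compare_digest(otp, users[user]["otp"]):
        code, reply = ACCESS_ACCEPT, encode_attrs([(ATTR_FILTER_ID, users[user]["group"])])
    else:
        code, reply = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, reply, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply)) + auth + reply

def verify_response(response, ident, req_auth, secret):
    """Firebox side: accept a reply only if it echoes our ID and its Response Authenticator
    was computed with the same shared secret. A secret that differs only in case fails here."""
    if len(response) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return None
    attrs = response[20:]
    if not hmac.compare_digest(response_authenticator(code, rid, attrs, req_auth, secret), response[4:20]):
        return None
    return code, decode_attrs(attrs)

def authorize(username, otp, client_secret, nas_ip, server_secret, users, policy_groups):
    """End to end: request, simulated reply, verification, then Filter-Id to policy-group match.
    Returns (status, groups); status is one of ok, no-group, rejected, unverified."""
    ident = 7  # a real client increments this per outstanding request
    request, req_auth = build_access_request(ident, client_secret, username, otp, nas_ip)
    reply = simulated_server(request, server_secret, users)
    verified = verify_response(reply, ident, req_auth, client_secret)
    if verified is None:
        return "unverified", []
    code, attrs = verified
    if code != ACCESS_ACCEPT:
        return "rejected", []
    groups = [v.decode() for t, v in attrs if t == ATTR_FILTER_ID]
    matched = [g for g in groups if g in policy_groups]
    return ("ok" if matched else "no-group"), (matched or groups)

if __name__ == "__main__":
    print(authorize("alice", "482913", SECRET, "10.0.0.1", SECRET, USERS, POLICY_GROUPS))
    print(authorize("alice", "482913", SECRET, "10.0.0.1", SECRET.lower(), USERS, POLICY_GROUPS))
    print(authorize("bob", "775533", SECRET, "10.0.0.1", SECRET, USERS, POLICY_GROUPS))
```

The second call uses a server secret that differs from the client secret only in case: the server cannot recover the OTP, so it rejects, and the Firebox side then cannot validate the Response Authenticator either, which is the "unverified" outcome rather than a clean reject. The third call shows an Access-Accept whose Filter-Id names a group that no policy uses; authentication succeeds but no policy matches, which is the symptom to look for when a user can log in but gets no access.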