84 Barracuda SSL VPN Administrator’s Guide

Authentication Schemes

An Authentication Scheme is simply a container for any number of Authentication Modules, such as OTP, Passwords, and Certificates. This approach means that multi-tiered authentication can easily be implemented and even linked to existing authentication systems. The Authentication Scheme is then used as the basis of the login policy. The Barracuda SSL VPN allows for more than one of these schemes to be created and used.

All Authentication Schemes defined are visible from Manage System > Access Control > Authentication Schemes, and are listed in order of priority.

The following types of authentication can be used to control the level of access to a module:

Authentication Type                               For More Information:
Client Certificate          Primary/Secondary     page 85
IP Address                  Primary/Secondary     page 86
Password                    Primary/Secondary     page 86
PIN                         Primary/Secondary     page 87
Public Key                  Primary/Secondary     page 87
RADIUS                      Primary/Secondary     page 89
OTP (One-Time Password)     Secondary             page 90
Personal Questions          Secondary             page 90

The above table also shows where an Authentication Module can be placed in relation to other modules. Any module marked above with primary means that it can be positioned first in an Authentication Scheme whilst any module defined as secondary cannot be first in a scheme. Most of the Authentication Modules can be positioned anywhere first or second. Within the application itself, only those that cannot be first are marked.

The Authentication Scheme system enforces this by disallowing a secondary scheme to be positioned at the top of the chain. It is important to note that certain Authentication Modules can only be used by themselves; that is they cannot be combined with other Authentication Modules.

When a user starts the authentication process they first have to enter a Username. Once the Username is submitted, checks are made to determine the correct authentication method to be used. This approach allows for different authentication methods to be used for different groups of users. For example, users attached to a Sales Policy may only have to enter a Username and Password, whereas Sales Management may be attached to a Policy that uses a Password and PIN authentication scheme.

Note: If only one Authentication Scheme is configured on the system and only one User Database is configured, then users will be prompted for their username and password on the same screen. If more than one Authentication Scheme is configured they will be prompted for username (and User Database if more than one is in use). Once accepted another page will prompt for the password.

The built in authentication schemes allow those wanting to build a single, double or even a triple factored process to do so with ease. So, if only the default Authentication Scheme has been defined, the Login page presented to the user will have:

• Language selection
• Username entry
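
The placement rule and login flow described on this page, as an added illustration (not Barracuda code and not part of the original guide): a small Python model that rejects a chain starting with a secondary-only module, picks the scheme for a user, and lists the login screens from the Note. The Scheme class, its policies field, the first-match-by-priority selection and the sample schemes are assumptions made for this example.

```python
# Illustrative model only, not Barracuda code. Placement data is taken from the guide's table.
from dataclasses import dataclass

BOTH = {"primary", "secondary"}
PLACEMENT = {
    "Client Certificate": BOTH, "IP Address": BOTH, "Password": BOTH,
    "PIN": BOTH, "Public Key": BOTH, "RADIUS": BOTH,
    "OTP": {"secondary"}, "Personal Questions": {"secondary"},
}

@dataclass
class Scheme:
    name: str
    modules: list   # ordered chain of module names
    policies: set   # policies the scheme is attached to (hypothetical field)

def validate(scheme):
    """Return placement problems for a scheme; an empty list means the chain is acceptable."""
    if not scheme.modules:
        return ["scheme has no modules"]
    problems = []
    for pos, module in enumerate(scheme.modules):
        allowed = PLACEMENT.get(module)
        if allowed is None:
            problems.append(f"unknown module: {module}")
        elif pos == 0 and "primary" not in allowed:
            problems.append(f"{module} is secondary-only and cannot be first")
    return problems

def select_scheme(schemes, user_policies):
    """Schemes arrive in priority order; assume the first valid one sharing a policy with the user wins."""
    for scheme in schemes:
        if not validate(scheme) and scheme.policies & user_policies:
            return scheme
    return None

def login_prompts(scheme_count, database_count):
    """Screens shown at login, following the guide's Note on single versus multiple schemes."""
    if scheme_count == 1 and database_count == 1:
        return [["username", "password"]]
    first = ["username"] + (["user database"] if database_count > 1 else [])
    return [first, ["password"]]

# Constructed sample schemes, listed in priority order.
SCHEMES = [
    Scheme("Management", ["Password", "PIN"], {"Sales Management"}),
    Scheme("Broken", ["OTP", "Password"], {"Sales"}),
    Scheme("Default", ["Password"], {"Sales"}),
]

if __name__ == "__main__":
    for s in SCHEMES:
        print(s.name, validate(s) or "ok")
    print(select_scheme(SCHEMES, {"Sales"}).name, login_prompts(len(SCHEMES), 1))
```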