Our security policy requires us to have the following:
- Connect over VPN when outside the office
- Must use 2 factor authentication using RSA SecurID for VPN
- Must be connected to VPN prior to logging into Windows
Barracuda's Client to Site VPN client (Network Access Client for Barracuda) will only present the VPN connection capability at the Windows logon screen if "Single Sign on" is checked in the client. However, if we use single sign on, then the process works as follows:
User enters username and [RSA PIN] + [RSA Token] > VPN connects > Windows tries to pass the VPN credentials for Windows login (this is where the problem is) and of course it fails, because it wants the AD username and password.
How can we make it so that either A) the user can enter the RSA token AND the user can enter the Windows password, or B) the VPN authenticates and then waits for the user to actually log in to Windows?
Any help would be greatly appreciated. I'm happy to elaborate more if needed.