Use Two-Factor Authentication with Mobile VPN with IPSec
Two-factor authentication is a user authentication method that requires the user to supply two pieces of information to authenticate. The first factor is the password associated with the user name. The second factor could be a one-time password or PIN that changes each time the user authenticates. If you use a RADIUS server that supports two-factor authentication, you can use two-factor authentication with the WatchGuard IPSec Mobile VPN client for Windows or Mac OS X.
Two-factor authentication is not supported by the native Mac OS X VPN client, or the Shrew Soft IPSec VPN client.
Configure the RADIUS Server
Configure two-factor authentication on the RADIUS server. To complete these steps, review the documentation from your RADIUS vendor.
- Configure a group for the mobile VPN users, and add all Mobile VPN users who you want to authenticate to the RADIUS server to this group.
- Configure two-factor authentication for the mobile users on your RADIUS server.
- Add the IP address of the Firebox to the RADIUS server.
- For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute (RADIUS attribute 11) when a user successfully authenticates. This tells the Firebox what group the user is a member of. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it appears in the Fireware RADIUS authentication server settings.
Configure the Firebox
To use RADIUS server authentication for your Mobile VPN with IPSec users, you must complete these steps:
- Configure RADIUS Server Authentication
- Configure the Firebox for Mobile VPN with IPSec
- Generate Mobile VPN with IPSec Configuration Files
- Import the End-User Profile
How Two-Factor Authentication Works with the VPN Client
When a user authenticates from the VPN client, the VPN client sends the username and password to the Firebox. The Firebox sends the username and password to the RADIUS server. If the user and password are valid, and if two-factor authentication is enabled for the user, the RADIUS server sends an access-challenge message to the Firebox to request the second factor. The Firebox uses information from the access-challenge to prompt the VPN client for the second authentication factor.
Here are the communication steps between the VPN client, the Firebox, and the RADIUS server:
- The VPN client prompts the user for username and password credentials.
- The VPN client sends the credentials to the Firebox.
- The Firebox sends a RADIUS Access-Request message, with the credentials, to the RADIUS server.
- The RADIUS server sends an Access-Challenge message that includes a Reply-Message attribute (RADIUS attribute 18) to the Firebox. This attribute carries text for the user about the second authentication method.
- The Firebox sends the Reply-Message attribute text to the VPN client.
- The VPN client displays the instructions to the user in a dialog box.
- The user types the one-time password or PIN in the dialog box.
- The VPN client sends the second factor to the Firebox.
- The Firebox sends the second factor to the RADIUS server with the username.
- If the second factor is valid, the RADIUS server sends an Access-Accept message and the Firebox allows the connection.
If any of these steps fail, the RADIUS server sends the Firebox an Access-Reject message, and authentication fails.
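The exchange above, including the Access-Reject failure case, as an added Python simulation that is not WatchGuard's code: a constructed RADIUS server that challenges for a one-time password after the password check, and a Firebox-side relay that accepts the connection only when the Filter-Id in the Access-Accept matches the configured Mobile VPN group. The packet layout follows RFC 2865, but the MD5 authenticators and User-Password hiding are omitted, the user name (rather than a State attribute) ties the two rounds together, and the user, password, OTP and group name are all constructed.

```python
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE = 1, 2, 11, 18              # RFC 2865 attributes
MOBILE_VPN_GROUP = "ipsec-users"  # constructed: the group name configured on the Firebox

def encode_packet(code, ident, attrs):
    # Header (code, id, length, zeroed 16-byte authenticator) then TLV attributes; MD5 authenticators omitted.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def decode_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:  # walk the attribute TLVs, refusing one that overruns the packet
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t], pos = data[pos + 2:pos + l], pos + l
    return code, ident, attrs

USERS = {"alice": ("correct horse", "246810")}  # constructed: user -> (password, current OTP)
pending = set()  # users that passed the first factor and still owe the second

def radius_server(packet):
    code, ident, attrs = decode_packet(packet)
    user, secret = (attrs.get(k, b"").decode() for k in (USER_NAME, USER_PASSWORD))  # secret = password or OTP
    if code != ACCESS_REQUEST or user not in USERS:
        return encode_packet(ACCESS_REJECT, ident, [])
    password, otp = USERS[user]
    if user in pending:  # second round: verify the OTP, then hand back the group in Filter-Id
        pending.discard(user)
        if secret == otp:
            return encode_packet(ACCESS_ACCEPT, ident, [(FILTER_ID, MOBILE_VPN_GROUP.encode())])
    elif secret == password:  # first round: ask for the second factor via Reply-Message
        pending.add(user)
        return encode_packet(ACCESS_CHALLENGE, ident, [(REPLY_MESSAGE, b"Enter your one-time password")])
    return encode_packet(ACCESS_REJECT, ident, [])

def firebox_authenticate(user, password, prompt):
    # prompt(text) stands in for the VPN client dialog; returns the group name on success, else None.
    def ask(ident, value):
        req = [(USER_NAME, user.encode()), (USER_PASSWORD, value.encode())]
        return decode_packet(radius_server(encode_packet(ACCESS_REQUEST, ident, req)))
    code, _, attrs = ask(1, password)
    if code == ACCESS_CHALLENGE:  # relay the Reply-Message text, then send the user's answer
        code, _, attrs = ask(2, prompt(attrs[REPLY_MESSAGE].decode()))
    group = attrs.get(FILTER_ID, b"").decode()
    return group if code == ACCESS_ACCEPT and group == MOBILE_VPN_GROUP else None  # Filter-Id must match
```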