Configure RADIUS Server Authentication with Active Directory for Wireless Users

Before you configure your Firebox to use your Active Directory and RADIUS servers to authenticate wireless users, make sure that the settings described in this section are configured on your RADIUS and Active Directory servers. Windows 2016, 2012 R2, 2008, and 2003 Server are the supported RADIUS server platforms.

For complete instructions to configure your RADIUS server or Active Directory server, see the vendor documentation for each server.

Configure NPS for a Windows 2016, 2012 R2, or 2008 Server

  • In Windows Server Manager, make sure NPS is installed with a Network Policy and Access Service role that uses the Network Policy Server role service.
  • Add a new RADIUS client to NPS that includes the IP address of your Firebox and uses the RADIUS Standard vendor, and set a manual shared secret for the RADIUS client and Firebox.
  • Add a network policy with these settings:
    • Select the Active Directory user group that includes the wireless users you want to authenticate.
    • Specify Access granted as the access permissions for the policy, and do not specify an EAP type.
    • Add the attribute Filter-ID to the policy and specify the wireless user groups as the value. Make sure to remove Framed Protocol and Service-Type from the Attributes list.

For more information, see Configure NPS for Windows Server 2016 or 2012 R2 or Configure NPS for Windows Server 2008 in the WatchGuard Knowledge Base.

Configure IAS for a Windows 2003 Server

  • On your Windows 2003 Server, make sure that the Internet Authentication Service (IAS) networking service is installed.
  • In the IAS console, add a new RADIUS client for your Firebox that uses the device name and IP address of your Firebox for the Friendly name and Client address. Make sure to select RADIUS Standard for the Client-Vendor value and set a shared secret for the RADIUS client and Firebox.
  • From the IAS console, add a new custom remote access policy with these settings:
    • Add the Windows-Group attribute to the policy.
    • Select the Active Directory user group that includes the wireless users you want to authenticate.
    • For the permissions setting, specify Grant remote access permission.
    • Add the attribute Filter-ID to the policy and specify the wireless users group as the value.

Configure Active Directory Settings

When you configure these settings for your Active Directory server, you enable your RADIUS server to contact your Active Directory server for the user credentials and group information stored in your Active Directory database.

  • In Active Directory Users and Computers on your Active Directory server, make sure that the remote access permissions are configured to Allow access to users.
  • Register NPS or IAS to your Active Directory server.
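
For the NPS path on Windows Server 2016 or 2012 R2, the role installation, RADIUS client, and Active Directory registration steps can also be scripted. This is an added example, not WatchGuard's own procedure; the client name and IP address are placeholders, and the network policy (group, Access granted, Filter-ID) is still created in the NPS console as described above.

```powershell
# Added example. Run in an elevated PowerShell session on the NPS server
# (Windows Server 2012 R2 or 2016) with rights to register NPS in the domain.
$FireboxName = 'Firebox'       # placeholder friendly name for the RADIUS client
$FireboxIP   = '203.0.113.1'   # placeholder: replace with the IP address of your Firebox

# 1. Install the Network Policy and Access Services role (includes the NPS role service).
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}
Import-Module NPS

# 2. Generate a random shared secret: 24 bytes from the system CSPRNG as 48 hex characters.
$bytes = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 3. Add the Firebox as a RADIUS client with the RADIUS Standard vendor.
#    An existing entry for the same address is left untouched so its secret is not replaced silently.
$existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $FireboxIP }
if ($existing) {
    Write-Warning "A RADIUS client for $FireboxIP already exists: $($existing.Name)"
} else {
    New-NpsRadiusClient -Name $FireboxName -Address $FireboxIP `
        -SharedSecret $secret -VendorName 'RADIUS Standard' | Out-Null
    # Shown once so it can be entered on the Firebox; keep it in a password vault,
    # not in a script file or ticket.
    Write-Host "Shared secret to enter on the Firebox: $secret"
}

# 4. Register this NPS server in its default Active Directory domain.
netsh nps add registeredserver

# 5. Verify the client entry. Only non-secret fields are selected, because
#    Get-NpsRadiusClient output also contains the shared secret in clear text.
Get-NpsRadiusClient |
    Where-Object { $_.Address -eq $FireboxIP } |
    Format-List Name, Address, VendorName
```

The same shared secret must be entered on the Firebox when you add the RADIUS server there.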

About RADIUS Single Sign-On

In Fireware OS v11.11 and higher, you can use RADIUS Single Sign-On for wireless clients when you use WPA and WPA2 Enterprise authentication. For more information on RADIUS Single Sign-On, see About RADIUS Single Sign-on.