Configure the External Authentication Server
If you create a Mobile VPN user group that authenticates to a third-party server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group.
If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec.
For RADIUS, VASCO, or SecurID, make sure that the RADIUS server sends a Filter-Id attribute (RADIUS attribute 11) when a user successfully authenticates, to tell the Firebox what group the user belongs to. The value for the Filter-Id attribute must match the name of the Mobile VPN group as it appears in the Fireware RADIUS authentication server settings. All Mobile VPN users that authenticate to the server must belong to this group.
The Shrew Soft VPN client is not compatible with 2-factor authentication. You must use the WatchGuard IPSec Mobile VPN Client if you want to use Vasco RADIUS or RSA SecurID authentication servers.