Configure RADIUS Authentication for a Firebox
Applies To: Cloud-managed Fireboxes
RADIUS (Remote Authentication Dial-In User Service) authenticates local wired and wireless clients, and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.
To configure a cloud-managed Firebox to use RADIUS authentication, you can add a RADIUS server to an authentication domain, and then configure Fireboxes in your account to use that domain for authentication.
RADIUS Authentication Methods
A cloud-managed Firebox uses these authentication protocols for user authentication with a RADIUS server:
- Firewall authentication — PAP (Password Authentication Protocol)
- Mobile VPN authentication — EAP-MSCHAPv2 (Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol)
- Wireless authentication — EAP-PEAP with MSCHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol as the tunnel protocol)
Before You Begin
Before you configure your Firebox to use a RADIUS authentication server, you must have this information for each RADIUS server:
- Primary RADIUS server — IP address and RADIUS port
- Backup RADIUS server (optional) — IP address and RADIUS port
- Shared secret — Case-sensitive password that is the same on the WatchGuard Cloud authentication domain and on the RADIUS server
- Authentication methods — Configure your RADIUS server to allow the authentication method your Firebox uses, such as PAP, EAP-MSCHAPv2, or EAP-PEAP.
Configure RADIUS Authentication for a Cloud-Managed Firebox
To use RADIUS server authentication with a cloud-managed Firebox, you must:
- Add the IP address of the Firebox to the RADIUS server, to configure the Firebox as a RADIUS client.
- Add the RADIUS server to a WatchGuard Cloud authentication domain, and specify the server IP address and shared secret. For more information, go to Add an Authentication Domain to WatchGuard Cloud.
- If you have a backup RADIUS server, add it to the same authentication domain. For more information, go to Add Servers to an Authentication Domain.
- Add users or groups to the authentication domain. For more information, go to Add Users, Groups, and Devices to an Authentication Domain.
- Add the authentication domain to the Firebox configuration. For more information, go to Add an Authentication Domain to a Firebox.
- Select the user or group names in Firebox policies. For more information, go to Configure the Source and Destination in a Firewall Policy.
- For Enterprise RADIUS authentication for wireless Fireboxes, configure a Firebox network with a wireless SSID with WPA2 Enterprise or WPA3 Enterprise authentication. For more information, go to Configure Enterprise RADIUS Authentication for a Wireless Firebox and Configure Firebox Wireless Networks.