Defining an Extended Authentication Group

MUVPN with extended authentication allows users to authenticate to a Windows NT or RADIUS authentication server instead of to the Firebox. For more information on extended authentication, see MUVPN with extended authentication.


If you want to use a third-party server for authentication, you must define an extended authentication group on the Firebox. The actual usernames and passwords for MUVPN users are stored on the authentication server itself and are not maintained by the Firebox.


From Policy Manager:

  1. Select Network => Remote User. Click the Mobile User VPN tab.
    The Mobile User VPN information appears.
  2. Select Extended Authentication Groups. Click Add. Click Next.
  3. The Mobile User VPN Wizard - Extended Authentication Group dialog box appears.
  4. Specify a name for the extended authentication group. Specify the passphrase used to encrypt the .wgx file for this group. Click Next.
    Note the group name exactly as you typed it; the group you later define on the authentication server must have the same name. Choose a strong passphrase, because it protects the group's VPN settings in the .wgx file.
  5. Select an authentication server for this group from the drop list. Click Next.
    The authentication server must already be set up using the Authentication Servers dialog box. For information on how to do this, see the WatchGuard Firebox System User Guide.
  6. Select whether this group will use a shared key or a certificate for authentication. Click Next.
  7. If you selected certificates, enter the configuration passphrase of your certificate authority, which is either the Firebox or a third-party CA device. Click Next.
    If you specify the passphrase of the Firebox, the CA must be active on the Firebox. For information on activating the CA, see Activating the Certificate Authority on the Firebox.
  8. Specify the network resources to which this group will be allowed access. To add a new resource, click Add.
    The Advanced Mobile User VPN Policy Configuration dialog box appears.
  9. Use the Allow Access to drop list to select Network or Host. Type the IP address. Use the Dst Port, Protocol, and Src Port options to restrict access to only the services the group requires.
  10. If you plan to use a virtual adapter and route all of the remote users' Internet traffic through the IPSec tunnel, enable the Use default gateway on remote network checkbox. Click Next.
  11. Specify the virtual IP address pool (these can be virtual IP addresses on a false network, as described in IP Addressing). To add addresses, click Add and enter an address or address range. Click Next.
  12. Select an authentication method and encryption method for this group's connections. Enter a key expiration time in kilobytes, hours, or both.
    If you specify both, the key expires when whichever limit is reached first.

Authentication
    MD5-HMAC (128-bit algorithm) or SHA1-HMAC (160-bit algorithm)

Encryption
    None (no encryption), DES-CBC (56-bit), or 3DES-CBC (168-bit)

    Selecting None sends tunnel traffic in the clear and provides integrity protection only. DES-CBC's 56-bit key is no longer considered adequate against a determined attacker. Use 3DES-CBC with SHA1-HMAC unless the remote clients cannot support it.

  13. Click Next. Click Finish.
  14. The wizard closes and the group name appears on the Mobile User VPN tab. Click the plus sign (+) next to an entry to expand it and view the group's settings.

Configuring the external authentication server

Define a group on the authentication server that has the same name as the extended authentication group you defined on the Firebox. All MUVPN users that authenticate to the server must belong to this group.
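As an added example (not from the original page or from WatchGuard), the following FreeRADIUS configuration fragments show what defining the group on a RADIUS server can look like. The group name muvpn_sales, the Firebox address 10.0.1.1, the shared secret and the user entries are all constructed for illustration. The use of the Filter-Id attribute (RADIUS attribute 11) to carry the group name back to the Firebox is an assumption: this page does not state which RADIUS attribute the Firebox reads for group membership, so confirm it against the WatchGuard Firebox System User Guide and your RADIUS server's documentation before relying on it.

```conf
# clients.conf: register the Firebox as a RADIUS client (NAS).
# The address and shared secret are constructed for this example.
client firebox {
    ipaddr    = 10.0.1.1
    secret    = Chang3-This-Shared-Secret
    shortname = firebox
}

# users: each MUVPN user is placed in the group whose name matches the
# extended authentication group defined on the Firebox ("muvpn_sales").
# FreeRADIUS 2.x/3.x syntax: check items on the first line, reply items
# on the indented continuation lines.
# Filter-Id as the group attribute is an assumption (see the lead-in).
alice   Cleartext-Password := "alice-example-pass"
        Filter-Id = "muvpn_sales"

bob     Cleartext-Password := "bob-example-pass"
        Filter-Id = "muvpn_sales"

# carol has a valid account but is not a member of the MUVPN group, so no
# group attribute is returned for her; she must not be granted MUVPN access.
carol   Cleartext-Password := "carol-example-pass"
```

In production, keep user credentials in a proper backend (LDAP, SQL or a hashed password store) rather than Cleartext-Password entries in the users file, and use a long random shared secret for the Firebox client entry. RADIUS only obfuscates the user password with MD5 and the shared secret, so place the RADIUS server on a protected management network that the Firebox reaches over a trusted interface.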

Related topics:

Defining a User for a Firebox Authenticated Group

Modifying an existing Mobile User VPN entry

Allowing Internet access through MUVPN tunnels

Setting Advanced Preferences


Copyright © 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.