Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Active Directory Users

Deployment Overview

This document describes how to set up AuthPoint multi-factor authentication (MFA) for Active Directory users that use Mobile VPN with IKEv2. To configure AuthPoint MFA for Azure Active Directory users that use Mobile VPN with IKEv2, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users.

Your WatchGuard Firebox must already be configured and deployed before you set up MFA with AuthPoint.

If the IKEv2 VPN client is only used by local AuthPoint users, you do not have to configure Microsoft NPS or enable MS-CHAPv2. NPS is only required for users synced from Active Directory or an LDAP database.

AuthPoint supports RADIUS authentication with PAP and MS-CHAPv2. 802.1x authentication is not supported.

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.7
  • Firebox with Fireware v12.6.x and lower
  • AuthPoint Gateway v6.1 or higher
  • Windows Server 2019 with Microsoft Network Policy Server (NPS) and Active Directory Domain Services

WatchGuard Firebox Authentication Data Flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers with the RADIUS protocol. This diagram shows the data flow of an MFA transaction for a WatchGuard Firebox.

With Fireware v12.7 or higher, the AuthPoint Gateway is only required to sync LDAP users and groups to AuthPoint. The Gateway is not used for user authentication or communication with NPS.

Screenshot of Topology diagram
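The RADIUS exchange in the data flow above is worth seeing at the byte level, because the PAP option named earlier protects the user's password only with the RADIUS shared secret and MD5 (RFC 2865, section 5.2), and the Access-Accept is tied back to the request only through the Response Authenticator. The following is an added example written for this page, not WatchGuard or Microsoft code: it builds an Access-Request the way a RADIUS client such as the Firebox would, "receives" it the way a RADIUS server such as NPS would, answers with an Access-Accept, and checks that answer. The user name, password, NAS-Identifier and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_pap_password(hidden, secret, authenticator):
    """Server side of the same transform; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])


def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """Client side: the Request Authenticator must be fresh random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_pap_password(password, secret, authenticator)),
        (ATTR_NAS_IDENTIFIER, nas_id),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: accept only a reply bound to our request and our secret."""
    _, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret=b"constructed-shared-secret", password=b"constructed-passphrase!"):
    """Walk one PAP round trip; returns what each side observed."""
    request = build_access_request(7, b"ad-user@example.test", password, secret, b"firebox-sample")
    code, ident, req_auth, attrs = parse_packet(request)          # server parses
    hidden = dict(attrs)[ATTR_USER_PASSWORD]
    recovered = reveal_pap_password(hidden, secret, req_auth)     # server recovers
    accept = build_response(ACCESS_ACCEPT, request, secret)        # server answers
    return {
        "code": code, "ident": ident, "hidden_len": len(hidden),
        "recovered": recovered, "accept_ok": verify_response(accept, request, secret),
        "wrong_secret_ok": verify_response(accept, request, b"other-secret"),
    }
```

Two defensive points fall out of the code: the password hiding is only as strong as the shared secret, so a long random secret and a RADIUS path restricted to the NPS host matter more than the protocol choice, and an Access-Accept that fails verify_response must be discarded rather than treated as a successful MFA result.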

Before You Begin

Before you begin these procedures, make sure that:

  • If you have Fireware v12.6.x or lower, we recommend that you have installed and configured v6.1 or higher of the AuthPoint Gateway (see About Gateways)
  • You have installed and configured Active Directory Domain Services
  • You have installed Network Policy and Access Services, which includes Network Policy Server (NPS)

Configure AuthPoint MFA for Firebox Mobile VPN with IKEv2

The steps to configure AuthPoint and your Firebox are different based on the version of Fireware that you have.