Firebox Integration with AuthPoint

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard Firebox with AuthPoint, and configure your WatchGuard Firebox to integrate with AuthPoint RADIUS.

Your WatchGuard Firebox must already be configured and deployed before you set up MFA with AuthPoint. Your WatchGuard Firebox can be configured to support MFA in several modes. For this integration, we set up RADIUS with AuthPoint.

This integration was tested with firmware 12.1.B548280 of WatchGuard Firebox.

WatchGuard Firebox Authentication Data Flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers with the RADIUS protocol. This diagram shows the data flow of an MFA transaction for a WatchGuard Firebox.

Before You Begin

Before you begin these procedures, make sure that:

  • End-users can log in to the WatchGuard Firebox
  • A token is assigned to a user in AuthPoint
  • You have installed and configured the AuthPoint Gateway (see About Gateways)

Configure the Firebox

You must configure the RADIUS authentication settings and enable Mobile VPN with SSL on your Firebox.

Configure RADIUS Authentication

  1. Log in to the WatchGuard Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page appears.
  3. From the Authentication Servers list, select RADIUS.
  4. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  5. In the IP Address text box, type the server name or IP address of the gateway that connects to the Firebox.
  6. In the Port text box, keep the default port setting of 1812. This is the port used for communication with the RADIUS server (AuthPoint Gateway).
  7. In the Passphrase and Confirm text boxes, type a shared secret key. This key is used to communicate with the RADIUS server (AuthPoint Gateway).
  8. Click Save.

Configure Mobile VPN with SSL

To allow secure, remote connections to your protected network, configure Mobile VPN with SSL on your Firebox. This configuration enables MFA for your users.

  1. Select VPN > Mobile VPN with SSL.
  2. Select the Activate Mobile VPN with SSL check box.
  3. In the Firebox IP Addresses or Domain Names section, in the Primary text box, type the domain name or public IP address of the Firebox.
  4. Click Save. When you save your changes, a default SSLVPN-Users user group is added.
  5. Select the Authentication tab.
  6. Click Add to add a group to authenticate.
  7. For Type, select Group.
  8. In the Name text box, type the name of this group. The name of this group must match the name of the AuthPoint group or Active Directory group your users belong to. If you use the default SSLVPN-Users group name, you must add an SSLVPN-Users group to AuthPoint or Active Directory.
  9. Click OK.
  10. Click Configure.
  11. In the Authentication Servers section, from the drop-down list select RADIUS. Click Add.
  12. In the Authentication Server list, select and remove all other items.
  13. Click Save.

Configure Mobile VPN with IPSec

You must configure mobile VPN with IPSec on your Firebox to allow secure, remote connections to your protected network. This configuration enables MFA for your users.

  1. Select VPN > Mobile VPN with IPSec.
  2. Click Add to add a new group.
  3. In the Name text box, type a group name that matches the name of the AuthPoint group or Active Directory group your users belong to.
  4. From the Authentication Server drop-down list, select RADIUS.
  5. In the Passphrase and Confirm text boxes, type a passphrase to encrypt the mobile VPN profile (.wgx file) that you distribute to users in this group. The passphrase can only use standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users.
  6. In the Firebox IP Addresses section, in the Primary text box, type the external IP address of the Firebox that the VPN client connects to.
  7. Select the Resources tab.
  8. Select the Allow All Traffic Through Tunnel check box.
  9. In the Virtual IP Address Pool section, click Add.
  10. From the Choose Type drop-down list, select Host Range IPv4.
  11. In the From and To text boxes, type a range for your virtual IP addresses. The range should be in your interface range. The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
  12. Click OK.
  13. Click Save.
  14. Select your group.
  15. From the Client drop-down list, select Shrew Soft VPN.
  16. Click Generate and save the <group name>.VPN file.

Configure AuthPoint

Before AuthPoint can receive authentication requests from your Firebox, you must specify the Firebox as a RADIUS resource in AuthPoint. You must also assign the Firebox resource to the user group that will authenticate through WatchGuard Firebox.

Add a RADIUS Resource in AuthPoint

From the AuthPoint management UI:

  1. From the navigation menu, select Resources.
  2. From the Choose a Resource Type drop-down list, select RADIUS Client. Click Add Resource.
  3. Configure the settings for all options on the RADIUS page.

Add an Access Policy to AuthPoint

You must have at least one user group in AuthPoint for authentication with WatchGuard Firebox, and you must assign an access policy for the WatchGuard Firebox resource to that group. If you already have a group, you do not have to add another group.

Your AuthPoint group name must match the group name on the authentication server and the group name you specified on your Firebox.

In the AuthPoint management UI:

  1. From the navigation menu, select Groups.
  2. To add a new group, click Add Group. If you already have a group that you want to use, click the Name of your group to edit it.
  3. In the Name text box, type a descriptive name for the group.
  4. (Optional) In the Description text box, type a description of the group.
  5. In the Access Policy section, click Add Policy.
  6. In the Add Policy dialog box, from the Resource drop-down list, select the resource you want to add an access policy for.
  7. (Optional) To require that users type their password before they authenticate for this resource, select the Require Password Authentication slider.
  8. Select the authentication options users in this group can choose from when they authenticate.

    For RADIUS resources, you can only choose OTP or Push. RADIUS resources cannot use the QR code authentication option.

  9. Click Add.
    The access policy for your resource is added to the list.
  10. Click Save.

Before you assign users to a group, you must add them to AuthPoint. You can manually add user accounts or import user accounts from your LDAP database. For more information on how to add user accounts, see Add User Accounts.

Bind the RADIUS Resource to a Gateway

To use RADIUS authentication with AuthPoint, you must have the AuthPoint Gateway installed on your corporate network and you must assign your RADIUS resources to the Gateway in the AuthPoint management UI. The Gateway functions as a RADIUS server. For more information, see About Gateways.

  1. From the navigation menu, select Gateway.
  2. Select the Name of the Gateway.
  3. In the RADIUS section, in the Port text box, type the port number used to communicate with the Gateway. The default ports are 1812 and 1645.
  4. In the Select a RADIUS resource drop-down list, select your RADIUS client resource.
  5. Click Save.
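As an added check that is not part of this WatchGuard guide, the following standard-library Python script exercises the Firebox-to-Gateway RADIUS settings configured above (UDP port 1812 and the shared secret): it builds an RFC 2865 Access-Request the way the Firebox does, hides the User-Password with the shared secret, sends it to the Gateway and verifies the Response Authenticator of the reply, which only matches when both sides hold the same secret. The host, user name, password and secret are placeholders you supply, and the script assumes it runs from an address the AuthPoint RADIUS client resource accepts.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(secret, authenticator, password):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], md5(secret, prev)))
        out += prev
    return out

def unhide_password(secret, authenticator, hidden):
    # the server-side inverse: the keystream for block i comes from hidden block i-1
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, username, password, authenticator, ident=1):
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(NAS_IDENTIFIER, b"radius-check"))  # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(secret, request_authenticator, response):
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return len(response) >= 20 and md5(response[:4], request_authenticator, response[20:], secret) == response[4:20]

def radius_check(host, secret, username, password, port=1812, timeout=60):
    authenticator = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # long enough to approve the push on the phone
        sock.sendto(build_access_request(secret, username, password, authenticator), (host, port))
        response, _ = sock.recvfrom(4096)
    if not response_is_authentic(secret, authenticator, response):
        return "reply failed the authenticator check (shared secret mismatch?)"
    return "Access-Accept" if response[0] == ACCESS_ACCEPT else f"RADIUS code {response[0]}"
```

Because the Gateway waits for the push approval before it answers, keep the timeout long; a reply that fails the authenticator check almost always means the passphrase on the Firebox and the secret on the AuthPoint RADIUS resource differ.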

Test the Integration

To test the integration of AuthPoint and the configuration of your Firebox, you can authenticate with a mobile token on your mobile device. For RADIUS resources, you can choose one-time password (OTP) or push.

Mobile VPN with SSL

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. Open your SSLVPN client.
  2. Type your AuthPoint user name and password.
  3. Approve the authentication request that is sent to your mobile device.
    You are logged in successfully.

Mobile VPN with IPSec

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

To authenticate with the Shrew Soft VPN client:

  1. Open your Shrew Soft VPN client.
  2. Select File > Import and import the <group name>.vpn config file.
  3. Select the <group name>.vpn config file. Click Connect.
  4. Type your AuthPoint user name and password.
  5. Approve the authentication request that is sent to your mobile device.
    You are logged in successfully.

To authenticate with the WatchGuard Mobile VPN client:

  1. Open your WatchGuard Mobile VPN client.
  2. Select Configuration > Profiles and import the <group name>.ini config file. (To generate the correct config file for this client, go back to step 15 of the Configure Mobile VPN with IPSec section and select the corresponding client from the Client drop-down list.)
  3. Click Add / Import, select Profile Import, click Next.
  4. Select your file, click Next to Finish.
  5. Select your profile as default, click OK.
  6. Click Connection > Connect, type your AuthPoint user name and password.
  7. Approve the authentication request that is sent to your mobile device.
    You are logged in successfully.
