Entrust Datacard SMS PASSCODE and Firebox Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure Firebox and Entrust Datacard SMS PASSCODE.

In our integration, SMS PASSCODE and Network Policy Server (NPS) are installed on one Windows Server. NPS is the Microsoft implementation of RADIUS.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • Entrust Datacard SMS PASSCODE
    • Version 11.1 (build 26301)
  • WatchGuard Firebox
    • Firebox with Fireware v12.5.1 or higher
  • NPS installed on Windows Server 2016 Standard

Test Topology

This diagram shows the test topology used for this integration.

CensorNet MFA SMSPASSCODE Topology

SMS PASSCODE Server includes:

  • SMS PASSCODE Database Service
  • SMS PASSCODE Web Administration Interface
  • SMS PASSCODE Authentication Backend Service
  • SMS PASSCODE Transmitter Service
  • SMS PASSCODE RADIUS Protection

SMS PASSCODE Cloud Service does not need to be configured.

Before You Begin

Before you begin these procedures, make sure that you:

  • Configure Windows Server 2016 as Active Directory Domain Services (AD DS)
  • Add groups and users in AD DS
  • Install and configure Network Policy Server (NPS) on Windows Server 2016
  • Configure Mobile VPN with SSL on your Firebox
  • Download and install the Mobile VPN with SSL client

To configure NPS, see the documentation on the Microsoft website.

To configure Mobile VPN with SSL on the Firebox, see Mobile VPN with SSL.

To install the Mobile VPN with SSL client, see Install and Connect the Mobile VPN with SSL Client.

Configure the Firebox for RADIUS

To configure a RADIUS server connection on Firebox:

  1. Log in to the Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers > RADIUS.
  3. Click Add to add a new RADIUS server.

RADIUS Server Settings on the Firebox

  4. In the Domain Name text box, type the domain name of the NPS Server.
  5. Select the Enable RADIUS Server check box.
  6. In the IP Address text box, type the IP address of the NPS Server.
  7. In the Port text box, type the port the NPS Server uses for RADIUS authentication. The default port is 1812.
  8. In the Shared Secret and Confirm Secret text boxes, type the shared secret you configured for the RADIUS client on the NPS Server.
  9. In the Dead Time text box, type 0.

If a user does not respond to a multi-factor authentication (MFA) challenge, the Firebox marks the RADIUS server as dead for the Dead Time duration. The Firebox does not send authentication requests for other users to the RADIUS server during this time. To avoid this issue, specify a Dead Time of 0 minutes if you configure only a primary RADIUS server. If you also configure a backup RADIUS server, specify a Dead Time of 1 minute.

  10. Keep all other default settings.
  11. Click Save.
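The RADIUS exchange that these settings set up, shown as an added example (it is not part of this guide and is not WatchGuard, Microsoft or Entrust code): the client side builds an Access-Request the way a RADIUS client such as the Firebox does under RFC 2865 (Request Authenticator, PAP password hiding with the shared secret) and checks the Response Authenticator on every reply; the server side is a constructed stand-in for NPS with an MFA extension that answers a correct password with an Access-Challenge carrying a State attribute, then accepts the second request only if it echoes that State and carries the one-time passcode. The user name, shared secret and passcode are constructed samples. The example goes a little beyond the page in also showing what happens when the client's shared secret does not match the server's.

```python
"""RADIUS PAP login with an MFA Access-Challenge, modelled end to end (RFC 2865).
Added illustration for this guide, not WatchGuard, Microsoft or Entrust code. The
server is a constructed stand-in for NPS plus an MFA extension; every user name,
secret and passcode below is a constructed sample."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()

class MfaRadiusServer:
    """Constructed stand-in for NPS plus an MFA RADIUS extension."""
    def __init__(self, secret, users, passcode):
        self.secret, self.users, self.passcode = secret, users, passcode
        self.pending = {}  # State token -> user who still owes a passcode

    def handle(self, packet):
        code, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        pw = reveal_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a and self.pending.pop(a[STATE], None) == user:
            # Second leg: User-Password now carries the one-time passcode.
            reply, reply_attrs = (ACCESS_ACCEPT if pw == self.passcode else ACCESS_REJECT), []
        elif self.users.get(user) == pw:
            # First leg: password is right, so challenge for the second factor.
            state = os.urandom(8)
            self.pending[state] = user
            reply, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter Passcode"), (STATE, state)]
        else:
            reply, reply_attrs = ACCESS_REJECT, []
        auth = response_authenticator(reply, ident, reply_attrs, req_auth, self.secret)
        return encode(reply, ident, auth, reply_attrs)

def client_request(secret, ident, user, password, state=None):
    """Build an Access-Request; returns the packet and its Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo the challenge's State unchanged
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def verify_reply(reply, req_auth, secret):
    """Reject replies whose Response Authenticator does not match our secret."""
    code, ident, auth, attrs = decode(reply)
    if auth != response_authenticator(code, ident, attrs, req_auth, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, dict(attrs)

def run_login(server, secret, user, password, passcode):
    """Drive the two-leg login the way the Firebox does; returns the final code."""
    req, req_auth = client_request(secret, 1, user, password)
    code, attrs = verify_reply(server.handle(req), req_auth, secret)
    if code != ACCESS_CHALLENGE:
        return code
    # The Firebox now prompts for the passcode; a user who never answers is the case the Dead Time note above covers.
    req, req_auth = client_request(secret, 2, user, passcode, attrs[STATE])
    return verify_reply(server.handle(req), req_auth, secret)[0]

SECRET = b"constructed-shared-secret"
SERVER = MfaRadiusServer(SECRET, {"EXAMPLE\\alice": b"Passw0rd!"}, b"482913")
```

Calling run_login(SERVER, SECRET, "EXAMPLE\\alice", b"Passw0rd!", b"482913") returns ACCESS_ACCEPT; a wrong password is rejected on the first leg and a wrong passcode on the second. The Access-Challenge is the point at which the Firebox waits on the user, which is why the Dead Time note matters. Two points worth keeping in mind when the integration does not work: the shared secret from the Shared Secret text box is what both hides the password and signs the replies, and RFC 2865 requires a client to silently discard a reply whose Response Authenticator does not verify, so a mismatched secret usually surfaces as a timeout rather than as an explicit reject. The State attribute must be returned exactly as received, or the server cannot pair the passcode with the earlier password check.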

Next, add RADIUS users and groups on the Firebox:

  1. Select Authentication > Users and Groups.
  2. Click Add.
  3. For Type, select User.
  4. In the Name text box, type the same user name you created on the NPS Server.
  5. From the Authentication Server drop-down list, select RADIUS.

Add User or Group dialog box on the Firebox

  6. Click OK.
    The user is added to the Users and Groups list on the Firebox.
  7. Click Add.
  8. For Type, select Group.
  9. In the Name text box, type the same group name you created on the NPS Server.
  10. From the Authentication Server drop-down list, select RADIUS.

Add User or Group dialog box on the Firebox

  11. Click OK.
    The group is added to the Users and Groups list on the Firebox.

Users and Groups list on the Firebox

  12. Click Save.

For more information about RADIUS configuration on the Firebox, see Configure RADIUS Server Authentication.

Install and configure SMS PASSCODE

Before you install SMS PASSCODE, make sure the Mobile VPN with SSL client can connect to the Firebox with NPS as the RADIUS server.

To install and configure SMS PASSCODE:

  1. In the SMS PASSCODE installer, select Install Core Components and Install Authentication Client Protections. Click Next.

Installation Scope dialog box in SMS PASSCODE

  2. On the Authentication Clients dialog box, select RADIUS Protection. Click Next.

Authentication Clients dialog box in SMS PASSCODE

  3. After SMS PASSCODE installs successfully, open the SMS PASSCODE administration site at http://localhost:2000.
  4. Select Users > Maintain Users.
  5. Click Add new user.
  6. In the Display name text box, type the display name for the user.
  7. In the Login (SAM) text box, type the domain name followed by the user name that you created in AD DS. Use this format: domainname\username.
  8. In the Phone number text box, type the mobile phone number that will receive the passcode.
  9. Keep all other default settings.
  10. Click Save.

Basic Settings tab in SMS PASSCODE

Test the Integration

To test the integration:

  1. Launch the Mobile VPN with SSL client.
  2. In the Server text box, type the IP address configured in the Mobile VPN with SSL settings. This should be the IP address of the Firebox external interface.
  3. In the User name text box, type the user name configured in AD DS.
  4. In the Password text box, type the password.

Mobile VPN with SSL connection dialog box

  5. Click Connect.
    A passcode is sent to the mobile phone number you specified in the SMS PASSCODE settings.
  6. In the Enter Passcode dialog box, type the passcode you received on your phone.

Enter Passcode dialog box

  7. Click OK. The Mobile VPN with SSL client connects.