OneSpan Authentication Server Integration Guide

Deployment Overview

This document describes how to integrate OneSpan Authentication Server with a WatchGuard Firebox. You can use the combination of these two products to set up a more secure remote connection between the outside world and your company’s internal network.

OneSpan Authentication Server supports integration into an existing environment with a RADIUS Server, Active Directory Server or LDAP Server. In this document, we use a RADIUS Server as an example. To demonstrate user authentication in this document, we use the WatchGuard Mobile VPN with SSL client.

In this document, we describe how to configure the OneSpan Authentication Server and Firebox to work together.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware version 12.7
  • OneSpan Authentication Server version 3.21.0.5607

Test Topology

Screenshot of the test topology

OneSpan Authentication Server Configuration

To start, we must configure the settings in OneSpan Authentication Server.

Configure Users and Policies

Log in to the OneSpan Authentication Server.

  1. Select Users > Create.

Screenshot of OneSpan

  2. In the User ID text box, type the user name.
  3. In the Enter static password and Confirm static password text boxes, type the static password for this user account.

Screenshot of OneSpan

  4. Click Submit.
  5. Select Policies > Create.

Screenshot of OneSpan

  6. In the Policy ID text box, type a name for the policy.

Screenshot of OneSpan

  7. Click Submit.
  8. Select Policies > List.
  9. Select the policy you created.
  10. From the Policy tab, click Edit.

Screenshot of OneSpan

  11. From the Local Authentication drop-down list, select the suitable authentication method. In our example, we select DIGIPASS/Password during Grace Period.

Screenshot of OneSpan

  12. Select the User tab.
  13. Click Edit.

Screenshot of OneSpan

  14. If you have a domain, in the Account Constraints section, in the Default Domain text box, type your domain.

Screenshot of OneSpan

  15. Click Save.
  16. Select the RADIUS tab.
  17. Click Edit.

Screenshot of OneSpan

  18. In the RADIUS Protocol Settings section, from the Supported Protocols drop-down list, select Any.
  19. Click Save.

Screenshot of OneSpan

Add the Firebox as a Client

In the Clients configuration, you specify the location from which OneSpan will accept requests and the protocol it uses. To do this, you must add the Firebox as a RADIUS client.

  1. Select Clients > Register.

Screenshot of OneSpan

  2. From the Client Type drop-down list, select RADIUS Client.
  3. In the Location text box, type the Firebox interface IP address. This interface will receive the RADIUS request. This is usually the Trusted or Optional interface.
  4. From the Policy ID drop-down list, select the policy that you created in the previous section.
  5. In the Shared Secret and Confirm Shared Secret text boxes, type the shared secret.
    This shared secret must match the shared secret you configure in the RADIUS server settings on the Firebox.
  6. If necessary, in the Character Encoding text box, type the encoding used. If you do not use encoding, leave this field empty.

Screenshot of OneSpan

  7. Click Submit.

Assign a DIGIPASS to Users

OneSpan enables users to log in with a One-Time Password (OTP). The DIGIPASS is a device that generates OTPs for the user.

To enable a user to use an OTP as part of the password, you must assign a DIGIPASS to the user.

  1. Select DIGIPASS > List.

Screenshot of OneSpan

  2. Click Assign.
  3. Follow the wizard to finish the assignment.

If a user does not have a DIGIPASS assigned to them, they can use the static password to authenticate and log in. If a DIGIPASS is assigned to the user, the user can set a password on the DIGIPASS token, then use the DIGIPASS token password and the OTP (shown on the DIGIPASS token) to authenticate and log in. See the OneSpan documentation for more details.

Firebox Configuration

This configuration procedure uses Fireware Web UI. You can also use Policy Manager to complete these steps.

Configure the RADIUS Server on your Firebox

To authenticate with OneSpan Authentication Server, you must enable the RADIUS server and configure the settings on the Firebox.

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Authentication > Servers > RADIUS.
  3. Click Add.
  4. In the IP Address text box, type the IP address of the OneSpan Authentication Server.
  5. In the Port text box, type the port used in OneSpan Authentication Server for RADIUS authentication. The default port is 1812.
  6. In the Passphrase and Confirm text boxes, type the shared secret you configured for the RADIUS client on the OneSpan Authentication Server.
  7. In the Timeout text box, type 30.

Screenshot of the Firebox RADIUS server settings.

  8. Click Save.
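The shared secret entered on the OneSpan RADIUS client (Add the Firebox as a Client) and on the Firebox RADIUS server (this section) never crosses the wire; it keys the RADIUS User-Password hiding and the Response Authenticator. The following Python example, added here and not part of the WatchGuard or OneSpan documentation, models both sides of one Access-Request/Access-Accept exchange per RFC 2865 so you can see why a mismatched secret produces a garbled password on the server and an unverifiable reply on the client. It also shows that the "static password + OTP, no space" string the user types (see Mobile VPN with SSL Client Authentication) arrives at the server as one string, which OneSpan then splits. The secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values. In the real deployment this is the secret you type
# into both OneSpan (RADIUS client entry) and the Firebox (RADIUS server entry).
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Client side (the Firebox): Access-Request with User-Name and hidden User-Password."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list; a length under 2 would loop forever, so reject it."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_decode_request(packet: bytes, secret: bytes) -> tuple:
    """Server side (OneSpan): recover User-Name and the clear password using its own secret."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return attrs[ATTR_USER_NAME].decode(), password.decode(errors="replace")


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply keyed with a different secret fails this check."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def demo(secret_on_server: bytes = SHARED_SECRET) -> dict:
    """One exchange. The client always uses SHARED_SECRET; the server secret is a parameter
    so a mismatch between the two products can be simulated."""
    request_auth = os.urandom(16)
    # The user types static password followed directly by the OTP, no space.
    req = build_access_request(7, "alice", "StaticPw" + "123456", SHARED_SECRET, request_auth)
    user, password_seen = server_decode_request(req, secret_on_server)
    resp = build_response(ACCESS_ACCEPT, 7, request_auth, secret_on_server)
    return {"user": user, "password_seen_by_server": password_seen,
            "response_valid": verify_response(resp, request_auth, SHARED_SECRET)}


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("mismatched secrets:", demo(b"wrong-secret"))
```

With matching secrets the server sees `StaticPw123456` and the client accepts the reply; with a mismatch the server sees random bytes (OneSpan rejects the login) and the client discards the reply, which is why a secret typo shows up on the Firebox as a RADIUS timeout rather than an explicit error.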

Add Users

On the Firebox, add a new user to log in to the RADIUS server.

  1. Select Authentication > Users and Groups.
  2. Click Add.

Screenshot of the Add User or Group window.

  3. For Type, select User.
  4. In the Name text box, type the same user name you created on the OneSpan Authentication Server.
  5. From the Authentication Server drop-down list, select the RADIUS server you created in the previous section.
  6. Click OK.
    The user is added to the Users and Groups list on the Firebox.

Screenshot of firebox

  7. Click Save.

Configure RADIUS Authentication for Mobile VPN with SSL

To use RADIUS authentication for user connections with the Mobile VPN with SSL client, enable Mobile VPN with SSL and configure it to use RADIUS for authentication.

  1. Select VPN > Mobile VPN > SSL.
  2. In the SSL section, click Manually Configure.
  3. Select the Activate Mobile VPN with SSL check box.

Screenshot of firebox

  4. In the Primary text box, type the public IP address (external IP address) or domain name of the Firebox. This is the IP address or domain name that Mobile VPN with SSL clients connect to.
  5. Select the Authentication tab.
  6. Under Authentication Server Settings, from the drop-down list, select the RADIUS server you created in the previous section. Click Add.
  7. To set this as the default authentication server, select the RADIUS server in the list and click Move Up.
  8. In the Users and Groups section, select the check box next to the name of the user you created in the previous section.

Screenshot of firebox

  9. Click Save.

Test the Integration

To test the integration, we use Mobile VPN with SSL to test user authentication.

Download the Mobile VPN with SSL Client Software

  1. Select VPN > Mobile VPN > SSL.
  2. Click Download Client.
  3. Download and install the VPN client for your operating system.

Screenshot of firebox

Mobile VPN with SSL Client Authentication

After the user downloads and installs the VPN client, they use the user name and password configured on the OneSpan Authentication Server to connect with the Mobile VPN with SSL client.

  1. Launch the Mobile VPN with SSL client.

Screenshot of firebox

  2. In the Server text box, type the Firebox IP address that you configured in the Mobile VPN settings on the Firebox in the previous section.
  3. In the User name text box, type the user name configured on the OneSpan Authentication Server.
  4. In the Password text box, type the password. Remember to append the OTP shown on the screen of the DIGIPASS to the end of the static password. Do not add a space between the static password and the OTP.
  5. Click Connect.
    The Mobile VPN with SSL client shows the status Connected.