SafeNet Authentication Service (SAS) Integration Guide

SafeNet Authentication Service® (SAS) uses the RADIUS protocol to communicate with many VPN and access-gateway solutions. This document describes how to integrate the SAS two-factor authentication solution with the WatchGuard Mobile VPN with SSL client.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox with Fireware v11.10.x or higher
  • SAS, the SafeNet cloud-based authentication service
  • MobilePASS

How SAS Works

This diagram shows the data flow of a multi-factor authentication transaction with the WatchGuard Firebox.

  1. A user logs on to the WatchGuard Firebox with a One Time Password (OTP).
  2. The Firebox sends a RADIUS request with the user’s credentials to SAS for validation.
  3. SAS sends the authentication reply back to the Firebox.
  4. The user is granted or denied access through the Firebox based on the response from SAS.

Configure SAS

The deployment of SAS multi-factor authentication for a WatchGuard Firebox with the RADIUS protocol requires:

  • User stores synchronized to SAS
  • Authenticator assignment in SAS
  • WatchGuard Firebox added as an authentication node in SAS

Synchronize User Stores to SAS

Before SAS can authenticate users, you must create a user store in SAS for the users who must use multi-factor authentication. User records are created in the SAS user store with one of the these methods:

  • Manually — Use the Create User shortcut to create one user at a time
  • Manually — Import one or more user records in a flat file
  • Automatically — Use the SAS Synchronization Agent to synchronize with your Active Directory/LDAP server

For more information on how to import users to SAS, see the section on user creation in the SafeNet Authentication Service Subscriber Account Operator Guide.

In this document, we show you how to use the Create User shortcut to manually create users. To learn more about how to create users, see the SafeNet documentation.

  1. Log in to the SAS Web UI with your Operator account and password.
  2. Click Create User.
  3. Type the user's first name, last name, user ID, and email address. In this example, we create a user named user1.
  4. Click Add.

Authenticator Assignment in SAS

SAS supports many authentication methods that can be used as secondary authentication factors for users who authenticate through their WatchGuard Firebox:

  • eToken PASS
  • RB-1 keypad token
  • KT-4 token
  • SafeNet GOLD
  • SMS tokens
  • MP-1 software token
  • GrIDsure authentication
  • MobilePASS

Authenticators can be assigned to users in two ways:

  • Provisioned Manually — Assign an authenticator to users one at a time
  • Provision Rules — Set rules in SAS that are triggered when group memberships and other user attributes change (an authenticator is assigned automatically to the user)

    For more information about how to provision the different authentication methods to the users in the SAS user store, see the provisioning rules section in the SafeNet Authentication Service Subscriber Account Operator Guide.

In this document, we show you how to manually provision a MobilePASS authenticator and assign it to the user named user1.

  1. From the user1 detail page, select Tokens.
  2. Click Provision.
  3. From the Select Authentication Type list, for Authentication Type select MobilePASS.
    An email message is sent to the email address for your user.

  1. Open the email message and click the link to enroll your MobilePASS token. Below is an example email message.

  1. If the MobilePASS token is enrolled successfully, you see an image similar to this one.

Add WatchGuard Firebox as an Authentication Node in SAS

You must add a RADIUS entry in the SAS Authentication Nodes module so that SAS can receive RADIUS authentication requests from your Firebox. To do this, you need the IP address of your Firebox and the shared secret to be used by both SAS and the Firebox.

To add an authentication node in SAS:

  1. Log in to the SAS console with the Operator account and password.
  2. Select Comms > Auth Nodes.

  1. Click the Auth Nodes link.

  1. Click Add.
  2. In the Add Auth Nodes tab, in the Auth Node Name text box, type a name to describe this authentication node.
  3. In the Host Name text box type the name of the host that will authenticate with SAS.
  4. In the Low IP Address in Range text box, type the IP address of the host that will authenticate with SAS. This is the Firebox IP address that Mobile VPN with SSL clients connect to, which is usually the primary IP address of the Firebox external interface.
  5. Select the Configure FreeRADIUS Synchronization check box.
  6. In the Shared Secret and Confirm Shared Secret text boxes, type a shared secret to use for communication with the Firebox.

  1. Click Save.
    The Auth Node is added to the system.

Configure the Firebox

In this example, we use Fireware Web UI to configure our Firebox. You can also use Policy Manager to complete these steps.

Configure the Firebox to use RADIUS server authentication

To authenticate with SAS, you must enable the RADIUS server on the Firebox.

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Authentication > Servers > RADIUS.
  3. Select the Enable RADIUS Server check box.

  1. In the IP Address text box, type the IP address of the SAS.
  2. In the Port text box, type the port used in SAS for RADIUS authentication. The default is port 1812.
  3. In the Passphrase and Confirm text boxes, type the shared secret you configured for the Auth Node on SAS.
  4. Click Save.

Add Users

On the Firebox, add a new user to log on to the RADIUS server.

  1. Select Authentication > Users and Groups.
  2. Click Add.
  3. Select User.
  4. In the Name text box, type the same user name you created on the SAS. In our example, we type user1.
  5. From the Authentication Server drop-down list, select RADIUS.
  6. Click OK.
    The user is added to the Users and Groups list on the Firebox.

  1. Click Save.

Configure Mobile VPN with SSL with RADIUS Authentication

To use RADIUS authentication for user connections with the Mobile VPN with SSL client, enable Mobile VPN with SSL and configure it to use RADIUS for authentication.

  1. Select VPN > Mobile VPN with SSL.
  1. Select the Activate Mobile VPN with SSL check box.

  1. In the Primary text box, type the IP address to which clients using Mobile VPN with SSL will connect. This is an IP address of the Firebox.
  2. Select Authentication.
  3. Select RADIUS (Default) to use the RADIUS authentication server.

  1. Click Save.

Test the Integration

In this example, we use the Mobile VPN with SSL client to test user authentication.

Download the mobile VPN with SSL client software from the Firebox

  1. Browse to the SSL VPN web portal. The IP address is https://<IP of Firebox>:4100/sslvpn.html.

  1. In the Username text box, type the user name of a user defined in SAS.
  2. In the Password text box, type the password. In our example, we use MobilePASS to generate a passcode for use in the Password text box.

  1. If necessary, from the Domain drop-down list, select RADIUS.
  2. Click Login.
    The next authentication page appears if this user is authenticated.

  1. Generate a new passcode in MobilePASS and type the passcode in the text box.
  2. Click Apply.
    After successful authentication, the download page appears.

  1. Download the appropriate version of the VPN client for your operating system.

Mobile VPN with SSL Client Authentication

After you download and install the Mobile VPN with SSL client on your computer, you can use the same authentication process to connect to the Firebox with the SSL VPN client.