SecureAuth Integration Guide

This document describes the steps to integrate SecureAuth with client authentication and software downloads for the WatchGuard Mobile VPN with SSL client.

SecureAuth offers a variety of two-factor authentication methods:

  • Time-based passcodes
  • Push-to-accept
  • Email one-time passcodes (OTP)
  • SMS OTP
  • Knowledge-based authentication (KBA/KBQ)

This document explains how to use the email OTP authentication method only. For information about other two-factor authentication methods, see the SecureAuth documentation.

Test Topology and Workflow

This diagram outlines the topology used in the integration. In this diagram, the SecureAuth Identity Provider (IdP) server and SecureAuth IdP RADIUS server are located on the same computer.

Test Topology diagram of the SecureAuth IdP Server and SecureAuth IdP Radius Server

This diagram shows the workflow for two-factor authentication through integration with SecureAuth:

Diagram of the workflow for two-factor authentication with SecureAuth

  1. The SSL VPN client initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to the SecureAuth Identity Provider (IdP) RADIUS server.
  3. The SecureAuth IdP RADIUS server connects to the SecureAuth IdP server.
  4. The SecureAuth IdP server forwards the authentication request to the Active Directory (AD) server where the user information is stored.
  5. The SecureAuth IdP RADIUS server completes primary authentication.
  6. The SecureAuth IdP RADIUS server requests secondary authentication from the SecureAuth IdP server.
  7. The SecureAuth IdP server requests secondary authentication information (mail address) from the AD server. The AD server sends a response.
  8. The SecureAuth IdP server delivers the OTP through SecureAuth Cloud Services (the SecureAuth IdP server calls the SMTP server to send the OTP email).
  9. The SecureAuth IdP server receives the secondary authentication result.
  10. The SecureAuth IdP server sends the secondary authentication result to the SecureAuth IdP RADIUS server.
  11. The SecureAuth IdP RADIUS server returns the secondary authentication result to the WatchGuard Firebox.
  12. The Firebox grants the user access.

Platform and Software

The hardware and software used to complete the integration outlined in this document include:

  • WatchGuard Firebox with Fireware v12.4.1
  • SecureAuth IdP v9.3
  • SecureAuth RADIUS Server v2.5.1
  • Active Directory (AD) server with Windows Server 2016

Configure SecureAuth IdP Server

The high-level steps to configure the SecureAuth IdP server include:

  • Configure email settings
  • Configure the LDAP connection
  • Configure the default workflow
  • Enable API authentication

To configure email settings:

  1. Log in to the SecureAuth admin console.
  2. In the upper-right corner, click Go to Classic Experience.
    Screenshot of the SecureAuth admin console dialog box
  3. Select Admin Realm.
  4. From the Realm Navigation section, select the SecureAuth998 check box.
    Screenshot of the SecureAuth admin console dialog box, Overview tab
  5. Select the Overview tab.
  6. In the Advanced Settings section, click Email Settings.
    Screenshot of the SecureAuth admin console dialog box
  7. In the SMTP section, in the Server Address text box, type the SMTP server address.
  8. In the Port text box, type 25.
  9. In the Username and Password text boxes, type the user name (email) and password.
    The system sends a one-time passcode to the email address specified here.
  10. In the Email section, in the Sender Address text box, type the email address that is used to send the one-time passcode.
    Screenshot of the SecureAuth Email Settings dialog box
  11. Click Save.

To configure the LDAP connection:

  1. Select the Data tab.
    The Membership Connection Settings page appears.
    Screenshot of the Membership Connection Settings dialog box
  2. In the Datastore Type section, from the Type drop-down list, select Active Directory (sAMAccountName).
  3. In the Datastore Connection section, in the Domain text box, type the domain name.
    For example, type ecotest.com.
  4. In the Connection String text box, type the LDAP IP address, followed by the domain name.
    For example, type LDAP://10.0.1.173/DC=ecotest,DC=com for the ecotest.com domain.
  5. In the Datastore Credentials section, in the Service Account text box, type a name for the account.
    For example, type test.
  6. In the adjacent @ text box, type the domain name.
    For example, type ecotest.com.
  7. In the Password text box, type a password for the service account.
    To configure the AD server information that you specified in steps 1–6, see Configure the AD Server.
  8. To confirm the connection to the AD server, click Test Connection.
    If the test is successful, a Connection Successful message appears.
    Screenshot of the SecureAuth Connection Successful dialog box
  9. In the Profile Fields section, in the Email 1 text box, make sure the value entered is mail.
  10. Select the Writable check box.
    Screenshot of the SecureAuth Profile fields dialog box
  11. Click Save.

To configure the default workflow and multi-factor authentication:

  1. Select the Workflow tab.
  2. In the Workflow section, from the Default Workflow drop-down list, select Username & Password | Second Factor.
    Screenshot of the SecureAuth Workflow dialog box
  3. Click Save.
  4. Select the Multi-Factor Methods tab.
  5. In the Email Settings section, from the Email Field 1 drop-down list, select One-Time Passcode via HTML Email.
    Screenshot of the SecureAuth Email Settings dialog box
  6. Select Disabled for all other email settings.
  7. Click Save.

To enable API authentication:

  1. Select the API tab.
  2. In the API Key section, select the Enable API for this realm check box.
  3. To create the Application ID and Application Key, click Generate Credentials.
  4. Copy or note these values for reference.
    The keys are used to configure the SecureAuth RADIUS server.
    Screenshot of the SecureAuth Generate Credentials, API Permissions dialog box
  5. In the API Permissions section, select the Enable Authentication API and User Self-service Password Change check boxes.
  6. Click Save.

Configure SecureAuth RADIUS Server

To download and configure the SecureAuth RADIUS server:

  1. Download the SecureAuth RADIUS server from https://www.secureauth.com/Support/Downloads/Support-Tools.aspx.
  2. Log in to the SecureAuth RADIUS server Web UI at http://localhost:8088/configuration.
  3. Select the Settings tab.
  4. In the RADIUS Server Settings section, in the Shared Secret text box, type a password.
    For example, type 11111111.
    Screenshot of the SecureAuth RADIUS Server Settings dialog box, Settings tab
  5. Click Save.

To configure the IdP Realm:

  1. Select the IdP Realms tab.
  2. Click .
  3. In the Primary IdP Host text box, type localhost.
    If the two servers are not on the same computer, type the SecureAuth IdP server IP address.
  4. In the IdP Realm text box, type SecureAuth998.
  5. In the API Application ID and API Application Key text boxes, type the application ID and key generated in the previous procedure.
    Screenshot of the SecureAuth RADIUS Server Settings, Edit IdP Realms dialog box
  6. Click Save Changes.
    The IdP Realm shows as enabled.
    Screenshot of the SecureAuth RADIUS Server Settings dialog box, IdP Realms tab

To configure the RADIUS client and authentication workflow:

  1. Select the RADIUS Clients tab.
  2. Click Add Client or edit the existing client details.
  3. In the Client Name text box, type a name.
    In this example, the Client Name is client.
  4. In the IP Address text box, type the IP address of the WatchGuard Firebox connected to the RADIUS server.
  5. From the IdP Realm drop-down list, select https://localhost/SecureAuth998.
  6. From the Authentication Workflow drop-down list, select Username | Second Factor.
    Screenshot of the SecureAuth RADIUS Clients, Add RADIUS Client dialog box
  7. Click Save Changes.
    The RADIUS client shows as enabled.
    Screenshot of the SecureAuth RADIUS Clients, Add RADIUS Client dialog box

Configure the AD Server

  1. Create an AD server.
    In this example, the domain name is ecotest.com.
    Screenshot of the Configure AD Server list
  2. Add a new user.
    Screenshot of User name as Test
  3. Click Next.
  4. Double-click the new user.
    The Properties dialog box appears.
  5. Select the General tab.
  6. In the E-mail text box, type the email address where the one-time passcode is received.
    Screenshot of the Test Properties dialog box, General tab, Email text box
  7. Click OK.

Configure RADIUS Authentication Server on the Firebox

  1. Log in to Fireware Web UI.
  2. Select Authentication > Servers.
  3. In the Authentication Servers list, select RADIUS.
  4. Select the Enable RADIUS Server check box.
    Screenshot of the Servers, RADIUS Primary Server Settings dialog box
  5. In the IP Address text box, type the IP address of the SecureAuth RADIUS server.
  6. In the Port text box, type 1812.
  7. In the Shared Secret and Confirm Secret text boxes, type the passcode.
    For example, type 11111111.
  8. In the Timeout text box, type 60 or higher.
  9. Click Save.
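The shared secret entered on the SecureAuth RADIUS server and on the Firebox is what ties the two together: it hides the User-Password attribute in the Access-Request that the Firebox sends in step 2 of the workflow, and it authenticates every Accept, Reject or Challenge the server sends back. The following Python script is added here as an illustration of that mechanism as RFC 2865 defines it; it is not code from WatchGuard or SecureAuth, covers only the primary-authentication round trip (not the OTP step), and uses a constructed user name, password and fixed Request Authenticator as sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _attr(atype, value):
    # Attribute = Type (1 byte) | Length (1 byte, header included) | Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(plain[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(blob, secret, req_auth):
    # Inverse of hide_password: what the RADIUS server computes on receipt.
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, username, password, secret, req_auth=None):
    # The primary-authentication packet the Firebox sends to UDP port 1812.
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def response_is_authentic(response, req_auth, secret):
    # Client-side check: a spoofed or modified Accept/Reject fails here unless the sender holds the secret.
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Because both the password hiding and the response check reduce to MD5 over the shared secret, the strength of that secret (and keeping the Firebox-to-RADIUS path on a trusted network) is the whole of the protection this hop provides.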

Configure a User Group on the Firebox

You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups to match those defined on your RADIUS server.

  1. Log in to Fireware Web UI.
  2. Select Authentication > Users and Groups.
  3. Click Add.
  4. In the Add User or Group dialog box, select the User option.
    Screenshot of the Add User or Group dialog box
  5. In the Name text box, type a user name.
  6. From the Authentication Server drop-down list, select RADIUS.
  7. Click OK.
    Screenshot of the Users and Groups dialog box
  8. Click Save.

Configure Mobile VPN with SSL on the Firebox

  1. Log in to Fireware Web UI.
  2. Select VPN > Mobile VPN.
  3. In the SSL section, click Manually Configure.
  4. Select the Activate Mobile VPN with SSL check box.
  5. In the Firebox IP Addresses or Domain Names section, in the Primary text box, type the IP address or domain name to which mobile clients connect.
    Screenshot of the Mobile VPN with SSL dialog box
  6. Select the Authentication tab.
  7. In the Authentication Server section, from the drop-down list, select RADIUS.
  8. Click Add.
  9. Select the RADIUS server and click Move Up to set RADIUS as the default server.
  10. WatchGuard recommends that you select the Auto reconnect after a connection is lost and Force users to authenticate after a connection is lost check boxes in the Settings section.
    Screenshot of the Mobile VPN with SSL dialog box, Authentication tab
  11. In the Users and Groups section, click Add.
    The Add User or Group dialog box appears.
  12. Select the User option.
    Screenshot of the Add User or Group dialog box
  13. In the Name text box, type a name.
  14. From the Authentication Server drop-down list, select RADIUS.
  15. Click Save.
    Screenshot of the Mobile VPN with SSL dialog box, Authentication tab

When you activate Mobile VPN with SSL, an SSLVPN-Users user group and a WatchGuard SSL VPN policy are automatically created and added to your configuration to allow SSL VPN connections from the Internet to the external interface. You can use these groups or create new groups that match the user group names defined on your authentication server.

Mobile VPN with SSL Client Software Download

To download the Mobile VPN with SSL client:

  1. Log in to Fireware Web UI.
  2. Select VPN > Mobile VPN.
  3. In the SSL section, click Download Client.
    Screenshot of the Mobile VPN with SSL Client Software Download

Mobile VPN with SSL Client Authentication

After you install and configure the Mobile VPN with SSL client on your computer, you can use two-factor email authentication to connect to your Firebox.

To connect to the Firebox with the Mobile VPN with SSL client:

  1. Run the Mobile VPN with SSL client.
  2. In the Server text box, type the IP address of the Firebox.
  3. In the User name text box, type the user name.
  4. In the Password text box, type the password.
    Screenshot of the WatchGuard Firebox SSL dialog box
  5. Click Connect.
    The one-time passcode (OTP) dialog box appears. You also receive an email message with the required OTP.
  6. Type the OTP in the text box.
    Screenshot of the WatchGuard Mobile VPN with SSL One-Time Password dialog box
  7. Click OK.