
SecureAuth Integration Guide

This document describes the steps to integrate SecureAuth with client authentication and software downloads for the WatchGuard Mobile VPN with SSL client.

SecureAuth offers a variety of two-factor authentication methods:

  • Time-based passcodes
  • Push-to-accept
  • Email one-time passcodes (OTP)
  • SMS OTP
  • Knowledge-based authentication (KBA/KBQ)

This document explains how to use the email OTP authentication method. For information about other two-factor authentication methods, see the SecureAuth Guide.

This diagram shows the workflow for two-factor authentication through integration with SecureAuth:

Diagram of the workflow for two-factor authentication with SecureAuth

  1. The user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to the SecureAuth IdP RADIUS server.
  3. The SecureAuth IdP RADIUS server connects to the SecureAuth IdP server, which forwards the authentication request to the Active Directory (AD) server where the user account is stored.
  4. The SecureAuth IdP RADIUS server completes primary authentication.
  5. The SecureAuth IdP RADIUS server requests secondary authentication from the SecureAuth IdP server.
  6. The SecureAuth IdP server requests the secondary authentication information (the user's mail attribute) from the AD server.
  7. The AD server sends a response.
  8. The SecureAuth IdP server conducts secondary authentication: it generates a one-time passcode and calls the SMTP server to send it to the user's email address.
  9. The SecureAuth IdP server receives the secondary authentication result.
  10. The SecureAuth IdP server sends the secondary authentication result to the SecureAuth IdP RADIUS server.
  11. The SecureAuth IdP RADIUS server sends the secondary authentication result to the WatchGuard Firebox.
  12. The Firebox grants the user access.
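On the wire between the Firebox and the RADIUS server, steps 2 through 11 are a standard RADIUS challenge-response (RFC 2865): the first Access-Request carries the user name and password, the RADIUS server answers with Access-Challenge plus a State attribute once the password checks out and the passcode email is on its way, and the Firebox then sends a second Access-Request that carries the passcode the user typed and echoes the State. The following added example is not SecureAuth or WatchGuard code; it implements a minimal RADIUS client and a stand-in OTP server in Python with only the standard library and runs both rounds in one process. The shared secret 11111111, the user test with password Passw0rd and the wg.com mailbox are this guide's example values; the six-digit passcode format, the Reply-Message text and the in-memory user store are assumptions made for the demo. It also shows the two checks a practitioner cares about: the server refuses a missing or reused State, and the client discards a response whose authenticator was computed with a different shared secret, which is what a secret mismatch between the Firebox and the RADIUS server looks like in practice.

```python
# Added example: a minimal RADIUS (RFC 2865) client/server pair that walks the
# password-then-email-OTP exchange described above. Not SecureAuth or WatchGuard
# code; the shared secret, user record and addresses are constructed for the demo.
import hashlib, hmac, os, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of pap_hide; only a holder of the shared secret recovers the password.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):                       # each TLV: type, length (incl. header), value
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_request(ident: int, secret: bytes, username: str, password: str, extra=()) -> bytes:
    # Access-Request as the Firebox sends it, with a fresh random Request Authenticator.
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_hide(password.encode(), secret, req_auth))] + list(extra)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code: int, request: bytes, secret: bytes, attrs) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the Firebox must check before trusting an Accept; a secret mismatch fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

class OtpRadiusServer:
    """Stand-in for the SecureAuth RADIUS server: check the password, then challenge for an email OTP."""
    def __init__(self, secret: bytes, users: dict):
        self.secret, self.users = secret, users
        self.pending = {}   # State value -> (username, OTP we expect back)
        self.outbox = []    # (recipient, OTP) that the IdP would hand to the SMTP server

    def handle(self, request: bytes) -> bytes:
        attrs = decode_attrs(request[20:])
        user = attrs[USER_NAME].decode(errors="replace")
        typed = pap_reveal(attrs[USER_PASSWORD], self.secret, request[4:20])
        state = attrs.get(STATE)
        if state is None:                      # round 1: primary authentication
            stored = self.users.get(user, {}).get("password", "").encode()
            if not hmac.compare_digest(stored, typed):
                return build_response(ACCESS_REJECT, request, self.secret, [])
            otp, state = f"{secrets.randbelow(10 ** 6):06d}", os.urandom(16)
            self.pending[state] = (user, otp)
            self.outbox.append((self.users[user]["mail"], otp))
            return build_response(ACCESS_CHALLENGE, request, self.secret,
                                  [(STATE, state), (REPLY_MESSAGE, b"Enter the passcode sent to your email")])
        # round 2: User-Password now carries the OTP; State ties it to round 1 and is single-use
        expected = self.pending.pop(state, None)
        ok = (expected is not None and expected[0] == user
              and hmac.compare_digest(expected[1].encode(), typed))
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, self.secret, [])

def run_flow(client_secret: bytes, server_secret: bytes, username: str, password: str,
             otp_override: str = None) -> int:
    """Drive both rounds as the Firebox would; final RADIUS code, or -1 on an authenticator failure."""
    server = OtpRadiusServer(server_secret, {"test": {"password": "Passw0rd", "mail": "test@wg.com"}})
    req1 = build_request(1, client_secret, username, password)
    resp1 = server.handle(req1)
    if not response_is_authentic(resp1, req1, client_secret):
        return -1
    if resp1[0] != ACCESS_CHALLENGE:           # Reject from round 1 (bad password or unknown user)
        return resp1[0]
    state = decode_attrs(resp1[20:])[STATE]
    otp = otp_override or server.outbox[-1][1]  # the user reads the OTP from the email message
    req2 = build_request(2, client_secret, username, otp, extra=[(STATE, state)])
    resp2 = server.handle(req2)
    return resp2[0] if response_is_authentic(resp2, req2, client_secret) else -1
```

Because round two only succeeds while the user is reading the email, the RADIUS timeout on the Firebox (set in Configure RADIUS Authentication Server on the Firebox) has to cover both round trips plus the user's reaction time, and the shared secret has to match on both ends or every response is discarded before its code is even looked at.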

Test Topology

This diagram outlines the topology used in this integration. In our example, the SecureAuth IdP server and SecureAuth IdP RADIUS server are located on the same computer.

Test Topology diagram of the SecureAuth IdP Server and SecureAuth IdP RADIUS Server

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox T10 with Fireware v11.11.4
  • SecureAuth IdP version 9.0.1
  • SecureAuth RADIUS Server version 2.1
  • Active Directory (AD) server on Windows Server 2012

Configure SecureAuth IdP Server

To configure SecureAuth IdP Server:

  1. Log in to the SecureAuth admin console at https://localhost/secureAuth0/localAdmin.aspx.

Screenshot of the SecureAuth admin console dialog box

  2. Select Admin Realm.
  3. From the navigation menu, select SecureAuth998.

Screenshot of the SecureAuth admin console dialog box, Overview tab

  4. Click Overview.
  5. Select Advanced Settings > Email Settings.

Screenshot of the SecureAuth admin console dialog box

  6. In the Server Address text box, type the SMTP server address.
  7. In the Port text box, type 25. Port 25 is unencrypted SMTP; if your mail server offers a TLS-protected submission port, use that instead so the SMTP credentials and the one-time passcodes are not sent in clear text on the network.
  8. In the Sender Address text box, type the email address that the one-time passcode messages are sent from. The passcode itself goes to the address stored in the user's AD mail attribute, not to this address.
  9. In the Username and Password text boxes, type the user name (email address) and password of the account that SecureAuth uses to authenticate to the SMTP server.

Screenshot of the SecureAuth Email Settings dialog box

  10. Select Data.
    The Membership Connection Settings page appears.

Screenshot of the Membership Connection Settings dialog box

  11. In the Datastore Type section, from the Type drop-down list, select Active Directory (sAMAccountName).
  12. In the Domain text box, type wg.com.
  13. In the Connection String text box, type LDAP://10.0.1.16/DC=wg,DC=com. If your AD server accepts LDAP over TLS (LDAPS), prefer it so the bind credentials and user attributes are not sent in clear text.
  14. In the Service Account text box, type test. In the adjacent @ text box, type wg.com.
  15. In the Password text box, type Passw0rd. These are example values; in our example the same account is also the VPN test user. In production, use a separate, read-only service account with a strong password for the bind, because this password is stored on the IdP server. To set up the AD domain and user account referenced in these steps, see Configure AD Server.
  16. To confirm the connection to the AD server is successful, click Test Connection.
    If the test is successful, the Connection Successful message appears.

Screenshot of the SecureAuth Group Permissions dialog box

Screenshot of the SecureAuth Connection Successful dialog box

  17. From the Profile Fields section, make sure the Email 1 setting is mail.

Screenshot of the SecureAuth Profile fields dialog box

  18. Select Workflow.

Screenshot of the SecureAuth Workflow tab

  19. From the Default Workflow drop-down list, select Username & Password | Second Factor.

Screenshot of the SecureAuth Workflow dialog box

  20. Select Multi-Factor Methods.

Screenshot of the SecureAuth Multi-Factor Methods tab

  21. From the Email Field 1 drop-down list, select Enabled (TEXT).
  22. Select Disabled for all other settings.

Screenshot of the SecureAuth Email Settings dialog box

  23. Select API.

Screenshot of the SecureAuth Generate Credentials, API Key tab

  24. Select the Enable API for this realm check box.
  25. Click Generate Credentials to create the Application ID and Application Key. Copy or note these values; they are used to configure the SecureAuth RADIUS server. Treat the Application Key as a secret: anyone who holds it can call this realm's authentication API, so store it only where the RADIUS server configuration needs it.

Screenshot of the SecureAuth Generate Credentials, API Key dialog box

  26. Select the Enable Authentication API and User Self-service Password Change check boxes.

Screenshot of the SecureAuth Generate Credentials, API Permissions dialog box

Configure SecureAuth RADIUS Server

  1. Download the SecureAuth RADIUS server from https://www.secureauth.com/Support/Downloads/Support-Tools.aspx.
  2. Log in to the SecureAuth RADIUS server Web UI at http://localhost:8088/configuration.
  3. Select Settings.
  4. In the Shared Secret text box, type 11111111. This value is only an example. The shared secret is the only protection for the RADIUS traffic between the Firebox and the RADIUS server (it keys both the password hiding and the response authenticators), so use a long, random secret in production and enter the same value on the Firebox.

Screenshot of the SecureAuth RADIUS Server Settings dialog box, Settings tab

  5. Select IdP Realms.
  6. Click the button to add a realm.

Screenshot of the SecureAuth RADIUS Server Settings dialog box, IdP Realms tab

  7. In the IdP Host text box, type localhost. If the two servers are not on the same computer, type the SecureAuth IdP server IP address or host name. The RADIUS server then calls the IdP API over the network (over HTTPS, as the realm URL in the following steps shows), so make sure the IdP certificate is one the RADIUS server trusts.
  8. In the IdP Realm text box, type SecureAuth998.
  9. In the API Application ID and API Application Key text boxes, type the application ID and application key generated in the previous section.

 Screenshot of the SecureAuth RADIUS Server Settings, Edit IdP Realms dialog box

  10. Select RADIUS Clients.
  11. Click Add Client.

Screenshot of the SecureAuth RADIUS Server dialog box, RADIUS Clients tab

  12. In the Client Name text box, type a name. In our example, we type client1.
  13. In the Client IP Address text box, type the IP address of the Firebox interface that sends RADIUS requests to the RADIUS server. A RADIUS server only answers requests from registered client addresses, so this must be the source address the RADIUS server actually sees.
  14. From the IdP Realm drop-down list, select https://localhost/SecureAuth998.
  15. From the Authentication Workflow drop-down list, select Username + 2FA Options.

Screenshot of the SecureAuth RADIUS Clients, Add RADIUS Client dialog box

  16. Click Add Client.

Configure AD Server

  1. Configure the AD server with the domain name wg.com.

Screen shot of the Configure AD Server list

  2. Add a new user. In our example, we specify the user name test and the password Passw0rd.

Screen shot of User name as Test

  3. Double-click the test user to open the Properties window.
  4. In the General tab, in the E-mail text box, type the email address.
    This is the email address where the one-time passcode is sent.

Screen shot of the Test Properties dialog box, General tab, Email text box

Configure RADIUS Authentication Server on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select Authentication > Servers > RADIUS.
  3. Select the Enable RADIUS Server check box.
  4. In the IP Address text box, type the IP address of the SecureAuth RADIUS server.
  5. In the Port text box, type 1812.
  6. In the Passphrase and Confirm text boxes, type the shared secret you configured on the SecureAuth RADIUS server. In our example, this is 11111111.
  7. In the Timeout text box, type 60 or a higher number. The timeout must cover the whole exchange: after the password is checked, the user has to receive the email, read the passcode, and type it before the Firebox gives up on the request.
  8. Leave the default value for all other settings.
  9. Click Save.

Screen shot of the Servers, RADIUS Primary Server Settings dialog box

Configure a User Group on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select Authentication > Users and Groups.

You can use the default SSLVPN-Users group for authentication, or you can add the names of users and groups to match those defined on your RADIUS server.

  3. Click Add.
  4. On the Add User or Group page, select User.
  5. In the Name text box, type test.
  6. (Optional) In the Description text box, type a description. In our example, we type test.
  7. From the Authentication Server drop-down list, select RADIUS.

Screen shot of the Add User or Group dialog box

  8. Click OK.

Screen shot of Users and Groups dialog box

  9. Click Save.

Configure Mobile VPN with SSL on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select VPN > Mobile VPN with SSL.
  3. Select Activate Mobile VPN with SSL.
  4. In the Primary text box, type the IP address or domain name that the mobile clients connect to. In our example, we use 10.138.101.10.
  5. Configure the network settings. Add an IP address pool if required.

Screen shot of Mobile VPN with SSL dialog box

  6. Select the Authentication tab.
  7. Select RADIUS and set it as the default authentication server, and also select Firebox-DB. We recommend that you select the Force users to authenticate after a connection is lost check box, but it is not required.

Screen shot of the Mobile VPN with SSL dialog box, Authentication tab

  8. Click Add.
    The Add User or Group page appears.
  9. From the Type list, select User.
  10. In the Name text box, type test.
  11. From the Authentication Server drop-down list, select RADIUS.
  12. Click OK.

Screen shot of the Add User or Group dialog box

  13. Click Save.

Screen shot of the Mobile VPN with SSL dialog box, Authentication tab

  14. Click Save.

When Mobile VPN with SSL is activated, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created and added to your configuration to allow SSL VPN connections from the Internet to the external interface. You can use these groups or create new groups that match the user group names defined on your authentication server.

Mobile VPN with SSL Client Software Download

To download the Mobile VPN with SSL client:

  1. Enable TLS 1.2 in your browser settings.

Screen shot of the Internet Options dialog box, Advanced tab

  2. Navigate to https://<device_interface_IP_address>/sslvpn.html.
    The authentication page appears.

Screen shot of WatchGuard authentication log in dialog box

  3. In the Username text box, type test.
  4. In the Password text box, type Passw0rd.
  5. From the Domain drop-down list, select RADIUS.
  6. Click Login.
    The One-time Passcode page appears.
  7. Open the email message that contains the one-time passcode. This email message is sent to the email address that you specified in the Configure AD Server section.

Screen shot of the email message with one-time passcode

  8. Type the one-time passcode (OTP) from the email message.

Screen shot of WatchGuard enter One-Time Passcode dialog box

  9. Click Apply.
    If authentication is successful, the download page appears.

Screen shot of WatchGuard authentication log in dialog box

  10. In the section for your OS, click Download to download the Mobile VPN with SSL client software.

Mobile VPN with SSL Client Authentication

After you install and configure the Mobile VPN with SSL client on your computer, you can use two-factor email authentication to connect to your Firebox with the Mobile VPN client software.

  1. Run the Mobile VPN with SSL client.
  2. In the Server text box, type the IP address of the Firebox.
  3. In the User name text box, type your user name.
  4. In the Password text box, type your password.
  5. Click Connect.
    The One-time Passcode (OTP) page appears, and you receive an email message with the OTP.

Screen shot of the WatchGuard Firebox SSL dialog box

  6. Type your OTP. Click OK.

Screen shot of WatchGuard Mobile VPN with SSL One-Time Password dialog box

  7. To test whether you connected to the Firebox successfully, in your system tray, right-click the WatchGuard Mobile VPN with SSL icon.
  8. Select Status.
    The Status page appears. If the connection is successful, you see IP addresses and a connection duration.

Screen shot of the WatchGuard Mobile VPN with SSL dialog box
