Swivel Secure AuthControl Sentry Integration Guide

Deployment Overview

The Swivel Secure AuthControl Sentry® is RADIUS compatible and can be used as a RADIUS server. This document describes the steps necessary to integrate the WatchGuard Mobile VPN with SSL client download process and Mobile VPN with SSL client authentication with Swivel Secure's AuthControl Sentry two-factor authentication solution.

Swivel Secure AuthControl Sentry supports several user authentication methods. This integration uses email.

Two-factor authentication workflow diagram

This diagram shows the workflow for two-factor authentication through integration with Swivel AuthControl Sentry:

  1. A user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends a RADIUS authentication request, with the user name and password, to AuthControl Sentry.
  3. AuthControl Sentry checks the password. If it is correct, it responds to the Firebox with a RADIUS challenge (Access-Challenge) that asks for a one-time code.
  4. The Firebox prompts the user with a second dialog box.
  5. If the password is correct and Dual Channel on-demand authentication is enabled, AuthControl Sentry sends a dual channel security string (the one-time code) to the user in the configured format (SMS text message, Turing image, mobile phone client application, or email). This integration uses email.
  6. The user types the one-time code in the second dialog box, and the Firebox sends a second authentication request to AuthControl Sentry.
  7. AuthControl Sentry authenticates the user based on the password from the first authentication request and the one-time code from the second authentication request.
  8. The Firebox receives the authentication result from AuthControl Sentry.
  9. The Firebox grants the user access.
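The exchange in steps 2 through 8, as an added example that is not part of this guide and is not WatchGuard or Swivel Secure code: a Python simulation of the two-stage RADIUS flow, with a Firebox stand-in as the NAS and a Sentry stand-in as the server, both in-process and using RFC 2865 packet formats. The shared secret, the user alice and her email address, the six-digit code format and the Reply-Message text are constructed for the demo; the attribute usage of the real AuthControl Sentry may differ. demo() with no arguments has the user copy the real code from the "email"; passing code_typed substitutes what the user types in the second dialog box, and passing password changes what is sent at stage 1. The NAS side verifies the Response Authenticator on every reply, which is the check that detects a mismatched shared secret or a spoofed RADIUS server.

```python
"""Simulated two-stage RADIUS exchange (RFC 2865 packet formats): the Firebox as NAS, a Sentry stand-in as server, both in-process."""
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def encode_attrs(attrs):
    # Attribute = Type(1) | Length(1, header included) | Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _pw_xor(data, secret, req_auth, hide):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block); block 0 chains to the Request Authenticator
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ k for x, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return _pw_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, hide=True)

def unhide_password(hidden, secret, req_auth):
    return _pw_xor(hidden, secret, req_auth, hide=False).rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    # Header = Code(1) | Identifier(1) | Length(2) | Authenticator(16), then the attributes
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], decode_attrs(raw[20:length])

def response_authenticator(code, ident, req_auth, attrs, secret):
    # MD5(Code | ID | Length | RequestAuth | Attributes | Secret): proves a reply answers this request and came from the secret holder
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

class SentryStandIn:
    """RADIUS server with Two Stage Auth and on-demand Dual Channel (email) enabled. Constructed stand-in, not Sentry code."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users  # users: name -> (password, email address)
        self.pending, self.outbox = {}, []       # State -> (name, one-time code); (email, code) handed to SMTP

    def handle(self, raw):
        code, ident, req_auth, attrs = parse_packet(raw)
        a = dict(attrs)
        name = a.get(USER_NAME, b"").decode()
        pw = unhide_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:  # stage 2: User-Password carries the one-time code, State ties it to stage 1
            entry = self.pending.pop(a[STATE], None)
            ok = entry is not None and entry[0] == name and secrets.compare_digest(entry[1], pw)
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(user[0], pw):
            return self._reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Access denied")])
        otc, state = "".join(secrets.choice("0123456789") for _ in range(6)).encode(), os.urandom(16)  # State: single-use, unguessable
        self.pending[state] = (name, otc)
        self.outbox.append((user[1], otc))  # on-demand delivery of the security string by email
        return self._reply(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, b"Enter the one-time code"), (STATE, state)])

    def _reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)

def firebox_login(server, secret, name, password, read_email):
    """NAS side of the exchange. Returns (access granted, list of reply codes received)."""
    codes = []
    def send(ident, fields):
        req_auth = os.urandom(16)
        hidden = hide_password(fields.pop(USER_PASSWORD), secret, req_auth)
        attrs = [(USER_NAME, name.encode()), (USER_PASSWORD, hidden)] + list(fields.items())
        code, rid, resp_auth, rattrs = parse_packet(server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or not secrets.compare_digest(resp_auth, response_authenticator(code, rid, req_auth, rattrs, secret)):
            raise ValueError("reply failed the Response Authenticator check (wrong secret or spoofed server)")
        codes.append(code)
        return code, dict(rattrs)
    code, rattrs = send(1, {USER_PASSWORD: password})
    if code != ACCESS_CHALLENGE:
        return code == ACCESS_ACCEPT, codes
    # Second dialog box: the user types the code from the email; the State value is echoed back unchanged
    code, _ = send(2, {USER_PASSWORD: read_email(), STATE: rattrs[STATE]})
    return code == ACCESS_ACCEPT, codes

def demo(password=b"correct horse", code_typed=None):
    secret = b"constructed-shared-secret"  # NAS Secret on Sentry must equal the Firebox Shared Secret
    sentry = SentryStandIn(secret, {"alice": (b"correct horse", "alice@example.com")})
    def read_email():
        return code_typed if code_typed is not None else sentry.outbox[-1][1]
    return firebox_login(sentry, secret, "alice", password, read_email)
```

demo() returns (True, [11, 2]): an Access-Challenge followed by an Access-Accept. demo(code_typed=b"bad") returns (False, [11, 3]), and demo(password=b"wrong") returns (False, [3]) without any email being generated, which matches step 3 above: the one-time code is only sent after the password checks out. The same packet builders work against a live RADIUS server over UDP port 1812 if the in-process handle() call is replaced by a socket send; keep the Response Authenticator check, since without it a NAS will accept any Access-Accept sent to it.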

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.8.1
  • Swivel Secure AuthControl Sentry
    • Version 4.1.3.6468

Test topology

Test topology diagram

Configure Swivel Secure AuthControl Sentry

Configure RADIUS Settings

To configure RADIUS settings:

  1. Log in to the Swivel Secure AuthControl Sentry web UI at https://X.X.X.X:8080/sentry.
  2. From the left navigation bar, select RADIUS > Server.

Screen shot of RADIUS Server settings page

  1. From the Server enabled drop-down list, select Yes.
  2. For the other options, do not change the default settings.
  3. From the left navigation bar, select RADIUS > NAS.
  4. Click New Entry.

Screen shot of RADIUS NAS settings page

  1. In the Name text box, type a name.
  2. In the NAS Identifier text box, type the NAS name.
  3. In the Hostname/IP text box, type the trusted or optional interface IP address of the Firebox.
  4. In the Secret text box, type the shared secret to use for communication between the Firebox and RADIUS NAS.
  5. From the Vendor (Groups) drop-down list, select WatchGuard.
  6. From the Two Stage Auth drop-down list, select Yes.
  7. For the other options, do not change the default settings.
  8. Click Apply.

Configure Dual Channel Settings

To configure Dual Channel settings:

  1. From the left navigation bar, select Server > Dual Channel.

Screen shot of the Dual Channel settings page

  1. From the On-demand authentication drop-down list, select Yes.
  2. For the other options, do not change the default settings.
  3. Click Apply.

Configure SMTP

To configure SMTP:

  1. From the left navigation bar, select Messaging > General.

Screen shot of the Messaging General page

  1. Expand the SMTP settings.
  2. From the Destination attribute drop-down list, select email.
  3. From the Strings Repository Group drop-down list, select SwivelSMTP.
  4. From the Alert repository group drop-down list, select SwivelSMTP.
  5. For the other options, do not change the default settings.
  6. Click Apply.
  7. From the left navigation bar, select Messaging > SMTP.

Screen shot of the Messaging SMTP settings page

  1. In the From email address: text box, type the email address used to deliver the email message.
  2. For the other options, do not change the default settings.
  3. Click Apply.
  4. From the left navigation bar, select Server > SMTP.
    The SMTP Server settings page opens.

Screen shot of the SMTP Server settings page

  1. In the Hostname/IP text box, type the FQDN or the IP address of the SMTP server.
    This is the SMTP server that delivers email messages with a one-time authentication code.
  2. From the Authentication enabled drop-down list, select Yes.
  3. In the Username text box, type the user name of the SMTP server.
  4. In the Password text box, type the password of the SMTP server.
  5. For the other options, do not change the default settings.
  6. Click Apply.

Add a User

To add a user:

  1. From the left navigation bar, select User Administration.
  2. Click Add User.
    The user settings page opens.

Screen shot of the User Administration Add User page

  1. In the Username text box, type a name for the authentication user.
  2. In the Email address text box, type the email address for user authentication. This email address receives an email with the one-time code when the user authenticates.
  3. In the PIN text box, type a PIN for this user.
  4. In the Password text box, type a password for this user.
  5. In the Server groups panel, select SwivelSMTP.
  6. In the Server groups panel, select SwivelSMS.
  7. Click Apply.
    Dual authentication is enabled.

Screen shot of the User Administration page

For Swivel to send an email message with a one-time code, you must enable Dual authentication. To enable Dual authentication, you must select SwivelSMTP and a second authentication method, in this case, SwivelSMS.

Configure the WatchGuard Firebox

Configure the RADIUS Server

To configure the RADIUS Server:

  1. Log in to Fireware Web UI.
  2. Select Authentication > Servers > RADIUS.
  3. Click Add.

Screen shot of the Add RADIUS server settings page

  1. In the Domain Name text box, type the domain name. In our example, we use Swivel.
  2. In the Primary Server Settings section, select Enable RADIUS Server.
  3. In the IP Address text box, type the IP address of the RADIUS server. In this guide, we use the IP address of the Swivel Secure AuthControl Sentry.
  4. In the Shared Secret and Confirm Secret text boxes, type the shared secret used by the RADIUS client (Firebox) and the Swivel Secure AuthControl Sentry.
  5. In the Timeout text box, type 30.
  6. For the other options, do not change the default settings.
  7. Click Save.

Configure SSL VPN

To configure SSL VPN:

  1. Select VPN > Mobile VPN.
  2. In the SSL section, click Configure.

Screen shot of the Mobile VPN with SSL Configure page

  1. Select the Activate Mobile VPN with SSL check box.
  2. In the Primary text box, type the IP address of the Firebox external interface.
  3. Select the Authentication tab.
  4. To make Swivel the default authentication server, select Swivel and click Move Up.
  5. In the Users and Groups section, from the Create New drop-down list, select Swivel and User.
  6. Click Add.
    The Add User or Group dialog box opens.

Screen shot of the Add User or Group dialog box

  1. In the Name text box, type the user name.
  2. In the Description text box, type the description.
  3. From the Authentication Server drop-down list, select Swivel.
  4. Click Save.
    A new user appears in the User and Groups list.

Screen shot of the Mobile VPN with SSL Configure Authentication tab

  1. Click Save.

Download the SSL VPN Client

To download the SSL VPN client:

  1. Select VPN > Mobile VPN.
    The Mobile VPN page opens.

Screen shot of the Mobile VPN page

  1. To download the Mobile VPN with SSL client, in the SSL section, click Download Client.

Mobile VPN with SSL Client Authentication

After you download and install the Mobile VPN with SSL client on the computer, use the same two-stage authentication process to connect to the Firebox with the SSL VPN client.

To connect to the Firebox:

  1. Launch the Mobile VPN with SSL client.

Screenshot of the SSL VPN client login dialog box

  1. In the Server text box, type the FQDN or IP address of the Firebox external interface.
  2. In the User name text box, type the user name.
  3. In the Password text box, type the password.
  4. Click Connect.
    AuthControl Sentry sends an email that contains the one-time code to the user's email address.
  5. When prompted, type the one-time code from the email.

Test integration