
Swivel Secure AuthControl Sentry Integration Guide

Integration Overview

The Swivel Secure AuthControl Sentry is RADIUS compatible and can be used as a RADIUS server. This document describes the steps necessary to integrate the WatchGuard Mobile VPN with SSL client software download process and Mobile VPN with SSL client authentication with Swivel Secure's AuthControl Sentry two-factor authentication solution.

Swivel Secure AuthControl Sentry supports several user authentication methods. This integration uses email.

Two-factor authentication workflow diagram

This diagram shows the workflow for two-factor authentication through integration with Swivel AuthControl Sentry:

  1. A user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to AuthControl Sentry.
  3. AuthControl Sentry checks the password. If it is correct, it responds with a RADIUS challenge (one-time code) to the Firebox.
  4. The user is prompted with a second dialog box.
  5. If the user types a correct passphrase and AuthControl Sentry is set to Dual Challenge On Demand, AuthControl Sentry sends a dual channel security string message as a one-time code to the user in a specified format (SMS text message, Turing image, mobile phone client application, or email).
  6. The user submits their one-time code in the second dialog box and sends a second authentication request to the Firebox.
  7. AuthControl Sentry authenticates the user based on the password submitted in the first authentication request and the one-time code submitted in the second authentication request.
  8. The Firebox receives the authentication results from AuthControl Sentry.
  9. The Firebox grants the user access.
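The RADIUS exchange behind the workflow above, as an added example that is not part of this guide and is not WatchGuard or Swivel code: a mock NAS standing in for the Firebox and a mock RADIUS server standing in for AuthControl Sentry (with Two Stage Auth on) exchange RFC 2865 packets in memory. Stage 1 carries the static password and is answered with an Access-Challenge that includes a State attribute; stage 2 echoes that State and carries the one-time code in the User-Password field. The user name, password, shared secret and four-digit code are constructed, and email delivery is simulated by an in-memory outbox.

```python
# Constructed example: mock NAS (Firebox role) and mock RADIUS server (Sentry role)
# exchanging RFC 2865 packets in memory. Not WatchGuard or Swivel code.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs; the length byte counts its own 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2:
            break  # malformed attribute: stop instead of looping forever
        attrs[t], i = data[i + 2:i + ln], i + ln
    return attrs

def user_password(data, secret, authenticator, hide=True):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous cipher block).
    hide=True pads the cleartext with NULs and hides it; hide=False reveals and strips the padding."""
    if hide:
        data = data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else data[i:i + 16]
    return out if hide else out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def reply_authenticator(pkt, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over a reply packet."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

class MockSentry:
    """RADIUS server with Two Stage Auth on; the one-time code is 'emailed' into self.outbox."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users  # users: {username: password}
        self.pending, self.outbox = {}, {}       # State -> (user, code), single use; user -> code

    def reply(self, code, ident, req_auth, attrs=()):
        pkt = build_packet(code, ident, bytes(16), list(attrs))
        return pkt[:4] + reply_authenticator(pkt, req_auth, self.secret) + pkt[20:]

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return self.reply(ACCESS_REJECT, ident, req_auth)
        user = attrs[USER_NAME].decode(errors="replace")
        submitted = user_password(attrs[USER_PASSWORD], self.secret, req_auth, hide=False)
        if STATE not in attrs:  # stage 1: static password, then challenge for the code
            if not hmac.compare_digest(self.users.get(user, "").encode(), submitted):
                return self.reply(ACCESS_REJECT, ident, req_auth)
            otc, state = f"{secrets.randbelow(10000):04d}", secrets.token_bytes(16)
            self.pending[state], self.outbox[user] = (user, otc), otc
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter One Time Code"), (STATE, state)])
        expected = self.pending.pop(attrs[STATE], None)  # stage 2: User-Password carries the code
        if expected and expected[0] == user and hmac.compare_digest(expected[1].encode(), submitted):
            return self.reply(ACCESS_ACCEPT, ident, req_auth)
        return self.reply(ACCESS_REJECT, ident, req_auth)

def nas_request(server, secret, ident, username, credential, state=None):
    """One NAS round trip: fresh Request Authenticator, hidden credential, State echoed if given."""
    req_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, user_password(credential.encode(), secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    resp = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))  # in-memory "send"
    if not hmac.compare_digest(reply_authenticator(resp, req_auth, secret), resp[4:20]):
        raise ValueError("reply authenticator mismatch: wrong shared secret or forged reply")
    code, _, _, rattrs = parse_packet(resp)
    return code, rattrs

def login(server, secret, username, password, fetch_code):
    """Full flow: stage 1 yields Access-Challenge, stage 2 sends the emailed code with State."""
    code, attrs = nas_request(server, secret, 1, username, password)
    if code != ACCESS_CHALLENGE:
        return code
    return nas_request(server, secret, 2, username, fetch_code(username), attrs[STATE])[0]
```

Two points this makes visible: the State value is what ties the second Access-Request to the challenge, so the NAS must echo it unchanged and the server treats it as single use; and every reply is checked against the shared secret, so a mismatch between the Secret configured on the Sentry NAS entry and the Passphrase on the Firebox shows up as an authenticator failure rather than as a clean reject.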

Test topology

Test topology diagram

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox M400 installed with Fireware v12.2.1
  • Swivel Secure AuthControl Sentry v4.0.4.5093

Configuration

To complete this integration, you must have:

  • Swivel Secure AuthControl Sentry
  • WatchGuard Firebox

Configure Swivel Secure AuthControl Sentry

  1. Log in to the Swivel Secure AuthControl Sentry web UI at https://X.X.X.X:8080/sentry.
  2. From the left side bar, select RADIUS > Server.

Screen shot of the configured RADIUS Server settings

  3. From the Server enabled drop-down list, select Yes.
  4. From the left side bar, select RADIUS > NAS.
  5. Click New Entry.

Screen shot of the configured NAS settings

  6. In the Identifier text box, type a name for the NAS.
  7. In the Hostname/IP text box, type the trusted interface IP address of your Firebox.
  8. In the Secret text box, type the shared secret to use for communication between the Firebox and RADIUS NAS.
  9. From the Vendor (Groups) drop-down list, select Watchguard.
  10. From the Two Stage Auth drop-down list, select Yes.
  11. Click Apply.
  12. From the left side bar, select Server > Dual Channel.

Screen shot of the configured Dual Channel settings

  13. From the On-demand authentication drop-down list, select Yes.
  14. Click Apply.
  15. From the left side bar, select Messaging > General.

Screen shot of the configured Messaging > General settings

  16. Expand the SMTP settings.
  17. From the Destination attribute drop-down list, select email.
  18. From the Strings Repository Group drop-down list, select SwivelSMTP.
  19. From the Alert repository group drop-down list, select SwivelSMTP.
  20. Click Apply.
  21. From the left side bar, select Messaging > SMTP.

Screen shot of the Messaging > SMTP settings

  22. In the From email address text box, type the email address that is used to send the email message.
  23. Click Apply.
  24. From the left side bar, select Server > SMTP.
    The SMTP Server settings appear.

Screen shot of the Server > SMTP settings

  25. In the Hostname/IP text box, type the address of the SMTP server.
    This SMTP server is the server that receives the email with the one-time authentication code.
  26. From the Authentication enabled drop-down list, select Yes.
  27. In the Username text box, type the username for the SMTP server.
  28. In the Password text box, type the password for the SMTP server.
  29. Click Apply.
  30. From the left side bar, select User Administration.
  31. Click Add user.
    The user settings appear.

Screen shot of the user settings

  32. In the Username text box, type a name for the authentication user.
  33. In the Email address text box, type the email address for user authentication. This is the address that receives the email with the one-time code when the user authenticates.
  34. In the PIN text box, type a PIN for this user.
  35. In the Password text box, type a password for this user.
  36. Under Server groups, select SwivelSMTP.
  37. Under Server groups, select SwivelSMS.
  38. Click Apply.
    Dual authentication is enabled.

Screen shot of Dual authentication enabled

You might wonder why it is necessary to select SwivelSMS here. For Swivel to send an email message with a one-time code, you must enable Dual authentication. To enable dual authentication, you must select SwivelSMTP and a second authentication method, in this case SwivelSMS.

Configure a RADIUS Authentication Server on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From left side bar, select Authentication > Servers > RADIUS.
    The RADIUS server settings appear.

  Screen shot of the RADIUS server settings

  3. Select the Enable RADIUS Server check box.
  4. In the IP Address text box, type the IP address of the Swivel Secure AuthControl Sentry.
  5. In the Port text box, specify port 1812.
  6. In the Passphrase and Confirm text boxes, type the passphrase.
  7. Keep other settings at the default values.
  8. Click Save.

Configure a User Group on the Firebox

Note: When Mobile VPN with SSL is activated, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created and added to your configuration to allow SSL VPN connections from the Internet to the external interface. It is possible to use the default SSLVPN-Users group or create new groups or users that match the user group names defined on the authentication server.

To add a new user for RADIUS authentication:

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the left side bar, select Authentication > Users and Groups.
  3. Click Add.
    The Add User or Group page appears.

Screen shot of the Add User or Group page

  4. On the Add User or Group page, select User.
  5. Type a user Name and Description.
  6. From the Authentication Server drop-down list, select RADIUS.
  7. Click OK.
    The user is added to the Users and Groups page.

  Screen shot of the Users and Groups page with the user added

  8. Click Save.

Configure Mobile VPN with SSL on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select VPN > Mobile VPN with SSL.
  3. If Mobile VPN with SSL is not already enabled, select the Activate Mobile VPN with SSL check box.

  Screen shot of the Mobile VPN with SSL General tab

  4. In the Primary text box, type the IP address or domain name to which the mobile clients connect.
  5. Configure the network settings and add the IP address pool, if required.
  6. Select the Authentication tab.
  7. From the drop-down list of servers below the Authentication Server list, select the RADIUS server.
  8. Click Add.
    The RADIUS server is added to the Authentication Server list.

Screen shot of the Mobile VPN with SSL Authentication Server settings

  9. If the RADIUS server is not at the top of the Authentication Server list, select it, and click Move Up.
  10. In the Define users and groups to authenticate with Mobile VPN with SSL section, click Add.
    The Add User or Group dialog box appears.

Screen shot of the Add User or Group dialog box

  11. In the Add User or Group dialog box, select User.
  12. In the Name text box, type the user name.
  13. From the Authentication Server drop-down list, select RADIUS.
  14. Click OK.
    The user is added to the Authentication page.

  Screen shot of the Mobile VPN with SSL Authentication tab with the user added

We recommend that you enable the Force users to authenticate after a connection is lost option, but it is not required.

  15. Click Save.

Mobile VPN with SSL Client Software Download

  1. From the web browser of a client computer, open the Mobile VPN with SSL client software download page on the WatchGuard Firebox. The URL for this page follows this pattern:
    https://<device interface IP address>/sslvpn.html
    The initial authentication page looks like this:

  Screen shot of the authentication page on the Firebox

  2. Specify your Username, Password, and the RADIUS server.
  3. Click Login.
    You receive an email that contains a one-time code. The email includes content similar to this:
    Sentry One Time Code Message
    3105
  4. When prompted, enter the One-Time Code.

Screen shot of the One-Time Code prompt

  5. Click Apply.
    After successful authentication, the user sees items available to download.

  Screen shot of the Items available to download page

From this page you can download the Mobile VPN with SSL client software that matches your computer operating system.

Mobile VPN with SSL Client Authentication

After you download and install the Mobile VPN with SSL client on your computer, you can use the same authentication process to connect to the Firebox with the SSL VPN client.

The authentication screen for the Mobile VPN with SSL client looks like this:

  1. Launch the Mobile VPN with SSL client.

Screen shot of the Mobile VPN with SSL authentication dialog box

  2. Specify the Server, User name, and Password.
  3. Click Connect.
    An email is sent that contains the One-Time Code.
  4. When prompted, enter the One-Time Code from the email.

Screen shot of the One-Time Code prompt
