VASCO IDENTIKEY Authentication Server® is an off-the-shelf centralized authentication server that supports the deployment, use, and administration of DIGIPASS strong user authentication.
This document describes how to integrate VASCO IDENTIKEY Authentication Server with a WatchGuard Firebox. You can use the combination of these two products to set up a more secure remote connection between the outside world and your company’s internal network.
Platform and Software
The hardware and software used to complete the steps outlined in this document include:
- Firebox or WatchGuard XTM device installed with Fireware v11.10.x
- VASCO IDENTIKEY Authentication Server version 3.9 installed on Windows Server 2012 R2.
VASCO IDENTIKEY Server supports integration into an existing environment with a RADIUS Server, Active Directory Server or LDAP Server. In this document, we use a RADIUS Server as an example. To demonstrate user authentication in this document, we use the WatchGuard Mobile VPN with SSL client.
To set up the VASCO IDENTIKEY Authentication Server, refer to the instructions in the VASCO IDENTIKEY Authentication Server Installation Guide. In this document, we describe how to configure the IDENTIKEY Authentication Server and Firebox to work together.
The figure below demonstrates the workflow described in this document.
- The user initiates an authentication request to the Firebox. The user password is the static password followed immediately by the One-Time Password (OTP) shown on the DIGIPASS, with no separator between them.
- The Firebox sends the authentication request to the IDENTIKEY Authentication Server.
- The IDENTIKEY Authentication Server verifies the static password and the OTP; if both are correct, it returns an Access-Accept to the Firebox, otherwise an Access-Reject.
- The Firebox grants access to the user.
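The four steps above are a standard RADIUS Access-Request / Access-Accept exchange. The following added example (not WatchGuard or VASCO code) models that exchange with the Python standard library, using the RFC 2865 PAP form of the User-Password attribute. It assumes a 6-digit OTP, a toy password check in place of VASCO's DIGIPASS verification, and constructed user data and shared secret; whether the Firebox uses PAP or another RADIUS method is not stated on this page.

```python
"""Added example (not WatchGuard or VASCO code): the four-step exchange above, modelled
as an RFC 2865 Access-Request / Access-Accept pair with a PAP User-Password."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_LENGTH = 6  # assumption: the DIGIPASS shows a 6-digit OTP, as in the page's example


def _pack_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; Length counts the 2-byte header."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def pap_encrypt(password, secret, req_auth):
    """RFC 2865 s5.2: XOR 16-byte chunks with MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(blob, secret, req_auth):
    if not blob or len(blob) % 16:
        raise ValueError("bad User-Password length")
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        block = blob[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Step 2: what the Firebox (the NAS) sends; password is static password + OTP, no separator."""
    req_auth = os.urandom(16)
    attrs = _pack_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


class ToyIdentikeyServer:
    """Step 3 stand-in (toy check, not VASCO's). users: user_id -> (static_password, current_otp or None)."""

    def __init__(self, secret, client_ips, users):
        self.secret, self.client_ips, self.users = secret, set(client_ips), users

    def handle(self, packet, src_ip):
        if src_ip not in self.client_ips or len(packet) < 20:
            return None  # RFC 2865: requests from unregistered clients (the "Location") are silently discarded
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            return None
        req_auth = packet[4:20]
        try:
            attrs = dict(_parse_attrs(packet[20:]))
            user = attrs[ATTR_USER_NAME].decode()
            pw = pap_decrypt(attrs[ATTR_USER_PASSWORD], self.secret, req_auth)
        except (KeyError, ValueError, UnicodeDecodeError):
            return self._reply(ACCESS_REJECT, ident, req_auth)
        return self._reply(ACCESS_ACCEPT if self._check(user, pw) else ACCESS_REJECT, ident, req_auth)

    def _check(self, user, pw):
        if user not in self.users:
            return False
        static_pw, otp = self.users[user]
        if otp is None:  # no DIGIPASS assigned: the static password alone is accepted (weaker fallback)
            return hmac.compare_digest(pw, static_pw.encode())
        if len(pw) <= OTP_LENGTH:
            return False
        return (hmac.compare_digest(pw[:-OTP_LENGTH], static_pw.encode())
                and hmac.compare_digest(pw[-OTP_LENGTH:], otp.encode()))

    def _reply(self, code, ident, req_auth, attrs=b""):
        """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
        header = struct.pack("!BBH", code, ident, 20 + len(attrs))
        return header + hashlib.md5(header + req_auth + attrs + self.secret).digest() + attrs


def verify_response(request, response, secret):
    """Step 4 precondition: the NAS must check the Response Authenticator before acting on the code."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    code, _, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def demo(typed_password="password123456", shared_secret=b"constructed-shared-secret"):
    """Run the exchange for user 'alice' (constructed data); returns the verified response code or None."""
    server = ToyIdentikeyServer(b"constructed-shared-secret", {"192.0.2.1"}, {"alice": ("password", "123456")})
    request = build_access_request(42, "alice", typed_password, shared_secret)
    response = server.handle(request, "192.0.2.1")
    return None if response is None else verify_response(request, response, shared_secret)
```

`demo()` returns Access-Accept for the correct static password and OTP, Access-Reject for a wrong OTP or a missing OTP, and `None` when the Firebox-side secret does not match the server's, because the Response Authenticator no longer verifies. Note what the shared secret is doing here: it is the only thing protecting the User-Password field on the wire, through an MD5-derived keystream, so a weak or guessable secret lets anyone who can capture the RADIUS traffic recover the static password (the OTP portion is single-use). That is why the shared secret should be long and random and the RADIUS path between the Firebox and the IDENTIKEY server should be on a trusted network segment.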
IDENTIKEY Authentication Server Configuration
Create a New Policy
In the Authentication Server > Policies menu you define the authentication behavior.
- Select Policies > Create.
- In the Policy ID text box, type a meaningful name for the policy.
- Click Create to create the new policy.
- Click Edit to edit the policy settings.
- From the Local Authentication drop-down list, select Digipass/Password.
- Click Save.
Define the Firebox as a Client
In the Clients configuration you specify the location from which IDENTIKEY Authentication Server will accept requests and the protocol it uses. To do this, you must add the Firebox as a RADIUS client.
- Select Clients > Register.
- To set the Client Type, click Select from list and select RADIUS Client.
- In the Location text box, type the IP address of the Firebox.
- From the Policy ID drop-down list, select the policy that you created in the Policies configuration.
- From the Protocol ID drop-down list, select RADIUS.
- In the Shared Secret and Confirm Shared Secret text boxes, type the shared secret.
This shared secret must match the passphrase you configure in the RADIUS server settings on the Firebox. The shared secret is what protects the RADIUS exchange between the Firebox and the IDENTIKEY Authentication Server, so use a long, random value rather than a memorable word.
- In the Character Encoding text box, type the encoding used if required, or keep it blank.
- Click Create to finish and create the RADIUS client.
Add Users to the IDENTIKEY Authentication Server
For a user to use IDENTIKEY for authentication, the user must be added on the IDENTIKEY Authentication Server.
- Select Users > Create.
- In the User ID text box, type a user name to add.
- In the Enter static password and Confirm static password text boxes, type the static password for this user.
The user can authenticate with the static password alone if no DIGIPASS is assigned to the user. If a DIGIPASS is assigned, the user's password is the static password followed by the One-Time Password generated on the assigned DIGIPASS. Because a user without an assigned DIGIPASS is accepted on the static password alone, assign a DIGIPASS to each user before that user is given VPN access.
Assign a DIGIPASS to Users
The purpose of an IDENTIKEY Authentication Server is to enable users to log in with a One-Time Password (OTP). The DIGIPASS is a device that generates OTPs for the user.
To enable a user to use an OTP as part of the password, you must assign a DIGIPASS to the user.
- Click a user name to edit the user.
- Select the Assigned DIGIPASS tab.
- Click Assign.
- Select the DIGIPASS that was imported before from the DPX file given by VASCO.
The selected DIGIPASS is assigned to the user.
This configuration procedure uses Fireware Web UI. You can also use Policy Manager to complete these steps.
Configure the RADIUS Server on your Firebox
To authenticate with IDENTIKEY Authentication Server, you must enable the RADIUS server and configure the settings on the Firebox.
- Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
- Select Authentication > Servers > RADIUS.
- Select the Enable RADIUS Server check box.
- In the IP Address text box, type the IP address of the IDENTIKEY Authentication Server.
- In the Port text box, type the port used in IDENTIKEY Authentication Server for RADIUS authentication. The default port is 1812.
- In the Passphrase and Confirm text boxes, type the shared secret you configured for the RADIUS client on the IDENTIKEY Authentication Server.
- Click Save.
On the Firebox, add the user that will authenticate through the RADIUS server.
- Select Authentication > Users and Groups.
- Click Add.
- For Type, select User.
- In the Name text box, type the same user name you created on the IDENTIKEY Authentication Server.
- From the Authentication Server drop-down list, select RADIUS.
- Click OK.
The user is added to the Users and Groups list on the Firebox.
- Click Save.
Configure RADIUS Authentication for Mobile VPN with SSL
To use RADIUS authentication for user connections with the Mobile VPN with SSL client, enable Mobile VPN with SSL and configure it to use RADIUS for authentication.
- Select VPN > Mobile VPN with SSL.
- Select the Activate Mobile VPN with SSL check box.
- In the Primary text box, type the IP address that the Mobile VPN with SSL clients will connect to.
This is an IP address of the Firebox.
- Select the Authentication tab.
- Select the check box next to RADIUS (Default) to use the RADIUS authentication server.
- Click Save.
Test the Integration
To test the integration, we use Mobile VPN with SSL to test user authentication.
Download the Mobile VPN with SSL Client Software from the Firebox
- In a web browser, go to the SSL VPN web portal. The IP address is: https://<IP of Firebox>:4100/sslvpn.html.
- In the Username text box, type the user name of a user defined on the IDENTIKEY Authentication Server.
- In the Password text box, type the static password for the user and the OTP shown on the screen of the DIGIPASS assigned to the user (do not add a space in between the password and the OTP). For example, if the static password is “password” and the OTP at the time is “123456”, the user must type password123456.
- If necessary, from the Domain drop-down list, select RADIUS.
- Click Login.
After successful authentication, the download page appears.
- Download and install the VPN client for your operating system.
Mobile VPN with SSL Client Authentication
After the user downloads and installs the VPN client, the user connects with the same user name and password combination used to log in to the SSL VPN web portal.
- Launch the Mobile VPN with SSL client.
- In the Server text box, type the Firebox IP address configured in the Mobile VPN settings on the Firebox.
- In the User name text box, type the user name configured on the IDENTIKEY Authentication server.
- In the Password text box, type the password. Remember to append the OTP shown on the screen of the DIGIPASS to the end of static password. Do not add a space between the static password and the OTP.
- Click Connect.
The Mobile VPN with SSL client shows the status Connected.