SecureW2 and Wi-Fi Cloud Integration Guide

Deployment Overview

This guide demonstrates how to integrate a WatchGuard Wi-Fi Cloud Captive Portal with SecureW2 so that users authenticate once through the onboarding portal, receive a client certificate for WPA2 Enterprise EAP-TLS Wi-Fi access, and also receive the HTTPS proxy certificate used for HTTPS content inspection on a WatchGuard Firebox. With WPA2 Enterprise EAP-TLS, the client authenticates with a certificate and private key rather than a password, and each client certificate is unique to that device, so there is no shared or reusable Wi-Fi credential to leak.

Integration Summary

These tools are used to secure wireless communication and HTTPS Proxy traffic:

  • SecureW2:
    • SecureW2 JoinNow MultiOS Management Portal
  • WatchGuard:
    • WatchGuard AP420
    • WatchGuard Wi-Fi Cloud Account
    • WatchGuard Firebox
  • Microsoft Windows Server 2016
    • Active Directory
    • Certificate Services

Test Topology

The SecureW2 JoinNow MultiOS Management Portal issues certificates to end-user devices through the onboarding (captive portal) SSID and acts as the RADIUS server for the EAP-TLS SSID served by the WatchGuard AP420; its policies decide which users are enrolled and which certificates they receive.



Diagram of network flow for AP and SecureW2 authentication


SecureW2 Network Profile, Redirect URL, and RADIUS

Use the Device Onboarding section in the SecureW2 console to acquire the RADIUS information and portal redirect URL.

  1. Open the SecureW2 JoinNow MultiOS Management Portal and select Device Onboarding > Getting started.
  2. In the Quickstart Network Profile Generator section, from the Profile Type drop-down list, select Wireless.
  3. In the SSID text box, type the SSID of the network to be secured with EAP-TLS.
  4. From the Security Type drop-down list, select WPA2-Enterprise.
  5. From the EAP Method drop-down list, select EAP-TLS.
  6. From the Policy drop-down list, select Default.
  7. Click Create. The Network Profiles page appears.
  8. In the Functions column, click View, and copy the URL. This is the Redirect Portal URL (splash page URL) that you will deploy in WatchGuard Wi-Fi Cloud.

Screen shot of the SecureW2 Network Profile page

  9. Return to the SecureW2 JoinNow MultiOS Management Portal and select AAA Management > AAA configuration.
  10. Note the RADIUS Port, Primary and Secondary IP Address, and the Shared Secret. You will enter these in the Wi-Fi Cloud RADIUS profiles.

Screen shot of the SecureW2 Add RADIUS Profile settings

WatchGuard Wi-Fi Cloud Basic Configuration

For detailed information on WatchGuard Wi-Fi Cloud AP deployment, see the Getting Started Guide.

These instructions use Manage for the Wi-Fi Cloud configuration. You can now also perform these configuration steps with the Discover application. For more information, see About Discover.

Configure WatchGuard Wi-Fi Cloud with the SecureW2 RADIUS Information for EAP-TLS

  1. Log in to your WatchGuard account.
  2. Select My WatchGuard > Managed Wi-Fi Cloud > Manage.
  3. Select Configuration > Device Configuration > RADIUS Profiles.
  4. On the RADIUS Profiles tab, click Add RADIUS Profile.
  5. In the Profile Name text box, type a friendly description for the profile.
  6. In the IP Address text box, type the Primary IP address of the RADIUS server from SecureW2. The access points must be able to reach this address outbound; the default Outgoing policy on the Firebox already allows this.
  7. In the Authentication Port text box, type the port number listed for the RADIUS server from SecureW2. The same outbound access applies to this port.
  8. Leave the Accounting Port, in the default setting.
  9. In the Shared secret text box, type the shared secret from the SecureW2 RADIUS server.
  10. Click Save.

Screen shot of the SecureW2 Add RADIUS Profile page

  11. Repeat these steps for the Secondary SecureW2 RADIUS server IP address, so that authentication continues if the primary server is unreachable.

Configure WatchGuard Wi-Fi Cloud with the SSID Profile for EAP-TLS

  1. In WatchGuard Wi-Fi Cloud, open Manage.
  2. Select Configuration > Device Configuration > SSID Profiles.
  3. Select Add New Wi-Fi Profile.
  4. Type the Profile Name and SSID name for secure EAP-TLS client connections.
  5. Expand the Security section, from the Security Mode drop-down list select WPA2, and select 802.1X.
  6. From the RADIUS Authentication drop-down list, select the two RADIUS profiles you configured.

Screen shot of WatchGuard Wi-Fi Cloud EAP-TLS SSID page

  7. Expand the Network section and set the VLAN ID to 30. You will use this VLAN ID in your firewall configuration.

Screen shot of WatchGuard Wi-Fi Cloud EAP-TLS VLAN assignment

  8. Click Save.

Configure WatchGuard Wi-Fi Cloud with the SSID Profile for Splash Page Redirection

  1. In WatchGuard Wi-Fi Cloud, open Manage.
  2. Select Configuration > Device Configuration > SSID Profiles.
  3. Select Add New Wi-Fi Profile.
  4. Type the Profile Name and SSID name for client connections.
  5. Expand the Security section and verify the Security Mode is set to Open.
  6. Expand the Network section and set the VLAN ID to 20. This VLAN ID is used in your firewall configuration.
  7. Expand the Captive Portal section and select Enable Captive Portal.
  8. Select External Splash Page for Sign-in/Click-through.
  9. In the Splash Page URL text box, type the View URL from the SecureW2 configuration.

Screen shot of the Wi-Fi Cloud Captive Portal settings

  10. To configure the Walled Garden Sites, click Add and add these four SecureW2 hostnames, which the client must reach before it is authenticated:
    • cloud.securew2.com
    • service.securew2.com
    • pki-services.securew2.com
    • auth.securew2.com
  11. Click OK when finished.

Screen shot of the Wi-Fi Cloud Portal exceptions

  12. Add other Walled Garden Sites as required by your client operating systems, to provide access to their respective app store (and to their captive-portal detection hosts, such as captive.apple.com) and to avoid certificate-related errors during onboarding. Everything in the walled garden is reachable by unauthenticated clients on the On-Boarding VLAN, so keep the list to what onboarding needs; the larger address blocks below (for example the /12 listed for Kindle) open a wide range of third-party hosts.

  Walled Garden Sites by operating system:

  Mac:
    • *.akamaiedge.net
    • *.akamaitechnologies.com
    • *.apple.com
    • *.apple.com.edgekey.net
    • apple.com
    • captive.apple.com
    • gsp1.apple.com
    • airport.us
    • appleiphonecell.com
    • ibook.info
    • itools.info
    • thinkdifferent.us
    • apple.com/library/test/success.html
  Windows:
    • urs.microsoft.com
    • urs.smartscreen.microsoft.com
  Android:
    • *.play.google.com
    • *.store.google.com
    • android.clients.google.com
    • lh3.googleusercontent.com
    • lh6.ggpht.com
    • lh5.ggpht.com
    • lh4.ggpht.com
    • lh6.googleusercontent.com
    • lh3.ggpht.com
    • googleapis.com
    • google-analytics.com
    • cache.google.com
    • 172.217.0.0/16
    • 216.58.192.0/19
    • 74.125.0.0/16
  Kindle:
    • 54.224.0.0/12
    • 72.21.192.0/19
    • 176.32.96.0 - 176.32.103.255
    • 207.171.160.0/19

  13. Expand Captive Portal and, on the right, in the Redirect URL text box, type the URL to which users are sent after they complete the portal.

Screen shot of the Wi-Fi Cloud Captive Portal Redirect URL settings

  14. Click Save.
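Walled Garden entries are reachable by every unauthenticated client on the On-Boarding SSID, so it is worth checking what a list actually permits before you publish it. The following Python script is an added example written for this guide, not a WatchGuard or SecureW2 tool. It parses entries in the notation used in the table above (exact hostnames, "*." wildcards, CIDR blocks and "start - end" ranges), answers whether a given destination would be reachable, and flags entries that open a large address range. The sample list, and the assumption that "*.example.com" does not cover the bare "example.com" (consistent with the table listing both *.apple.com and apple.com), are this script's own and not a statement of how Wi-Fi Cloud evaluates the list.

```python
"""Offline checker for a captive-portal walled-garden allowlist.

Added example; it is not part of the integration guide or of any WatchGuard
or SecureW2 tool.  Entries use the notation of the Walled Garden Sites table:
exact hostnames, "*."-prefixed wildcards, CIDR blocks and dotted
"start - end" IP ranges.  The wildcard and path semantics implemented here
are this script's assumptions.
"""
import ipaddress

# Constructed sample list: the four SecureW2 hosts plus a few of the per-OS
# entries from the table above.
WALLED_GARDEN = [
    "cloud.securew2.com",
    "service.securew2.com",
    "pki-services.securew2.com",
    "auth.securew2.com",
    "*.apple.com",
    "apple.com",
    "captive.apple.com",
    "apple.com/library/test/success.html",
    "*.play.google.com",
    "172.217.0.0/16",
    "216.58.192.0/19",
    "176.32.96.0 - 176.32.103.255",
    "54.224.0.0/12",
]


def parse_entry(entry):
    """Classify one allowlist entry as ('range'|'net'|'wildcard'|'host', value)."""
    e = entry.strip().lower()
    if "-" in e:                       # "start - end" range; hostnames may also contain '-'
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
            return ("range", (lo, hi))
        except ValueError:
            pass
    try:                               # CIDR block or a single IP literal
        return ("net", ipaddress.ip_network(e, strict=False))
    except ValueError:
        pass
    host = e.split("/", 1)[0].rstrip(".")   # only the host part of a URL-style entry is matched
    if host.startswith("*."):
        return ("wildcard", host[2:])  # any subdomain, but not the bare domain itself
    return ("host", host)


def matches(dest, parsed):
    """True if the destination (hostname or IP literal) is covered by one parsed entry."""
    kind, value = parsed
    d = dest.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(d)
    except ValueError:
        ip = None
    if kind == "net":
        return ip is not None and ip in value
    if kind == "range":
        lo, hi = value
        return ip is not None and ip.version == lo.version and lo <= ip <= hi
    if ip is not None:                 # hostname rules never cover a raw IP destination
        return False
    if kind == "wildcard":
        return d.endswith("." + value)
    return d == value


def is_allowed(dest, allowlist=WALLED_GARDEN):
    """Would an unauthenticated client on the On-Boarding SSID reach dest?"""
    return any(matches(dest, parse_entry(e)) for e in allowlist)


def address_count(parsed):
    """Number of IP addresses an entry opens (hostname entries count as 1)."""
    kind, value = parsed
    if kind == "net":
        return value.num_addresses
    if kind == "range":
        return int(value[1]) - int(value[0]) + 1
    return 1


def broad_entries(allowlist=WALLED_GARDEN, threshold=65536):
    """Entries that expose more than `threshold` addresses before authentication."""
    return [e for e in allowlist if address_count(parse_entry(e)) > threshold]


if __name__ == "__main__":
    for dest in ("auth.securew2.com", "www.apple.com", "play.google.com",
                 "176.32.100.7", "176.32.104.1", "8.8.8.8"):
        print(f"{dest:24} allowed={is_allowed(dest)}")
    print("broad entries:", broad_entries())
```

Run as a script it prints a verdict for a few destinations and the over-broad entries. Note that under these semantics play.google.com itself is not matched by *.play.google.com; if the product treats wildcards the same way, the bare name must be listed as well, as the table does for apple.com.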

Configure the WatchGuard Firebox for SecureW2 Access to Active Directory

SecureW2 connects to your Active Directory from its public IP address 52.41.166.6, using TCP port 636 (LDAP over TLS). The policy below exposes the domain controller only to that source address and only on that port, through a static NAT on the Firebox. Active Directory and Certificate Services are required on Windows Server 2016.

  1. Log in to your WatchGuard Firebox.
  2. From Fireware Web UI, select Firewall > SNAT > Add.
  3. Type a Name and Description for the SNAT.
  4. Under SNAT Members, click Add.
  5. From the External/Optional IP Address drop-down list, select Any-External, External, or an IP address that is public facing.
  6. Set the Internal IP Address to the private address of the Active Directory server.
  7. Click OK and Save.

Screen shot of the Firewall SNAT Add Member dialog box

  8. Select Firewall > Firewall Policies > Add Policy.
  9. Select Custom. Click Add.

Screen shot of the Firewall Add Firewall Policy dialog box

  10. Type a Name and Description, and add TCP port 636 as the only port in the template.

Screen shot of the Add Policy Template dialog box

  11. Click Save.
  12. You are redirected to the Select a policy type page with your new custom policy selected in the drop-down list. Click Add Policy to continue with the policy creation.
  13. In the From field, remove Any-Trusted. Click Add.
  14. From the Member type drop-down list, select Host IPv4.
  15. Type the SecureW2 public IP address of 52.41.166.6. Click OK.
  16. In the To field, remove Any-External. Click Add.
  17. From the Member type drop-down list, select Static NAT.
  18. Select the SNAT you created in an earlier step. Click OK.

Screen shot of the Active Directory policy configuration page

  19. Confirm that the policy allows only 52.41.166.6 as the source and only the SNAT on TCP 636 as the destination. Click Save.

Configure the WatchGuard Firebox with the Access Point VLANs

  1. Log in to your WatchGuard Firebox.
  2. From Fireware Web UI, select Network > Interfaces.
  3. Select the interface, click Edit.
  4. Type an Interface Name (Alias) and Interface Description.
  5. From the Interface Type drop-down list, select VLAN.

Screen shot of the WatchGuard Firewall VLAN interface assignment

  6. Click Save.
  7. Select Network > VLAN.
  8. Click Add.
  9. Type a Name, Description, VLAN ID of 10, Security Zone, and an IP Address for the interface. This is the AP management VLAN.

Screen shot of WatchGuard Firewall AP Management VLAN page

  10. Select the desired VLAN interface and from the Select Traffic drop-down list, select Untagged Traffic.

This configuration employs a direct connection to the firewall for the access point. Untagged VLAN management for the access point can also be deployed on a switch.

  11. Click Save.
  12. Select Network > VLAN.
  13. Click Add.
  14. Use VLAN ID 20 and type the configuration for the On-Boarding VLAN.
  15. Set the VLAN tagging to Tagged Traffic.

Screen shot of WatchGuard firewall tagged VLAN settings

  16. Click Save.
  17. Repeat the procedure for tagged traffic on the EAP-TLS VLAN (VLAN ID 30, as set in the EAP-TLS SSID profile).
  18. The final VLAN configuration should appear as shown here:

Screen shot of WatchGuard Firewall VLANs configuration

Configure the WatchGuard Firebox Policies for Access Point VLANs

  1. Log in to your WatchGuard Firebox.
  2. From Fireware Web UI, select Firewall > Firewall Policies.
  3. Click Add Policy.
  4. Select Packet Filter and, from the drop-down list, select Any.

Screen shot of the WatchGuard Firewall Add Policy page

  5. Click Add Policy.
  6. In the From field, remove the Any-Trusted alias.
  7. In the From field, click Add.

Screen shot of the WatchGuard policy add member page

  8. Select the AP Management VLAN. Click OK.
  9. Repeat the steps to add the On-Boarding VLAN.
  10. Change the Name of the policy. Click Save.
  11. Select Firewall > Firewall Policies. Click Add Policy.
  12. Select Proxies. From the drop-down list, select HTTPS-Proxy.
  13. From the -- Select a Proxy action -- drop-down list, select HTTPS-Client Standard.

Screen shot of WatchGuard Firewall HTTPS Proxy page

  14. Click Add Policy.
  15. Type a new Name for the HTTPS-Proxy policy.
  16. In the From field, remove the Any-Trusted alias.
  17. In the From field, click Add.
  18. In the Add Member page, from the Member type drop-down list, select Alias.
  19. From the list, select the interface alias of the VLAN whose clients are to be inspected (the EAP-TLS VLAN, since only clients that have completed enrollment hold the Proxy Authority certificate). Click OK.

Screen shot of the WatchGuard firewall Add Alias Member page

  20. Select the Proxy Action tab.

Screen shot of the WatchGuard Firewall HTTPS policy proxy action tab

  21. From the Proxy Action drop-down list, select Clone the current proxy action.
  22. In the Content Inspection Summary, click Edit.
  23. Select Enable Content Inspection.

Screen shot of the WatchGuard Firewall Content Inspection Settings

  24. Click OK.
  25. Click Save to save the policy.

Retrieve the HTTPS-Proxy Certificate from the WatchGuard Firebox

For more detailed information about content inspection for the HTTPS Proxy, see HTTPS-Proxy: Content Inspection.

  1. Log in to your WatchGuard Firebox.
  2. From Fireware Web UI, select System > Certificates.
  3. Highlight the Proxy Authority certificate from the list. Click Export.

Screen shot of Fireware Certificates page

  4. Browse to the location where you want to save the certificate. Click Save.

Retrieve the Certificate for Active Directory Communication

  1. From Windows 2016 Server, open the Certificate Authority application. Or, right-click Start > Run. Type certsrv.msc in the dialog box. Click OK.
  2. Right-click the domain in the Certificate Authority (Local) section and select Properties.

Screen shot of Microsoft Server 2016 Certificate Authority

  3. Click View Certificate.
  4. Select the Details tab.
  5. Click Copy to File...

Screen shot of Certificate Authority copy certificate page

  6. The Certificate Export Wizard appears. Click Next.

Screen shot of Certificate Export Wizard

  7. Select DER encoded binary X.509 (.CER). Click Next.

Screen shot of Certificate Export Wizard

  8. Provide a File name, browse to a location, and click Save.
  9. Click Next.

Screen shot of Certificate Export Wizard

  10. Click Finish. The .CER file contains only the CA certificate, not the CA private key; it is what SecureW2 uses to validate the domain controller's LDAPS certificate.

Screen shot of Certificate Export Wizard

Create a Wi-Fi Authentication Group in Active Directory

Create a Security Group in Active Directory for Wi-Fi users. SecureW2 reads group membership through the memberOf attribute, so the group can be used as a condition in SecureW2 Authentication Policies, User Role Policies, and Enrollment Policies.

  1. From Windows Server 2016, open Server Manager.
  2. Select Tools > Active Directory Users and Computers.
  3. Right-click the domain and select New > Group.
  4. In the Group name text box, type the name of the security group for Wi-Fi users.
  5. In the Group name (pre-Windows 2000) text box, type the same name if it is not already pre-populated.
  6. In the Group scope section, select Global.
  7. In the Group type section, select Security.

Screen shot of the Active Directory new group creation

  8. Click OK.
  9. Double-click the name of the new security group.
  10. Select the Members tab.
  11. Click Add.
  12. Type the full name of each user. Click Check Names to verify and click OK to submit.

Screen shot of the Active Directory user adding to a security group

  13. Click OK.

Configure SecureW2 for Active Directory Queries

Communication to Active Directory uses LDAP over TLS on port 636, through the restrictive policy created on the WatchGuard Firebox. SecureW2 validates the domain controller's certificate against the CA certificate you exported from Certificate Services, so a server presenting a certificate from any other CA is rejected.

  1. From the SecureW2 Management Portal, select Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. Type a Name and Description.
  4. From the Type drop-down list, select LDAP.
  5. Click Save.

Screen shot of SecureW2 portal Management Portal Identity Management

  6. In the Subject Name Attribute text box, type the attribute that users log in with:
    • sAMAccountName if users sign in with a simple user name.
    • userPrincipalName if users sign in with the user@domain (UPN) format.
  7. In the Group Map Attribute text box, type memberOf.

Screen shot of the SecureW2 Identity Provider all tabs

  8. Select the Connections tab.
  9. Click Add Connection.
  10. Type the connection information for your Active Directory connection.
  11. In the Name text box, type the name of the IDP connection.
  12. In the Description text box, describe the IDP connection.
  13. In the Hostname text box, type the DNS name that resolves publicly to the Firebox external IP address used in the SNAT. This name must also appear in the subject or Subject Alternative Name of the certificate the domain controller presents on port 636; that certificate is issued by the CA whose certificate you exported.
  14. In the Port text box, type 636 and select the Use TLS/SSL check box (selecting it changes the value to 636). Do not use port 389: the Firebox policy created earlier permits only TCP 636, and an unencrypted LDAP bind across the internet would expose the Admin DN password.
  15. To add a Certificate, click Choose File and upload the CA certificate exported from Certificate Services (the self-signed root CA certificate). SecureW2 uses it to validate the domain controller's LDAPS certificate.
  16. Select Anonymous/Admin to specify whether the connection binds anonymously or as an account. For the anonymous connection, no information is retrieved from Active Directory while testing the connection.
  17. If you selected Admin, type the Admin DN in distinguished name format. For example: CN=Administrator, CN=users, DC=example, DC=com. A dedicated read-only service account is preferable to a Domain Admin account; SecureW2 only needs to read user objects and their memberOf attribute.
  18. In the Admin Password text box, type the password of that account. This is enabled only if you selected the Admin connection type.
  19. To retrieve and select a Subject Base DN from Active Directory, click Naming Context.
  20. To retrieve and select a Group Base DN from Active Directory, click Naming Context.
  21. Set the Server Timeout, in seconds, after which the Active Directory query times out.

Screen shot for the SecureW2 Create IDP Connection to Active Directory

  22. To confirm the Active Directory settings, click Test Connection.

Screen shot of the SecureW2 Active Directory connection test complete

  23. Click OK. Click Update to return to the Identity Provider settings.

Configure the SecureW2 Network Profile for the HTTPS Proxy Decryption Certificate

  1. From the SecureW2 JoinNow MultiOS Management Portal, select Device Onboarding > Network Profiles.
  2. Click Edit for the new profile. The certificate already listed is the one clients use to authenticate to the EAP-TLS SSID.

Screen shot of the SecureW2 Network Profile Edit for certificates

  3. Click Add/Remove Certificate.

Screen shot for SecureW2 certificate addition

  4. Click Choose File and browse to the location of the HTTPS Proxy Authority certificate exported from the Firebox.
  5. Select the certificate file. Click Open.
  6. Clear any check marks present in the Install column.
  7. Click Upload. Click OK to confirm.
  8. Click Cancel. Re-open the Add/Remove Certificate page.
  9. Leave the Install check mark selected on the EAP-TLS certificate and find the uploaded HTTPS Proxy Authority certificate.
  10. Select the Install check mark for the HTTPS Proxy Authority certificate. Clients will trust it as a root so that inspected HTTPS sessions do not produce certificate warnings; install it only on devices whose traffic the Firebox is meant to inspect.
  11. Click Update. The Certificates section should now contain both the EAP-TLS certificate and the HTTPS Proxy Authority certificate.
  12. Return to the Device Onboarding > Network Profiles page.
  13. In the configured Network Profile, click Publish/Re-publish.
  14. Repeat the Publish/Re-publish action for the new Network Profile Group.
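Three things in the preceding sections are worth verifying with a tool rather than by inspection: that the Firebox policy really exposes TCP 636 only to 52.41.166.6, that the domain controller presents an LDAPS certificate which chains to the exported CA certificate and names the hostname entered in the SecureW2 connection, and that a client which received the Proxy Authority certificate is actually being inspected. The following Python script is an added example written for this guide, not code from WatchGuard, SecureW2 or Microsoft. Its hostnames, file names and sample certificates are placeholders constructed for illustration; the pure helpers work on the dictionary that Python's ssl module returns for a verified peer certificate, and the network functions are for use against live hosts.

```python
"""TLS and reachability checks for the certificate paths in this guide.

Added example, not code from WatchGuard, SecureW2 or Microsoft.  The pure
helpers work on the dict that ssl.SSLSocket.getpeercert() returns and are
exercised on constructed sample certificates; peer_cert(), tcp_open() and
inspection_active() are for use against live hosts.  Names in __main__ are
placeholders.
"""
import socket
import ssl


def der_to_pem(der_bytes):
    """Certificate Services exports DER (.CER); ssl wants PEM for cadata."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def load_ca_pem(path):
    """Read an exported CA certificate in either PEM or DER form, as PEM text."""
    with open(path, "rb") as f:
        data = f.read()
    return data.decode("ascii") if data.startswith(b"-----BEGIN") else der_to_pem(data)


def _rdn_values(name, key):
    # A getpeercert() name is a tuple of RDNs, each a tuple of (type, value) pairs.
    return [v for rdn in name for (k, v) in rdn if k == key]


def dns_names(cert):
    """Subject CN plus DNS subjectAltName entries, lower-cased."""
    names = [n.lower() for n in _rdn_values(cert.get("subject", ()), "commonName")]
    return names + [v.lower() for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def hostname_matches(cert, hostname):
    """Exact match, or a single-label wildcard such as *.corp.example.com."""
    h = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        if name == h or (name.startswith("*.") and h.count(".") == name.count(".")
                         and h.endswith(name[1:])):
            return True
    return False


def issued_by(cert, ca_cert):
    """True if cert's issuer equals ca_cert's subject (compared on CN and O)."""
    def key(name):
        return (_rdn_values(name, "commonName"), _rdn_values(name, "organizationName"))
    return key(cert.get("issuer", ())) == key(ca_cert.get("subject", ()))


def tcp_open(host, port, timeout=3.0):
    """Plain TCP reachability.  With the LDAPS policy in place this should be
    False for port 636 from any address other than 52.41.166.6."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def peer_cert(host, port, ca_pem, timeout=5.0):
    """TLS-connect and return the peer certificate dict.  The chain is verified
    against ca_pem only, as SecureW2 does with the uploaded CA certificate;
    raises ssl.SSLCertVerificationError otherwise.  Hostname checking is left
    to hostname_matches() so a mismatch is reported explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False
    ctx.load_verify_locations(cadata=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def inspection_active(site, proxy_ca_pem):
    """True when the site's chain validates against the Firebox Proxy Authority,
    i.e. the HTTPS-Proxy is decrypting this client's session."""
    try:
        peer_cert(site, 443, proxy_ca_pem)
        return True
    except ssl.SSLCertVerificationError:
        return False


# Constructed sample certificates in getpeercert() form (not real certificates).
AD_CA = {"subject": ((("commonName", "corp-CA"),),)}
DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example.com"),),),
    "issuer": ((("commonName", "corp-CA"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.com"), ("DNS", "ldap.example.com")),
}
PROXY_CA = {"subject": ((("commonName", "Proxy Authority (constructed)"),),)}
INSPECTED_SITE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Proxy Authority (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

if __name__ == "__main__":
    # ldap.example.com: the public name given to SecureW2, resolving to the
    # Firebox external address used in the SNAT.  From a non-SecureW2 host the
    # first check is expected to print False; the certificate checks are run
    # from inside against the domain controller directly.
    print("636 reachable from here:", tcp_open("ldap.example.com", 636))
    cert = peer_cert("dc01.corp.example.com", 636, load_ca_pem("corp-CA.cer"))
    print("public name in LDAPS cert:", hostname_matches(cert, "ldap.example.com"))
    print("inspection active:", inspection_active("www.example.com",
                                                  load_ca_pem("ProxyAuthority.cer")))
```

peer_cert() deliberately turns hostname checking off and verifies the name afterwards, so a certificate that chains correctly but lacks the public name SecureW2 will use is reported as a name mismatch instead of a generic handshake failure. inspection_active() relies on the same mechanism in reverse: a chain that validates against the Proxy Authority can only have been produced by the Firebox.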

Configure the SecureW2 Authentication Policy

The SecureW2 Authentication Policy defines the protocols that the JoinNow MultiOS uses to communicate with the devices and assigns the Identity Provider.

  1. From the SecureW2 JoinNow MultiOS Management Portal, select Policy Management > Authentication.
  2. Click Edit on the auto-created Authentication Policy.
  3. Select the Settings tab.
  4. From the Identity Provider drop-down list, select the Identity Provider you created.
  5. Click Update.

Configure the SecureW2 User Role Policy

  1. From the SecureW2 JoinNow MultiOS Management Portal select Policy Management > User Roles.
  2. Click Edit on the Default Role Policy.
  3. Select the Conditions tab.
  4. From the Identity Provider drop-down list, select the configured provider.

Screen shot of the SecureW2 User Role Policy

  5. Click Update.

Configure the SecureW2 Enrollment Policy

  1. From the SecureW2 JoinNow MultiOS Management Portal, select Policy Management > Enrollment.
  2. Select Edit on the Default Enrollment Policy.
  3. On the Conditions tab, from the User Role and Device Role drop-down list, select the default policies.

Screen shot of the SecureW2 Enrollment Policy

  4. Click Update.

Test a Wireless Client

  1. Connect to the On-Boarding Wi-Fi SSID.
  2. The client is redirected to the SecureW2 View URL you configured as the splash page.

Screen shot of the SecureW2 JoinNow redirect URL

  3. Click JoinNow.
  4. From the download dialog box, click Run.

Screen shot of SecureW2 client download run

  5. Type the Username and Password of an Active Directory user who is a member of the Wi-Fi security group. Click Next.

Screen shot of the SecureW2 software client

JoinNow authenticates the user against Active Directory, installs the client certificate and the HTTPS Proxy Authority certificate, configures the EAP-TLS SSID, and moves the device to it automatically. To confirm the end state, check that the device now holds an address on the EAP-TLS VLAN (VLAN 30) rather than the On-Boarding VLAN (VLAN 20), and that an HTTPS site opened from the device shows a certificate issued by the Firebox Proxy Authority without a warning.