Configure RADIUS Server Authentication

RADIUS (Remote Authentication Dial-In User Service) authenticates the local and remote users on a company network. RADIUS is a client/server system that keeps the authentication information for users, remote access servers, VPN gateways, and other resources in one central database.

In Fireware v12.5 or higher:

  • SecurID is part of the RADIUS configuration.
  • You can configure more than one primary RADIUS server.
  • You must manually specify a domain name for new RADIUS servers.
  • To authenticate, users must type the domain name you specified in the RADIUS configuration. Mobile VPN and Access Portal users must type the domain name to authenticate to a server other than the primary server.

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name. To authenticate, users must select RADIUS as the server and type RADIUS as the domain name. If a user types a domain name other than RADIUS, authentication fails. This applies to authentication through the Web UI, WatchGuard System Manager v12.5 or higher (to a Firebox with any Fireware version), Mobile VPN clients, and the Access Portal.

For information about the RADIUS protocol, go to How RADIUS Server Authentication Works.

To configure SecurID authentication, go to Configure SecurID Authentication.

Authentication Key

The authentication messages to and from the RADIUS server use an authentication key. This authentication key, or shared secret, must be the same on the RADIUS client and server. Without this key, there is no communication between the client and server.

RADIUS Authentication Methods

The Firebox uses only these authentication protocols for user authentication with a RADIUS server:

  • Web authentication, Mobile VPN with SSL authentication, and Mobile VPN with IPSec authentication — PAP (Password Authentication Protocol)
  • Mobile VPN with L2TP authentication — MSCHAPv2 (Microsoft Challenge-Handshake Authentication Protocol version 2)
  • Mobile VPN with IKEv2 authentication — EAP-MSCHAPv2
  • Authentication with WPA Enterprise and WPA2 Enterprise authentication methods — EAP (Extensible Authentication Protocol)
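The shared secret described under Authentication Key does two jobs in RADIUS (RFC 2865): it hides the PAP password inside the User-Password attribute, and it keys the Response Authenticator that lets the client check a reply really came from its server. The following Python is an added example, not part of this page or of Fireware; the user store, user names and secrets are constructed, and the server is a toy that validates a plaintext password only to show why a mismatched secret ends the exchange.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data: bytes) -> list:
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def pap_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long for User-Password")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def pap_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide_password; only a holder of the same secret gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    attrs = (encode_attr(ATTR_USER_NAME, username) +
             encode_attr(ATTR_USER_PASSWORD, pap_hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs

def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a server holding the same secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)

# Constructed toy user store; a real server checks a directory, not plaintext passwords.
USER_DB = {b"alice": b"correct horse battery staple"}

def server_handle(packet: bytes, secret: bytes) -> bytes:
    """Toy server: reveal the PAP password with its own secret, answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    password = pap_reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = USER_DB.get(attrs.get(ATTR_USER_NAME, b""))
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)

def exchange(client_secret: bytes, server_secret: bytes) -> tuple:
    """One Access-Request/response; returns (response code, client verified the reply)."""
    request_auth = os.urandom(16)
    request = build_access_request(7, b"alice", USER_DB[b"alice"], client_secret, request_auth)
    response = server_handle(request, server_secret)
    return response[0], verify_response(response, request_auth, client_secret)

if __name__ == "__main__":
    print("matching secrets:", exchange(b"Sh4red-S3cret", b"Sh4red-S3cret"))    # (2, True)
    print("mismatched secrets:", exchange(b"Sh4red-S3cret", b"sh4red-s3cret"))  # (3, False)
```

With matching secrets the server reveals the correct password and answers Access-Accept, and the client's Response Authenticator check passes; with a secret that differs only in case, the server recovers garbage and rejects, and the client cannot validate the reply either, which is the practical meaning of "no communication" above. The example also shows why the secret deserves the same care as a password: PAP hides the password only with an MD5 keystream derived from the secret and the Request Authenticator, so the secret's strength and the placement of the Firebox-to-server path matter.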

RADIUS and Multi-Factor Authentication

You can use RADIUS server authentication with multi-factor authentication (MFA).

If the Firebox does not receive a response to an MFA challenge, the Firebox marks the RADIUS server as dead for the Dead Time duration. The Firebox does not send authentication requests for other users to the RADIUS server during this time. To avoid this issue, we recommend that you change the default Dead Time value in the Firebox RADIUS settings:

  • If you configure only a primary RADIUS server, specify a Dead Time of 10 minutes.
  • If you also configure a backup RADIUS server, specify a Dead Time of 0 minutes.

If a user does not respond to an MFA challenge, the authentication request times out and AuthPoint sends a response to the Firebox.

Before You Begin

Before you configure your Firebox to use a RADIUS authentication server, you must have this information for each RADIUS server:

  • Primary RADIUS server — IP address and RADIUS port
  • Secondary RADIUS server (optional) — IP address and RADIUS port
  • Shared secret — Case-sensitive password that is the same on the Firebox and the RADIUS server
  • Authentication methods — Set your RADIUS server to allow the authentication method your device uses: PAP, MSCHAPv2, WPA Enterprise, WPA2 Enterprise, or WPA/WPA2 Enterprise

Use RADIUS Server Authentication with Your Firebox

To use RADIUS server authentication with your Firebox, you must:

  • Add the IP address of the Firebox to the RADIUS server to configure the Firebox as a RADIUS client.
  • Enable and specify the RADIUS server in the Firebox configuration.
  • In the Firebox RADIUS configuration, specify the server IP address and shared secret.
  • Add RADIUS users or groups in the Firebox configuration.
  • Add RADIUS user names or group names to Firebox policies.

Configure RADIUS

Related Topics

About Third-Party Authentication Servers

Use Users and Groups in Policies

Enterprise Authentication with RADIUS

RADIUS Authentication with Active Directory For Mobile VPN Users

About RADIUS Single Sign-On

Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base