When you configure the Firebox as an authentication server, the Firebox stores user accounts that you create to give users access to your network.
Firebox authentication is often used by organizations that do not have a third-party authentication server and do not need to manage user accounts centrally for multiple applications. Firebox authentication works with policies, all VPN types, management access, and all other Firebox features that authenticate users.
How User Authentication Works
User authentication is a process that finds whether a user is who they claim to be, and verifies the privileges assigned to that user. On your Firebox, a user account has two parts: a user name and a passphrase. Each authenticated user is associated with an IP address. This combination of user name, passphrase, and IP address helps the device administrator to monitor connections through the device. With authentication, users can log in to the network from any computer, but get access to only the network ports and protocols for which they are authorized. The Firebox can then map the connections that start from a specific IP address and also transmit the session name while the user is authenticated.
Use Authentication with Firewall Policies and Users/Groups
You can create firewall polices to give users and groups access to specified network resources. This is useful in network environments where different users share a single computer or IP address.
To prepare your Firebox as an authentication server:
- Divide your company into groups based on the tasks people do and information they need
- Create users for the groups
- Assign groups and users to policies
About Authentication Servers
You can use the Firebox as a local authentication server, or you can use your existing Active Directory, LDAP authentication server, or a RADIUS authentication server. If your Firebox runs Fireware v12.7 or higher, you can also enable and use the AuthPoint authentication server to require multi-factor authentication (MFA) when users authenticate.
When you use Firebox authentication over port 4100, account privileges can be based on user name. When you use third-party authentication, account privileges for users that authenticate to the third-party authentication servers are based on the security group membership of the user.
Fireboxes that run Fireware v12.7 or higher include an AuthPoint authentication server. If you use AuthPoint, you can enable and use the AuthPoint authentication server to require multi-factor authentication (MFA) when users authenticate.
This makes it easier to configure AuthPoint MFA for:
- Mobile VPN with SSL
- Mobile VPN with IKEv2
- Firebox Web UI
- Firebox Authentication Portal
By default, the AuthPoint authentication server on the Firebox is disabled. To enable the AuthPoint authentication server on your Firebox, you must add your Firebox as a Firebox resource in AuthPoint. For detailed steps to add a Firebox resource in AuthPoint, see Configure MFA for a Firebox.
To enable the AuthPoint authentication server on your Firebox, you must register and connect your Firebox to WatchGuard Cloud as a locally-managed Firebox. For detailed instructions to register and connect your Firebox to WatchGuard Cloud, see Add a Locally-Managed Firebox to WatchGuard Cloud.
After you add the Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled. To add MFA, you must configure the Firebox to use the AuthPoint authentication server.
- Mobile VPN with SSL — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with SSL configuration
If you add the AuthPoint authentication server to your Mobile VPN with SSL configuration, users must download and use the WatchGuard Mobile VPN with SSL client v12.7 or higher or the OpenVPN SSL client.
- Mobile VPN with IKEv2— In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with IKEv2 configuration
- Firebox Authentication Portal — In Fireware, specify AuthPoint as the authentication server for users and groups.
- Fireware Web UI — In Fireware, go to System > Users and Roles and add Device Management users with AuthPoint as the authentication server
If you have an existing authentication server called AuthPoint, that authentication server will be automatically renamed to AuthPoint.1 when you:
- Upgrade your Firebox to Fireware v12.7.
- Use WSM or Policy Manager v12.7 or higher to manage a Firebox that runs Fireware 12.6.x or lower.
If your existing AuthPoint RADIUS authentication server is renamed and it is not the default authentication server, users must type the new authentication server name (AuthPoint.1) when they log in and use that authentication server.
How Authenticated Users are Tracked
The WatchGuard user authentication feature allows a user name to be associated with a specific IP address to help you authenticate and track user connections through the device. With the device, the fundamental question that is asked and answered with each connection is, Should I allow traffic from source X to go to destination Y? For the WatchGuard authentication feature to work correctly, the IP address of the user's computer must not change while the user is authenticated to the device.
Authentication, Accounting, and Access control (AAA) is supported by your Firebox, based on a stable association between an IP address and a user. In most environments, the relationship between an IP address and the user computer is stable enough to use for authentication. For environments in which the association between the user and an IP address is not consistent, such as kiosks or networks where applications run from a terminal server, we recommend that you use the Terminal Services Agent for secure authentication. For more information, see Install and Configure the Terminal Services Agent.
About Single Sign-On (SSO)
The WatchGuard user authentication feature also supports authentication to an Active Directory domain with Single Sign-On (SSO), as well as other common authentication servers. In addition, it supports inactivity settings and session time limits. These controls restrict the amount of time an IP address is allowed to pass traffic through the device before users must supply their passwords again (re-authenticate).
If you control SSO access with an allow list and manage inactivity timeouts, session timeouts, and who is allowed to authenticate, you can improve your control of authentication, accounting, and access control. To make sure a user cannot authenticate, you must disable the account for that user on the authentication server.
Authentication and IPv6 Support
If you have configured your device with an IPv6 address, you can use the IPv6 address for Firebox authentication over port 4100. You can also use your device to make IPv6 connections to clients with IPv6 addresses when you use a third-party authentication server with an IPv4 address, such as a RADIUS server.
To troubleshoot user authentication, we recommend that you create a test policy. Next, try to authenticate to the Firebox as a user who is a member of the group specified in the test policy.