About Mobile VPN with L2TP User Authentication

When you configure Mobile VPN with L2TP, you select authentication servers, and configure users and groups for authentication. The users and groups you specify must exist on the selected authentication server.

Authentication Methods

Mobile VPN with L2TP supports two authentication methods:

Local authentication on the Firebox (Firebox-DB)

You can use the local authentication server on the Firebox for L2TP user authentication. If you use Firebox-DB for authentication you must use the L2TP-Users group that is created by default when you configure Mobile VPN with L2TP. You can also add other users and groups in the L2TP configuration. The users and groups you add to the L2TP configuration are automatically included in the L2TP-Users group.

In Fireware v12.2.1 or lower, when you add a user or group to the Mobile VPN with L2TP configuration and select Firebox-DB as the authentication server, this does not automatically add the user or group for Firebox authentication. You must also add users and groups in the Firebox authentication settings. For detailed instructions to add users and groups, go to Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.


You can use a RADIUS server for L2TP user authentication. If you use a RADIUS server for authentication, you can use the default L2TP-Users group (if you also add that group on the RADIUS authentication server), or you can add the names of users and groups that exist in the RADIUS authentication server database.

If you want to use an Active Directory database for authentication, you can configure your RADIUS server to use the Active Directory database. Then you can configure the RADIUS server on the Firebox, select RADIUS as the authentication method for Mobile VPN with L2TP, and add the users and groups from your Active Directory database to the Mobile VPN with L2TP configuration.

To configure RADIUS Authentication with Active Directory for your L2TP users, go to Configure RADIUS Authentication with Active Directory for Mobile VPN with L2TP.

Multi-Factor Authentication

Mobile VPN with L2TP supports multi-factor authentication for MFA solutions that support MS-CHAPv2. AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication.

In Fireware v12.5.3 or higher, Mobile VPN with L2TP supports AuthPoint for multi-factor authentication to Active Directory through NPS. You must use AuthPoint push-based authentication; you cannot use AuthPoint OTP.

For more information about AuthPoint, go to About AuthPoint.

Related Topics

Configure RADIUS Server Authentication

Use the WatchGuard L2TP Setup Wizard

Edit the Mobile VPN with L2TP Configuration