AuthPoint Deployment Guide

This help topic shows you how to set up and fully deploy AuthPoint, WatchGuard's multi-factor authentication solution. For a shorter overview of how to get started and test AuthPoint, see Quick Start — Set Up AuthPoint.

AuthPoint is managed from within WatchGuard Cloud. For more information about WatchGuard Cloud, see About WatchGuard Cloud.

In AuthPoint, resources are the applications and services that you want to connect to. External identities connect to LDAP user databases to get user account information and validate passwords.

When you set up AuthPoint, we recommend that you first connect AuthPoint to your firewall and LDAP database. Download and install the AuthPoint Gateway that connects them with AuthPoint, then add a RADIUS client resource for your firewall and an external identity for your LDAP database.

Next, you can add SAML resources for the applications that your users connect to and assign access policies for those resources to your user groups.

When everything is set up and ready to go, sync users from your LDAP database to AuthPoint.

AuthPoint is managed from within WatchGuard Cloud. There are two types of WatchGuard Cloud account—Service Provider and Subscriber—each with a different view of WatchGuard Cloud.

You can tell whether you have a Service Provider account or a Subscriber account based on the appearance of the WatchGuard Cloud UI and the navigation menu.

A Service Provider account has and Account Manager menu and the navigation menu includes an Inventory menu option.

If you see a dashboard similar to this, then you have a Subscriber account.

If you have a Service Provider account, before you can set up AuthPoint you must go to the Inventory page and allocate AuthPoint users to your account. For more information, see Allocate Users to Your Account.

You configure and manage AuthPoint from the Configure Services section of WatchGuard Cloud.

To get to the AuthPoint management UI in WatchGuard Cloud:

  1. Log in to WatchGuard Cloud at http://cloud.watchguard.com/.
    The WatchGuard Cloud Dashboard page is shown.
  2. From the navigation menu, select Configure > AuthPoint. If you have a Service Provider account, you must select an account from Account Manager.
    The AuthPoint Summary page opens.

The AuthPoint Gateway is a lightweight software application that you install on your network to synchronize user account information between your LDAP or Active Directory server and AuthPoint.

The Gateway functions as a RADIUS server and is required for RADIUS authentication and for LDAP synced users to authenticate with SAML resources. You must install the Gateway so that AuthPoint can communicate with your RADIUS clients and LDAP databases.

Before you install the Gateway, you must configure it in the AuthPoint management UI.

  1. From the AuthPoint navigation menu, select Gateway.
  2. Click Add Gateway.

  1. In the Name text box, type a descriptive name for the Gateway.

  1. Click Save.
  2. On the Gateway page, next to your Gateway, click and select Gateway Registration Key.

  1. In the Gateway Registration Key window, copy the registration key. You need this value to install the Gateway.

    The Gateway registration key is a one-time use key. If the installation of the Gateway fails, you must generate a new key to use for the installation.

  1. From the navigation menu, select Downloads.
  2. In the Gateway Installer section, click Download.

  1. Run the downloaded Gateway installer anywhere on your network that has Internet access and that can connect to your RADIUS clients and LDAP server(s).

    WatchGuard AuthPoint Gateway Setup dialog opens.
  2. In the Gateway Registration Key text box, type or paste the Gateway registration key from AuthPoint.
  3. Click Install.

  1. Click Finish.

  1. In the AuthPoint management UI, on the Gateway page, check the circular icon next to your Gateway name. A green icon indicates that the Gateway is successfully installed and can communicate with AuthPoint.

    If the installation of the Gateway fails, you must generate a new registration key to use for the installation. For more information, see Gateway Registration Key.

External identities connect to user databases to get user account information and validate passwords. To sync users from a Lightweight Directory Access Protocol (LDAP) database, you must add an external identity.

From the AuthPoint management UI:

  1. Select External Identities.
  2. From the Choose an External Identity Type drop-down list, select LDAP. Click Add.

  1. In the Name text box, type a descriptive name for the external identity.
  2. In the LDAP Search Base text box, type your LDAP database. In this example, the domain is example.com so we type dc=example,dc=com. Tip!

    For more information about LDAP syntax and how to use a search base to limit the directories on the authentication server where the external identity can search for users, see Find Your Active Directory Search Base.

  1. In the System Account and Passphrase text boxes, type the credentials for a user that has permissions to perform LDAP searches and binds. If this user is not in the default Users folder, select the slider and type the full distinguished name of the user. Tip!

    In this example, we have a user named administrator that is in an OU called AuthPoint (not the default Users folder). So we must select the slider and type the distinguished name of our user as CN=administrator,OU=AuthPoint,DC=example,DC=com.

    If this user is in the Users folder and the user name is different than the account name (sAMAccountName), you must type the account name in the System Account text box.

  1. From the Synchronization Interval drop-down list, specify how often you want to synchronize the LDAP database. If you select Every 24 hours, you must also specify what time the synchronization starts each day.
  2. For Type, select whether this is an Active Directory or a different type of LDAP database. For other databases, you must specify each attribute value. You do not have to do this for Active Directory because the attribute values are known.
  3. In the Domain text box, type your LDAP domain name.
  4. If this not an Active Directory, type a value for each attribute.

    If your Active Directory users use ADFS, you must keep the default sAMAccountName value for the attribute related to user login.

  1. In the Server Address text box, type the IP address of your LDAP server.
  2. In the Server Port text box, type the port for your server.

  1. (Optional) To add a redundant address for your external identity, click Add Redundant Address and type a different address and port for the same LDAP database.
  2. Click Save.

Next you must add your external identity to the configuration for your AuthPoint Gateway. Once you do that, you can test the connection to your LDAP database.

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.
  3. In the LDAP section, in the Select an LDAP external identity list, select your LDAP or Active Directory server.

  1. Click Save.
  2. From the navigation menu, select External Identities.
  3. Next to the external identity you added for your LDAP database, click and select Check Connection.

AuthPoint is now connected to your LDAP database. You can create a query to sync users, but before you do that we recommend that you add resources for all of the applications and services that you want to require authentication for.

In AuthPoint, resources are the applications that you define for use with AuthPoint. When you add a resource, you provide the information required for AuthPoint to connect to that resource.

When you add and configure a resource in AuthPoint, authentication is required to log in to that resource. For each resource, only users that are in a group with an access policy for that resource can authenticate and log in to the resource.

See AuthPoint Integration Guides for more information about how to set up authentication with specific third-party services and applications.

RADIUS client resources represent a Firebox or other device that sends RADIUS packets to the AuthPoint Gateway. These are commonly used to authenticate users for firewalls and VPNs.

RADIUS client resources must be linked to the AuthPoint Gateway and you must choose a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can communicate.

  1. From the navigation menu, select Resources.
  2. From the Choose a resource type drop-down list, select RADIUS Client. Click Add.
  3. In the Name text box, type a descriptive name for the resource.
  4. In the RADIUS client trusted IP or FQDN text box, type the IP address that your RADIUS client uses to send RADIUS packets to the AuthPoint Gateway. This must be a private IP address. For Fireboxes, this is usually the Trusted IP address of your Firebox.
  5. From the Value sent for RADIUS attribute 11 drop-down list, specify what is sent for the attribute 11 (Filter-ID) value in RADIUS responses. You can choose to send the user's AuthPoint group or the user's Active Directory groups.

    To use this feature, you must install version 5 or higher of the AuthPoint Gateway.

  6. In the Shared Secret text box, type a password that the RADIUS server (AuthPoint Gateway) and the RADIUS client will use to communicate.
  7. To configure the RADIUS client resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle. You might do this if you want to configure AuthPoint MFA for IKEv2.
    Additional fields appear.

    To use this feature, you must install version 5.3.1 or higher of the AuthPoint Gateway.

  8. In the NPS RADIUS Server trusted IP or FQDN text box, type the IP address or FQDN of the NPS RADIUS server.
  9. In the Port text box, type the port number for the Gateway (RADIUS server) to use to communicate with NPS. The default port is 1812.

    If NPS and the Gateway are installed on the same server, the port that the Gateway uses to communicate with NPS must be different than the port that the Gateway uses to communicate with the RADIUS client.

  10. In the Timeout in Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  11. Click Save.

Next you must add your RADIUS client resource to the configuration for your AuthPoint Gateway. This is necessary for the RADIUS client to communicate with the RADIUS server (Gateway) and with AuthPoint.

  1. From the navigation menu, select Gateway.
  2. Click the Name of your Gateway.
  3. In the RADIUS section, in the Port text box, type the port number for the RADIUS client to use to communicate with the Gateway (RADIUS server). The default Gateway ports are 1812 and 1645.

    If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port for the AuthPoint Gateway.

  1. From the Select a RADIUS resource list, select your RADIUS client resource(s).

  1. Click Save.

Now you have successfully added a RADIUS client resource and connected it with your Gateway. The last step is to configure your RADIUS client for authentication. Refer to the AuthPoint Integration Guides for the steps to configure specific RADIUS client resources.

SAML resources connect AuthPoint with the provider of a third-party service that users connect to (service provider), such as Microsoft or Salesforce. Add SAML resources and define access policies for them to require that users authenticate before they can connect to those services or applications.

Before you add a SAML resource in AuthPoint, you must configure SAML authentication for your third-party service provider. To do this, download the AuthPoint metadata from the Resources page in the AuthPoint management UI and import the metadata file to the service provider.

The AuthPoint metadata provides information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).

Configure SAML authentication for your third-party service provider:

  1. Select Resources.
  2. Click Download Metadata.

  1. Import the AuthPoint metadata file to the service provider and get the Service Provider Entity ID and Assertion Consumer Service from the service provider. These values are necessary to configure the SAML resource in AuthPoint.

    Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.

Add a SAML resource in the AuthPoint management UI:

  1. Select Resources.
  2. From the Choose a resource type drop-down list, select SAML. Click Add.

  1. From the Application Type drop-down list, select the relevant application or select Others if the application is not listed.
  2. In the Name text box, type a name for the resource. We suggest you use the name of the application.
  3. In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the service provider of the application.
  4. From the User ID drop-down list, select whether users log in with their email or AuthPoint user name.
  5. Some application types require additional information. If applicable, complete any additional fields required for the application.
  6. Click Save.

Do not install the Logon app on computers that run Windows 7 or older or on servers that run Windows 2008 R2 or older.

The Logon app is used to require authentication when users log on to a computer or server. At the logon screen, users must type their password and then choose one of the allowed methods of authentication (push notification, QR code, or one-time password).

There are two parts to the Logon app:

  • The resource you configure in AuthPoint
  • The application you install on a computer or server

To start, you must add a resource for the Logon app.

  1. Select Resources.
  2. From the Choose a resource type drop-down list, select Logon App. Click Add Resource.

  1. On the Logon App page, in the Name text box, type a name for this resource.
  2. In the Support Message text box, type a message to display on the logon screen.
  3. Click Save.

One Logon app resource can be used for every group. You do not need to add additional Logon app resources for each computer that the Logon app is installed on, regardless of the OS. You only need multiple Logon app resources if you have multiple domains.

Now that you have added a Logon app resource, you must install the Logon app on any computers and servers that you want to require authentication for.

  1. Select Downloads.
  2. In the Logon App section, next to your operating system, click Download Installer.
  3. Click Download Config to download the configuration file for the Logon app.

    You can use the same config file for every installation of the Logon app on the same domain, regardless of the OS.

  1. On your computer, move the downloaded configuration file to the same directory as the Logon app installer (.msi file).
  2. Run the Logon app installer and install the Logon app.

For more information, see Configure MFA for a Computer or Server.

The Identity Provider (IdP) portal resource is a portal page that shows users a list of SAML resources available to them. It makes it easier for users to access resources. Users log in to the IdP portal and see each resource they have access to.

When you add an access policy for the IdP portal to a group, the SSO login page redirects users in that group to the portal page.

To set up AuthPoint with an IdP portal:

  1. Select Resources.
  2. From the Choose a Resource Type drop-down list, select Idp Portal. Click Add.
  3. In the Name text box, type a descriptive name for the resource.
  4. From the User ID drop-down list, select whether users type their email or user name to log in on the SSO page.
  5. In the Account Alias text box, type a unique value that will be appended to the URL for your IdP portal.
  6. Click Save.

    One IdP Portal resource can be used with multiple groups. There is no need to add additional IdP resources in AuthPoint.

Once you have added and configured resources in AuthPoint, you must create groups for your users and add access policies for your resources to each group.

In AuthPoint, groups are how you define which resources your users have access to. Access policies are added to AuthPoint groups to specify which resources require MFA for the users in that group and which authentication methods they can use (OTP, Push, and QR code).

Because groups specify how users authenticate, no user can be added to more than one group. This prevents potential conflicts between the access policies of each group.

You must add at least one group before you can add or sync users to AuthPoint.

To add a group to AuthPoint:

  1. Select Groups.
  2. Click Add Group.
  3. In the New Group section, in the Name text box, type a descriptive name for the group.
  4. (Optional) In the Description text box, type a description of the group.
  5. In the Access Policy section, click Add Policy.
    The Add Policy dialog box appears.
  6. From the Resource drop-down list, select a resource that users in that group must authenticate to log in to.
  7. (Optional) To require that users type their password before they authenticate for this resource, select the Require Password Authentication slider.
  8. Select the authentication methods you want to allow for this resource. For RADIUS resources, you can only choose OTP or push. For more information about authentication methods, see About Authentication.
  9. Click Add.
  10. (Optional) Repeat the previous steps to add access policies for additional resources to the group.
  11. Click Save.

Safe locations are a list of public IP addresses that are considered safe. If you try to log in from a computer that uses one of the specified IP addresses (a safe location), you are not required to use MFA. You can log in with only your user name and password.

To configure safe locations, you must create a safe location and then assign it to one or more user groups. You create and edit safe locations on the Add Group or Edit Group pages.

Safe locations only apply to the groups they are assigned to. Users in a group that a safe location is not assigned to must still authenticate when they sign in from the safe location.

To configure a safe location:

  1. On the Groups page, click the Name of the group you want to add a safe location to. You can also click Add Group if you want to create a new group to add a safe location to.

  1. In the Safe Locations section, click Add Safe Location.

  1. In the Name text box, type a name to identify this safe location. This helps you identify the safe location when you add it to other groups.
  2. In the IP Mask text box, type a public IP address or netmask that defines the range of public IP addresses you want to consider as a safe location. You can specify multiple IP addresses and ranges in one safe location.

  1. Click Save.
    The Add Safe Location window closes and the safe location is saved and added to your group.

  1. Click Save.

Each safe location that you create can be assigned to multiple AuthPoint groups. You do not have to create the same safe location for each of your groups.

To add an existing safe location to a group:

  1. Click the Name of the group you want to add a safe location to.
  2. In the Safe Locations section, select a safe location from the list.

To sync users from an LDAP database, you must create a query for the external identity that you added. The queries you add to an external identity specify which users to sync from your Active Directory or LDAP database. They pull user information and create AuthPoint users for the users that are found.

There are two ways to query users:

  • Group Sync — Select the LDAP groups you want to sync users from and AuthPoint creates the query for you
  • Advanced Queries — Create your own LDAP queries to specify which groups or users to sync

In this example, we show the steps to use the group sync feature.

Before you continue, make sure that each user account has a valid email address. If the email address for a user account is not correct, the user cannot receive the email message to set a password and activate a token.

If the selected LDAP groups have more users than you have available licenses for, the sync only creates as many users as your license supports.

LDAP users that do not have a user name or email address are not included in the synchronization.

To sync LDAP groups:

  1. Select External Identities.
  2. Next to your external identity, click and select Group Sync.

  1. On the Group Sync page, click Add New Group to Sync.

  1. In the Add Group Sync window, from the Select LDAP Groups drop-down list, select the LDAP groups you want to sync users from. You can select multiple groups.

  1. From the Select the Group drop-down list, select the AuthPoint group to add the users to.

    For each group sync, all users are added to the same AuthPoint group. To add users to separate AuthPoint groups, you must create a separate group sync for each LDAP group whose users you want in a different AuthPoint group.

  1. Click Save.
    The Add Group Sync window closes.

After you add a query to find your users (manually or with group sync), AuthPoint syncs with your Active Directory or LDAP database at the next synchronization interval and an AuthPoint user account is created for each user identified by the query.

The created user accounts appear on the Users page with a green Activated status icon next to the user name. The Activated status icon indicates that the user has been created and is currently active (not blocked). You can identify users synced from an external identity by the LDAP tag next to their name in the list of users.

Each user is sent an email that they use to activate their token in the AuthPoint mobile app. When a user activates their token, their token information is shown in the Token column with a green Activated status icon next to the token.

Users synced from an external identity use their existing password for authentication. They do not receive the email to set an AuthPoint password.

To start a sync immediately, on the External Identities page, next to the your external identity, click and select Start Synchronization.

You have now added your resources to AuthPoint and defined access policies for those resources, and you have synced your users. Before your users can authenticate with AuthPoint, they must install the AuthPoint app on their mobile devices and activate their WatchGuard token.

A token is something that is used to identify you and associate you with a device, like a digital signature or fingerprint. It is used in addition to, or in place of, a password when you log in to a protected resource.

You activate a token on a device that is used for authentication, such as a mobile phone. This device is then used to gain access to protected resources that require multi-factor authentication.

For more information, see Activate a Software Token.

See Also

Quick Start — Set Up AuthPoint

About AuthPoint

About the AuthPoint Mobile App

Configure MFA

About Authentication

User Management

AuthPoint Integration Guides