Configure MFA for a Firebox

You can add AuthPoint as an authentication server to Fireboxes that run Fireware v12.7 or higher. This makes it easier to configure AuthPoint MFA for:

  • Mobile VPN with SSL
  • Mobile VPN with IKEv2
  • Firebox Web UI
  • Firebox Authentication Portal

To enable AuthPoint as an authentication server on a Firebox, you must add a Firebox resource in AuthPoint. After you configure a Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled.

When you configure a Firebox resource to add MFA to a Firebox, AuthPoint receives the IP address of the end user, so network location policy objects apply when a user authenticates with a VPN client.

You do not have to add a Firebox resource to your Gateway configuration, even if the Firebox resource has MS-CHAPv2 enabled. In this scenario, the Firebox validates the user password with NPS and AuthPoint authenticates the user with MFA.

Before You Begin

Before you add AuthPoint as an authentication server on your Firebox, make sure that you have registered and connected the device to WatchGuard Cloud as a locally-managed Firebox. AuthPoint integration is not supported for cloud-managed Fireboxes.

For detailed instructions to register and connect your Firebox to WatchGuard Cloud, see Add a Locally-Managed Firebox to WatchGuard Cloud.

Authentication Workflow

When you configure AuthPoint as an authentication server for Mobile VPN with SSL, Mobile VPN with IKEv2, the Firebox Authentication Portal, or Fireware Web UI users:

  1. The Firebox forwards user authentication requests directly to AuthPoint.
  2. AuthPoint coordinates multi-factor authentication (MFA):
    • Local users — AuthPoint validates the first factor (password) and the second factor (push or one-time password).
    • LDAP users — AuthPoint tells the Firebox to contact Active Directory to validate the first factor (password). AuthPoint validates the second factor (push or one-time password).
  3. The Firebox prompts the user to select an authentication option:
    • If the user selects the push option, AuthPoint sends a push request to the user’s phone.
    • If the user selects the one-time password option, the Firebox prompts the user to specify a one-time password (OTP).
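
The three steps above, as an added runnable model that is not WatchGuard's code: it simulates the Firebox forwarding a request, AuthPoint routing the first factor by user type (local password checked by AuthPoint, LDAP password checked by the Firebox against a stub Active Directory), and the second factor being either a push that must be approved before it expires or a one-time password. The user store, passwords, OTP secrets, clock values and timeout are constructed, and the one-time password is assumed to be RFC 6238 TOTP (the page only says "one-time password").

```python
"""Constructed model of the AuthPoint-on-Firebox MFA workflow.
Not WatchGuard code: users, secrets, clock values and the push timeout are
invented, and the OTP factor is assumed to be RFC 6238 TOTP (HMAC-SHA1)."""
import hashlib
import hmac
import struct
import time

OTP_STEP = 30       # assumed TOTP time step in seconds
OTP_WINDOW = 1      # accept one step of clock skew either side
PUSH_TIMEOUT = 60   # assumed seconds before an unanswered push expires

# Constructed user store. 'local' users keep their password in AuthPoint;
# 'ldap' users have their password validated by Active Directory instead.
USERS = {
    "alice": {"type": "local", "password": "alice-pw",
              "otp_secret": b"12345678901234567890"},
    "bob":   {"type": "ldap", "otp_secret": b"abcdefghijklmnopqrst"},
}
# Constructed Active Directory stub that the Firebox consults for LDAP users.
ACTIVE_DIRECTORY = {"bob": "bob-pw"}


def totp(secret: bytes, unix_time: int, step: int = OTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current step and OTP_WINDOW steps either side, constant-time compare."""
    for delta in range(-OTP_WINDOW, OTP_WINDOW + 1):
        if hmac.compare_digest(totp(secret, now + delta * OTP_STEP), code):
            return True
    return False


def firebox_check_ad_password(username: str, password: str) -> bool:
    """Step 2, LDAP users: AuthPoint tells the Firebox to validate the password in AD."""
    return ACTIVE_DIRECTORY.get(username) == password


def authpoint_check_local_password(user: dict, password: str) -> bool:
    """Step 2, local users: AuthPoint validates the password itself."""
    return hmac.compare_digest(user["password"], password)


def authenticate(username, password, factor, *, otp=None, push_approved_at=None, now=None):
    """Return (accepted, reason). `factor` is 'push' or 'otp'. `push_approved_at` is
    the constructed time the user tapped approve (None means never answered)."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    # Step 1: the Firebox forwards the request to AuthPoint.
    # Step 2: first factor, routed by user type.
    if user["type"] == "local":
        first_ok = authpoint_check_local_password(user, password)
    else:
        first_ok = firebox_check_ad_password(username, password)
    if not first_ok:
        return False, "first factor failed"
    # Step 3: second factor, chosen by the user at the Firebox prompt.
    if factor == "push":
        if push_approved_at is None or push_approved_at - now > PUSH_TIMEOUT:
            return False, "push not approved before timeout"
        return True, "push approved"
    if factor == "otp":
        if otp is not None and verify_otp(user["otp_secret"], otp, now):
            return True, "otp accepted"
        return False, "otp rejected"
    return False, "unknown factor"


if __name__ == "__main__":
    now = int(time.time())
    print(authenticate("alice", "alice-pw", "otp",
                       otp=totp(USERS["alice"]["otp_secret"], now), now=now))
    print(authenticate("bob", "bob-pw", "push", push_approved_at=now + 5, now=now))
    print(authenticate("bob", "bob-pw", "push", now=now))
```

The point of the model is the routing: a wrong password never reaches the second factor, an unanswered or late push fails closed, and the LDAP user's password is never compared inside AuthPoint. The `totp` helper matches the RFC 6238 test vectors for the 20-byte ASCII key, which is a quick way to sanity-check any OTP implementation you model.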

The authentication workflow depends on the Fireware feature:

Convert Configurations from Fireware 12.6.x or Lower

This section only applies to configurations that use a manually created AuthPoint RADIUS authentication server. If you have already configured AuthPoint MFA for your Firebox with a RADIUS client resource and a RADIUS server on the Firebox, follow the steps in this section to convert your configuration to use the AuthPoint authentication server.

Configurations created before Fireware v12.7 that use a RADIUS authentication server for the AuthPoint Gateway will continue to work after you upgrade to Fireware v12.7.

If you have an existing authentication server called AuthPoint, that authentication server will be automatically renamed to AuthPoint.1 when you:

  • Upgrade your Firebox to Fireware v12.7.
  • Use WSM or Policy Manager v12.7 or higher to manage a Firebox that runs Fireware 12.6.x or lower.

If your existing AuthPoint authentication server is renamed and it is not the default authentication server, users must type the new authentication server name (AuthPoint.1) when they log in and use that authentication server.

To convert your configuration to use the AuthPoint authentication server:

  1. Upgrade your Firebox to Fireware v12.7 or higher.
  2. In AuthPoint:
    1. Add a Firebox resource for your Firebox.
    2. Configure an authentication policy for the new Firebox resource or add the Firebox resource to one of your existing authentication policies.
  3. In Fireware:
    • To configure AuthPoint MFA for a VPN, add AuthPoint as the primary authentication server for Mobile VPN with SSL or Mobile VPN with IKEv2 configuration.
    • To configure AuthPoint MFA for the Firebox Authentication Portal, specify AuthPoint as the authentication server for users and groups.
  4. Test MFA with the new configuration.
  5. Delete your previous configuration:
    1. In AuthPoint, delete the existing RADIUS client resource and remove the RADIUS client resource from your Gateway.
    2. In Fireware, delete the RADIUS server you configured for the AuthPoint Gateway.

Configure a Firebox Resource

To add a Firebox resource:

  1. From the navigation menu, select Resources.
    The Resources page opens.
  2. From the Choose a Resource Type drop-down list, select Firebox. Click Add Resource.
    The Firebox resource page opens.

Screenshot of the Firebox resource page.

  3. In the Name text box, type a descriptive name for the resource.
  4. From the Firebox drop-down list, select the Firebox or FireCluster that you want to connect to AuthPoint. This list only shows locally-managed Fireboxes and FireClusters that you have added to WatchGuard Cloud.
  5. To configure the Firebox resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle.
    Additional text boxes appear.

    You do not have to enable MS-CHAPv2 if the IKEv2 VPN client is only used by local AuthPoint users.

  6. In the NPS RADIUS Server Trusted IP or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the NPS RADIUS server.
  7. In the Port text box, type the port that NPS uses for communication. The default port is 1812.
  8. In the Timeout In Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  9. In the Shared Secret text box, type the shared secret key that NPS and the Firebox will use to communicate.
  10. Click Save.
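
Why the shared secret in the MS-CHAPv2 settings must match on both sides, as an added illustration that is not WatchGuard's or Microsoft's code: in RADIUS (RFC 2865), the server proves it holds the same secret, and that it is answering this exact request, by computing the Response Authenticator as MD5 over the response header, the client's Request Authenticator, the attributes and the secret. The code models the Firebox as the RADIUS client and NPS as the server; the secret, identifier, Request Authenticator and attribute values are constructed, and the MS-CHAPv2 attributes of a real request are omitted.

```python
"""Constructed RADIUS Response Authenticator check (RFC 2865 section 3).
Added illustration, not WatchGuard or Microsoft code: the shared secret,
identifier, Request Authenticator and attribute values are invented."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE = 1, 18          # attribute types from RFC 2865
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (value plus 2 header bytes), Value."""
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, request_authenticator: bytes, username: bytes) -> bytes:
    """What the RADIUS client (the Firebox here) sends to NPS on port 1812.
    Only User-Name is included; real MS-CHAPv2 requests carry more attributes."""
    attrs = attribute(USER_NAME, username)
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the RADIUS server (NPS here) sends back, bound to the request it answers."""
    identifier = request[1]
    request_authenticator = request[4:HEADER_LEN]
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack(">BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: only a server holding the same secret, answering this exact
    request (same identifier and Request Authenticator), yields a valid authenticator.
    A mismatched secret or a replayed/tampered reply is rejected."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack(">BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    attrs = response[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attrs, request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(7, bytes(range(16)), b"alice")
    resp = build_response(ACCESS_ACCEPT, req, attribute(REPLY_MESSAGE, b"MFA ok"), secret)
    print("same secret:", verify_response(resp, req, secret))
    print("other secret:", verify_response(resp, req, b"other-secret"))
```

If the secret typed into the Firebox resource differs from the one configured on NPS, the check above is exactly what fails on the client: the reply arrives but its authenticator does not verify, so the request is treated as unanswered until the timeout.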

After you add the Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled. To add MFA, you must configure the Firebox to use the AuthPoint authentication server.

  • Mobile VPN with SSL — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with SSL configuration. For detailed steps, see Firebox Mobile VPN with SSL Integration with AuthPoint.

    If you add the AuthPoint authentication server to your Mobile VPN with SSL configuration, users must download and use the WatchGuard Mobile VPN with SSL client v12.7 or higher or the OpenVPN SSL client.

  • Mobile VPN with IKEv2 — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with IKEv2 configuration. For detailed steps, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint.
  • Firebox Authentication Portal — In Fireware, specify AuthPoint as the authentication server for users and groups. For detailed steps, see Firebox Authentication Portal Integration with AuthPoint.
  • Fireware Web UI — In Fireware, go to System > Users and Roles and add Device Management users with AuthPoint as the authentication server. For more information, see Manage Users and Roles on Your Firebox.

See Also

About AuthPoint Authentication Policies

Firebox Mobile VPN with IKEv2 Integration with AuthPoint

Firebox Mobile VPN with SSL Integration with AuthPoint

Manage Users and Roles on Your Firebox