Configure MFA for a Firebox

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

You can add AuthPoint as an authentication server to Fireboxes that run Fireware v12.7 or higher. This makes it easier to configure AuthPoint MFA for:

  • Mobile VPN with SSL
  • Mobile VPN with IKEv2
  • Firebox Web UI
  • Firebox Authentication Portal

To enable AuthPoint as an authentication server on a Firebox, you must add a Firebox resource in AuthPoint. After you configure a Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled.

When you configure a Firebox resource to add MFA to a Firebox, AuthPoint receives the IP address of the end user, so network location policy objects apply when a user authenticates with a VPN client.

You do not have to add a Firebox resource to your Gateway configuration, even if the Firebox resource has MS-CHAPv2 enabled. In this scenario, the Firebox validates the user password with NPS and AuthPoint authenticates the user with MFA.

Your Firebox must run Fireware v12.7.1 or higher to authenticate Azure Active Directory users with the AuthPoint authentication server.

Before You Begin

Before you add AuthPoint as an authentication server on your Firebox, make sure that you have registered and connected the device to WatchGuard Cloud. For detailed instructions to register and connect your Firebox to WatchGuard Cloud, refer to Add a Locally-Managed Firebox to WatchGuard Cloud and Add a Cloud-Managed Firebox to WatchGuard Cloud.

If you remove a locally-managed or cloud-managed Firebox from WatchGuard Cloud, the Firebox resource in AuthPoint is no longer associated with the Firebox and you must delete the resource. To continue to use the AuthPoint authentication server on the Firebox, you must add the device to WatchGuard Cloud again and add a new Firebox resource for the device in AuthPoint.

If you want to use AuthPoint MFA with your Firebox, but do not want to add the Firebox to WatchGuard Cloud, you can add the Firebox to AuthPoint as a RADIUS client resource. For more information, see Configure MFA for a RADIUS Client.

Authentication Workflow

When you configure AuthPoint as an authentication server for Mobile VPN with SSL, Mobile VPN with IKEv2, the Firebox Authentication Portal, or Fireware Web UI users:

  1. The Firebox forwards user authentication requests directly to AuthPoint.
  2. AuthPoint coordinates multi-factor authentication (MFA):
    • Local users — AuthPoint validates the first factor (password) and the second factor (push or one-time password).
    • LDAP users — AuthPoint tells the Firebox to contact Active Directory to validate the first factor (password). AuthPoint validates the second factor (push or one-time password).
    • Azure Active Directory users — AuthPoint contacts Azure Active Directory to validate the first factor (password). AuthPoint validates the second factor (push or one-time password).
  3. The Firebox prompts the user to select an authentication option:
    • If the user selects the push option, AuthPoint sends a push request to the user’s phone.
    • If the user selects the one-time password option, the Firebox prompts the user to specify a one-time password (OTP).

The authentication workflow depends on the Fireware feature:

Convert Configurations from Fireware 12.6.x or Lower

This section only applies to configurations that use a manually created AuthPoint RADIUS authentication server. If you have already configured AuthPoint MFA for your Firebox with a RADIUS client resource and a RADIUS server on the Firebox, follow the steps in this section to convert your configuration to use the AuthPoint authentication server.

Configurations created before Fireware v12.7 that use a RADIUS authentication server for the AuthPoint Gateway will continue to work after you upgrade to Fireware v12.7.

If you have an existing authentication server called AuthPoint, that authentication server will be automatically renamed to AuthPoint.1 when you:

  • Upgrade your Firebox to Fireware v12.7.
  • Use WSM or Policy Manager v12.7 or higher to manage a Firebox that runs Fireware 12.6.x or lower.

If your existing AuthPoint authentication server is renamed and it is not the default authentication server, users must type the new authentication server name (AuthPoint.1) when they log in and use that authentication server.

To convert your configuration to use the AuthPoint authentication server:

  1. Upgrade your Firebox to Fireware v12.7 or higher.
  2. In AuthPoint:
    1. Add a Firebox resource for your Firebox.
    2. Configure an authentication policy for the new Firebox resource or add the Firebox resource to one of your existing authentication policies.
  3. In Fireware:
    • To configure AuthPoint MFA for a VPN, add AuthPoint as the primary authentication server for Mobile VPN with SSL or Mobile VPN with IKEv2 configuration.
    • To configure AuthPoint MFA for the Firebox Authentication Portal, specify AuthPoint as the authentication server for users and groups.
  4. Test MFA with the new configuration.
  5. Delete your previous configuration:
    1. In AuthPoint, delete the existing RADIUS client resource and remove the RADIUS client resource from your Gateway.
    2. In Fireware, delete the RADIUS server you configured for the AuthPoint Gateway.

Configure a Firebox Resource

To add a Firebox resource:

  1. From the AuthPoint navigation menu, select Resources.
  2. Click Add Resource.
     The Add Resource page opens.
  3. From the Type drop-down list, select Firebox.
  4. In the Name text box, type a descriptive name for the resource.
  5. From the Firebox drop-down list, select the Firebox or FireCluster that you want to connect to AuthPoint. This list only shows Fireboxes and FireClusters that you have added to WatchGuard Cloud, and the device status in WatchGuard Cloud must be Connected.
  6. To configure the Firebox resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle.
     Additional text boxes appear.
     You do not have to enable MS-CHAPv2 if the IKEv2 VPN client is only used by local AuthPoint users.
  7. In the NPS RADIUS Server Trusted IP or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the NPS RADIUS server.
  8. In the Port text box, type the UDP port on which NPS listens for RADIUS authentication requests. The default port is 1812.
  9. In the Timeout In Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  10. In the Shared Secret text box, type the shared secret key that NPS and the Firebox will use to communicate. This must be the same secret configured for the Firebox in its RADIUS client entry in NPS; NPS silently discards RADIUS requests from addresses that are not registered as RADIUS clients, and a mismatched secret produces a reply the Firebox cannot validate.
  11. Click Save.

After you add the Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled. To add MFA, you must configure the Firebox to use the AuthPoint authentication server.
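Before you point the Firebox resource at NPS (steps 7 through 10 above) and again at the "Test MFA" step of the conversion procedure, it helps to confirm from a host on the same network path that the NPS address, port and shared secret are right, independently of AuthPoint. The script below is an added example and is not WatchGuard or Microsoft code: it builds a plain RFC 2865 Access-Request with a PAP User-Password and a Message-Authenticator, sends it to NPS and verifies the reply's Response Authenticator against the shared secret. It deliberately does not speak MS-CHAPv2; an NPS network policy that only allows MS-CHAPv2 will answer the PAP request with an Access-Reject, but that reject is still signed with the shared secret, so any verified reply proves reachability, port and secret. The hostname, user name and secret are constructed placeholders, and the probing host must itself be registered as a RADIUS client in NPS with the same secret, otherwise NPS drops the request without replying.

```python
"""RADIUS probe for the NPS server named in an AuthPoint Firebox resource.
Added example, not WatchGuard code: sends an RFC 2865 Access-Request (PAP User-Password plus
Message-Authenticator) and verifies the reply was signed with the same shared secret."""
import hashlib
import hmac
import os
import socket
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def encode_pap_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), starting
    from the Request Authenticator. Keyed obfuscation, not encryption: a weak secret leaks passwords."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def decode_pap_password(encoded: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    out, prev = bytearray(), request_authenticator  # inverse of encode_pap_password (server side)
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, Length (includes this 2-byte header), Value; RADIUS limits a value to 253 bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def find_attribute(packet: bytes, attr_type: int):
    """Return (offset, value) of the first attribute of that type after the 20-byte header, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        length = max(packet[pos + 1], 2)  # never loop forever on a zero-length attribute
        if packet[pos] == attr_type:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None

def build_access_request(username: str, password: str, secret: bytes, identifier: int,
                         request_authenticator: bytes = b"") -> bytes:
    """Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 over the whole packet with that attribute
    zeroed, keyed with the shared secret; NPS can be set to require it for a RADIUS client."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(ATTR_NAS_IDENTIFIER, b"authpoint-nps-probe")
    attrs += attribute(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, request_authenticator))
    zeroed = attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = HEADER.pack(1, identifier, 20 + len(zeroed)) + request_authenticator  # Code 1 = Access-Request
    mac = hmac.new(secret, header + zeroed, "md5").digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(request: bytes, secret: bytes) -> bool:
    """The check NPS performs on an Access-Request when the attribute is required."""
    found = find_attribute(request, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    pos, mac = found
    zeroed = request[:pos + 2] + b"\x00" * 16 + request[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), mac)

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> tuple:
    """Return (authentic, code); an unauthentic reply must count as no reply, not as an Accept."""
    if len(response) < 20:
        return False, 0
    code, identifier, length = HEADER.unpack(response[:4])
    if identifier != request[1] or not 20 <= length <= len(response):
        return False, code
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code

def probe(server: str, port: int, secret: bytes, username: str, password: str, timeout: float = 5.0) -> str:
    """Send one Access-Request over UDP and classify the outcome (timeout is the probe's own)."""
    request = build_access_request(username, password, secret, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check reachability, the UDP port, and the NPS RADIUS client entry for this host"
    authentic, code = verify_response(response, request, secret)
    if not authentic:
        return "reply failed the Response Authenticator check: shared secret mismatch"
    return f"authenticated {CODE_NAMES.get(code, f'code {code}')} from {server}:{port}"
```

Usage against a real server is a single call such as probe("nps.example.internal", 1812, b"the-shared-secret", "alice", "password") with the constructed values replaced by the ones entered in the Firebox resource; "authenticated Access-Reject" is the expected outcome when NPS allows only MS-CHAPv2, and is still a pass for host, port and secret. The probe's socket timeout is unrelated to the Timeout In Seconds value in the Firebox resource, which governs push expiry.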

Related Topics

About AuthPoint Authentication Policies

Firebox Mobile VPN with SSL Integration with AuthPoint

Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Active Directory Users

Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users

Firebox Cloud Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users

Manage Users and Roles on Your Firebox