WatchGuard Dimension on-premise system integration with AuthPoint (2023)

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard Dimension on-premises system.

You must deploy and configure your on-premises WatchGuard Dimension system before setting up MFA with AuthPoint. Your WatchGuard Dimension on-premises system can be configured to support MFA in multiple modes. For this integration we set up RADIUS with AuthPoint.

With RADIUS authentication, users can authenticate with a push notification or a one-time password (OTP). You choose which authentication method users can use when you configure the authentication policy in AuthPoint. The steps in this integration guide apply to both authentication methods.

This integration has been tested with WatchGuard Dimension's on-premise system v2.2.1.

WatchGuard Dimension on-premise system authentication flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers using the RADIUS protocol. This diagram shows the data flow of an MFA transaction for an on-premise WatchGuard Dimension system.

[Diagram: data flow of an MFA transaction between the WatchGuard Dimension on-premise system, the AuthPoint Gateway (RADIUS server), and AuthPoint]

Before you start

Before beginning these procedures, ensure the following:

  • A token is assigned to a user in AuthPoint.
  • You have installed and configured AuthPoint Gateway v7.0.1 or later. For more information, see About gateways.
  • You have deployed the WatchGuard Dimension on-premises system.

Configure the WatchGuard Dimension on-premises system

You must enable and configure RADIUS authentication settings on your local WatchGuard Dimension system.

Configure RADIUS authentication

When you configure the RADIUS authentication server, the timeout value must be greater than the AuthPoint push timeout (30 seconds). The push timeout is the amount of time before a push authentication expires.

To configure RADIUS authentication:

  1. Log in to the WatchGuard Dimension on-premise system WebUI (https://<IP address of your on-premise WatchGuard Dimension system>).
  2. From the icon menu, select Access Management.
  3. Select Configuration.
    The Authentication tab opens by default.
  4. To unlock the configuration, click the lock icon.
  5. Select the Enable RADIUS Authentication check box.
  6. In the IP Address / Hostname section, click Add to add a RADIUS server.
  7. In the IP Address or Hostname text box, enter the IP address of the RADIUS server (AuthPoint Gateway).
  8. In the Port text box, keep the default port setting of 1812. This is the default port used to communicate with the RADIUS server (AuthPoint Gateway).

    If you already have a RADIUS server installed that uses port 1812, you must use a different port for the AuthPoint Gateway.

  9. In the Secret and Confirm text boxes, enter a shared secret. This secret is used to communicate with the RADIUS server (AuthPoint Gateway).
  10. To save the RADIUS server settings, click OK.
  11. In the Timeout text box, type 30.
  12. In the Retries and Group Attribute text boxes, keep the default values.
  13. Click Save.

Add an administrative user

You must add an administrative user whose type is RADIUS User so that the WatchGuard Dimension on-premise system can integrate with AuthPoint.

To add an administrative user:

  1. Log in to the WatchGuard Dimension on-premise system WebUI (https://<IP address of your on-premise WatchGuard Dimension system>).
  2. From the icon menu, select Access Management.
  3. Select Users & Groups.
    The Manage Users and Groups page opens.
  4. To unlock the configuration, click the lock icon.
  5. Click Add.
  6. In the Name text box, enter a username for the new administrative user.
  7. From the Type drop-down list, select RADIUS User.
  8. Select the Policies tab.
  9. In the Role text box, select the role for the new administrative user. In our example we select the Super Administrator role.
  10. Click Save.

Configure AuthPoint

Before AuthPoint can receive authentication requests from your WatchGuard Dimension on-premises system, you must:

  • Specify the WatchGuard Dimension on-premise system as a RADIUS client resource in AuthPoint. In AuthPoint, resources are the applications and services your users connect to.
  • Add an authentication policy for the RADIUS client resource, or add the RADIUS client resource to an existing authentication policy. Authentication policies specify which resources users can authenticate to and which authentication methods they can use (push, QR code, and OTP).
  • Bind the RADIUS client resource to the AuthPoint Gateway.

Add a RADIUS client resource in AuthPoint

From the AuthPoint management UI:

  1. In the navigation menu, select Resources. Click Add Resource.
    The Add Resource page opens.
  2. From the Type drop-down list, select RADIUS Client.
    Additional fields are displayed.
  3. In the Name text box, enter a descriptive name for the resource.
  4. In the Trusted IP or FQDN of the RADIUS client text box, enter the IP address of your on-premise WatchGuard Dimension system.
  5. From the Value sent for RADIUS attribute 11 (Filter-Id) drop-down list, select User's AuthPoint groups.

    If you use an Active Directory group for RADIUS authentication, select User's Active Directory groups instead.

  6. In the Shared Secret text box, enter the shared secret that you specified in the Configure RADIUS authentication section.
  7. Click Save.
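As an added example that is not part of the WatchGuard guide, the following Python script models the RADIUS exchange set up in the Configure RADIUS authentication and Add a RADIUS client resource sections: the User-Password hiding that depends on the shared secret entered on both sides, the Filter-Id (attribute 11) that the gateway returns to carry the user's AuthPoint group, and the Response Authenticator check a RADIUS client must pass before it trusts an Access-Accept. Packet codes, attribute numbers and the MD5 constructions are from RFC 2865; the secret, username, group and authenticator values are constructed for the demo.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # Filter-Id is RADIUS attribute 11

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value  # Type, Length, Value

def build_access_request(ident, secret, username, passphrase, request_auth):
    """Access-Request as the Dimension system sends it; in OTP mode passphrase = password + OTP."""
    hidden = hide_password(passphrase.encode(), secret, request_auth)
    attrs = attribute(USER_NAME, username.encode()) + attribute(USER_PASSWORD, hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def build_access_accept(ident, secret, request_auth, group):
    """Access-Accept the gateway would return, carrying the user's group in Filter-Id."""
    attrs = attribute(FILTER_ID, group.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def groups_from_accept(response: bytes, request_auth: bytes, secret: bytes):
    """Filter-Id values from an authentic Access-Accept (RFC 2865 3 Response Authenticator), else None."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if response[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, response[4:20]):
        return None  # forged or modified reply: the client must not grant access
    return [v.decode() for v in parse_attributes(response).get(FILTER_ID, [])]

if __name__ == "__main__":  # constructed demo values, not taken from the guide
    secret, req_auth = b"demo-shared-secret", bytes(range(16))
    accept = build_access_accept(1, secret, req_auth, "Dimension-Admins")
    print(groups_from_accept(accept, req_auth, secret))  # ['Dimension-Admins']
```

A reply built with a different shared secret, or modified in transit, fails the authenticator check and yields None, which is why the secret must match exactly on the Dimension system and on the AuthPoint resource.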

Add a group in AuthPoint

You must have at least one user group in AuthPoint to configure MFA. If you already have a group, you don't need to add another group.

To add a group to AuthPoint:

  1. In the navigation menu, select Groups.
  2. Click Add Group.
    The New Group page opens.
  3. In the Name text box, enter a descriptive name for the group.
  4. (Optional) In the Description text box, enter a description of the group.
  5. Click Save.
    Your group is listed on the Groups page.

Add an authentication policy to AuthPoint

Authentication policies specify which resources users can authenticate to and which authentication methods they can use (push, QR code, and OTP).

The WatchGuard Dimension on-premise system only supports push or OTP authentication. Users cannot choose between the two authentication methods. If you enable both the push and OTP authentication methods for a policy, RADIUS client resources use push notifications to authenticate users. To allow users to authenticate with OTP, select only the Password and OTP authentication methods.

You must have at least one authentication policy in AuthPoint that includes the RADIUS client resource. If you already have authentication policies, you don't need to create a new authentication policy. You can add this resource to your existing authentication policies.

Users who do not have an authentication policy for a specific resource cannot authenticate to log in to that resource.

To configure an authentication policy:

  1. In the navigation menu, select Authentication Policies.
  2. Click Add Policy.
  3. Enter a name for this policy.
  4. From the Select the authentication options drop-down list, select which authentication options users can choose from when they authenticate.

    When you enable both the push and OTP authentication methods for a policy, RADIUS client resources associated with that policy use push notifications to authenticate users.

    QR code authentication is not supported for RADIUS client resources.

  5. Select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All groups.
  6. Select the resource you created in the previous section. If you want this policy to apply to additional resources, select each resource that this policy applies to. To configure this policy to apply to all resources, select All resources.
  7. (Optional) If you configured Policy Objects such as a network location, select which Policy Objects apply to this policy. When you add a Policy Object to a policy, the policy applies only to user authentications that match the conditions of the Policy Objects. For example, if you add a network location to a policy, the policy applies only to user authentications that originate from that network location. Users who only have a policy that includes a network location are not granted access to the resource if they authenticate from outside that network location (because they do not have a valid policy, not because authentication is denied).

    For RADIUS authentication, policies with a network location do not apply because AuthPoint does not know the IP address of the user.

    When you configure Policy Objects, we recommend that you create a second policy for the same groups and resources without the Policy Objects. The policy with the Policy Objects should have the higher priority.

  8. Click Save.
    Your policy is created and added to the bottom of the policy list.

    When you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Bind the RADIUS resource to a gateway

To use RADIUS authentication with AuthPoint, you must have the AuthPoint gateway installed on your corporate network and you must allocate your RADIUS resources to the gateway in the AuthPoint management UI. The gateway acts as a RADIUS server.

If you have not already installed and configured the AuthPoint Gateway, see About gateways.

To allocate your RADIUS resources to the gateway:

  1. In the navigation menu, select Gateway.
  2. Select the Name of the gateway.
  3. In the RADIUS section, in the Port text box, enter the port number used to communicate with the gateway. The default ports are 1812 and 1645.

    If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port for the AuthPoint Gateway.

  4. From the Select a RADIUS resource drop-down list, select your RADIUS client resource.
  5. Click Save.

Add user to AuthPoint

Before assigning users to a group, you must add the users to AuthPoint. There are two ways to add AuthPoint user accounts:

  • Synchronize users from an external user database
  • Add local AuthPoint users

Each user must be a member of a group. You must add at least one group before you can add users to AuthPoint.

To import users from an external user database:

To import users from Active Directory, Azure Active Directory, or an LDAP database, you must add an external identity in the AuthPoint management UI. External identities connect to user databases to retrieve user account information and validate passwords.

  • To sync users from Active Directory or an LDAP database, you must add an external LDAP identity.
  • To sync users from Azure Active Directory, you must add an external Azure AD identity.

When syncing users from an external user database, you can sync any number of users and they will all be added to AuthPoint at the same time. Users syncing from an external user database use the password defined for their user account as their AuthPoint password.

For information about synchronizing users, see Sync users from Active Directory or LDAP and Sync users from Azure Active Directory.

To add local AuthPoint users:

You can create local AuthPoint users on the Users page in the AuthPoint administration UI. Because you can only create one user at a time, you do this most often when you are creating test users or only want to add a small number of users.

Unlike users who are synced from an external user database, local AuthPoint users define and manage their own AuthPoint password. When you add a local user account, the user receives an email asking them to set their password.

For information about adding local AuthPoint user accounts, see Add local AuthPoint users.

Test the integration

To test AuthPoint MFA with WatchGuard Dimension's on-premises system, you can authenticate using a mobile token on your mobile device. With a WatchGuard Dimension on-premises system, you can authenticate with a one-time password (OTP) or a push notification.

  • If you choose OTP as the authentication method, enter your password followed by the OTP as the passphrase.
  • If you choose push as the authentication method, users receive a push notification in the mobile app, which they must approve to authenticate.

In this example, we show the push authentication method (users get a push notification in the mobile app that they need to approve to authenticate).

  1. Open the WebUI of your WatchGuard Dimension on-premise system (https://<IP address of your on-premise WatchGuard Dimension system>).
  2. Enter your admin username and password.
  3. Approve the authentication request sent to your mobile device.
    You are successfully logged in.

© 2022 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the US and other countries. Various other trademarks are held by their respective owners.
