WatchGuard Dimension on-premise system integration with AuthPoint (2023)

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your WatchGuard Dimension on-premises system.

You must deploy and configure your on-premises WatchGuard Dimension system before setting up MFA with AuthPoint. Your WatchGuard Dimension on-premises system can be configured to support MFA in multiple modes. For this integration we set up RADIUS with AuthPoint.

With RADIUS authentication, users can authenticate with a push notification or one-time password (OTP). You choose which authentication method users can use when you configure itAuthentication policyAuthentication policies specify which resources users can authenticate to and which authentication methods they can use (push, QR code, and OTP).in the authentication point. The steps in this integration guide apply to both authentication methods.

This integration has been tested with WatchGuard Dimension's on-premise system v2.2.1.

WatchGuard Dimension on-premise system authentication flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers using the RADIUS protocol. This diagram shows the data flow of an MFA transaction for an on-premise WatchGuard Dimension system.

before you start

Before beginning these procedures, ensure the following:

• A token is assigned to a user in AuthPoint.
• You have installed and configured AuthPoint Gateway v7.0.1 or later. More information (pAbout gateways).
• You have deployed the WatchGuard Dimension on-premises system.
  

Configure the WatchGuard Dimension on-premises system

You must enable and configure RADIUS authentication settings on your local WatchGuard Dimension system.

Configure RADIUS authentication

When configuring the RADIUS authentication server, the timeout value must be greater thanPush TimeoutThe push timeout is the amount of time before a push authentication expires.for AuthPoint (30 seconds).

To configure RADIUS authentication:

1. Log in to the WatchGuard Dimension on-premise system WebUI (https://<IP address of your on-premise WatchGuard Dimension system>).
2. Choose> Access Management.
3. ChooseConstruction.
   The Authentication tab opens by default.



4. To unlock the configuration, click.

5. ChooseEnable RADIUS authenticationcheck box.
6. ImIP address / hostnameText box, clickAdd toto add a RADIUS server.



7. ImIP address or hostnameIn the text box, enter the IP address of the RADIUS (AuthPoint Gateway) server.
8. ImharborText box, leave the default port setting of1812. This is the default port used to communicate with the RADIUS (AuthPoint Gateway) server.

   If you already have a RADIUS server installed that uses port 1812, you must use a different port for the AuthPoint gateway.

   (Video) Demo: WatchGuard AuthPoint and Firebox Integration: Shared Management with WatchGuard Cloud

9. ImsecretandConfirmEnter a shared secret in the text boxes. This key is used to communicate with the RADIUS server (AuthPoint Gateway).
10. To save the RADIUS server settings, clickOK.



11. Imtime outText box, type30.
12. ImrepetitionsandGroup attributeText fields, leave the default values.
13. clickSave on computer.

Add an administrative user

You must add an administrative user whose type isRADIUS-Beuserfor WatchGuard Dimension's on-premises system to integrate with AuthPoint.

To add an administrative user:

1. Log in to the WatchGuard Dimension on-premise system WebUI (https://<IP address of your on-premise WatchGuard Dimension system>).
2. Choose> Access Management.
3. ChooseUsers & Groups.
   The Manage Users and Groups page opens.



See Also
Identifizieren und mindern Sie die Ausnutzung der SSH-Denial-of-Service-Schwachstelle des Cisco Unified Computing System E-Series Cisco Integrated Management Controller
4. To unlock the configuration, click.
5. clickAdd to.



6. ImNameIn the text box, enter a username for the new administration user.
7. ImArtSelect drop down listRADIUS-Beuser.
8. ChooseguidelinesTab.



9. ImRoll)In the text box, select the role for the new administration user. In our example we choose theSuperadministratorRolle.
10. clickSave on computer.

Configure AuthPoint

Before AuthPoint can receive authentication requests from your WatchGuard Dimension on-premises system, you must:

• Specify the WatchGuard Dimension on-premises system as a RADIUS clientResourceIn AuthPoint, resources are the applications and services your users connect to.im AuthPoint.
• Add oneAuthentication policyAuthentication policies specify which resources users can authenticate to and which authentication methods they can use (push, QR code, and OTP).for the RADIUS client resource or add the RADIUS client resource to an existing authentication policy.
• Bind the RADIUS client resource to the AuthPoint gateway.

Add a RADIUS client resource in AuthPoint

From the AuthPoint management UI:

1. Select in the navigation menuresources. clickAdd resource.
   The Add Resource page opens.<![CDATA[ ]]>

2. Of theArtSelect drop down listRADIUS-Client.
   Additional fields are displayed.

3. ImNameEnter a descriptive name for the resource in the text box.
4. ImTrusted IP or FQDN of the RADIUS clientIn the text field, enter the IP address of your local WatchGuard Dimension system.
5. ImSent value for RADIUS attribute 11 (Filter-Id)Select drop down listUser's AuthPoint group.

If you are using an Active Directory group for RADIUS authentication, selectActive Directory groups of the user.

6. Imshared secretIn the text box, enter the shared secret that you provided in theConfigure RADIUS authenticationSection.
7. clickSave on computer.

Add a group in AuthPoint

You must have at least one user group in AuthPoint to configure MFA. If you already have a group, you don't need to add another group.

To add a group to AuthPoint:

1. Select in the navigation menuThe group.
2. clickAdd group.
   The New Group page is displayed.

3. ImNameEnter a descriptive name for the group in the text box.
4. (Optional) ImdescriptionIn the text box, enter a description of the group.

5. clickSave on computer.
   Your group is listed on the Groups page.

Add an authentication policy to AuthPoint

Authentication policies specify which resources users can authenticate to and which authentication methods they can use (push, QR code, and OTP).

WatchGuard Dimension's on-premises system only supports push or OTP authentication. Users cannot choose between the two authentication methods. If you enable both push and OTP authentication methods for a policy, RADIUS client resources use push notifications to authenticate users. To allow users to authenticate with OTP, you only need to select Password and OTP authentication methods.

You must have at least one authentication policy in AuthPoint that includes the RADIUS client resource. If you already have authentication policies, you don't need to create a new authentication policy. You can add this resource to your existing authentication policies.

Users who do not have an authentication policy for a specific resource cannot authenticate to log in to that resource.

To configure an authentication policy:

1. Select in the navigation menuauthentication policies.
2. clickAdd Policy.

3. Enter a name for this policy.
4. Of theSelect authentication optionsSelect drop down listauthentication optionsand choose which authentication options users can choose from when they authenticate.

   When you enable push and OTP authentication methods for a policy, RADIUS client resources associated with that policy use push notifications to authenticate users.

   QR code authentication is not supported for RADIUS client resources.

5. Select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, selectAll groups.
6. Select the resource you created in the previous section. If you want this policy to apply to additional resources, select each resource that this policy applies to. To configure this policy to apply to all resources, selectAll resources.

7. (Optional) If you configured Policy Objects such as a network location, select which Policy Objects apply to this policy. When you add a Policy Object to a policy, the policy applies only to user authentications that match the Policy Objects' conditions. For example, if you add a network location to a policy, the policy applies only to user authentications that originate from that network location. Users who only have a policy that includes a network location will not be granted access to the resource if they authenticate outside of that network location (because they don't have a valid policy, not because authentication is denied).

   (Video) Configure the WatchGuard SSL (TLS) VPN Client with MFA

   For RADIUS authentication, policies with a network location don't apply because AuthPoint doesn't know the IP address of the user.

   When configuring Policy Objects, we recommend that you create a second policy for the same groups and resources without the Policy Objects. The policy with the Policy Objects should have a higher priority.

8. clickSave on computer.
   Your policy is created and added to the bottom of the policy list.

   When creating a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Bind the RADIUS resource to a gateway

To use RADIUS authentication with AuthPoint, you must have the AuthPoint gateway installed on your corporate network and you must allocate your RADIUS resources to the gateway in the AuthPoint management UI. The gateway acts as a RADIUS server.

If you have not already configured and installed the AuthPoint Gateway, seeAbout gateways.

To allocate your RADIUS resources to the gateway:

1. Select in the navigation menuTor.
2. ChooseNamedes Gateways.

3. ImRADIUSsection, inharborIn the text box, enter the port number used to communicate with the gateway. The default ports are 1812 and 1645.

   If you already have a RADIUS server installed that uses port 1812 or 1645, you must use a different port for the AuthPoint Gateway.

4. ImSelect a RADIUS resourceSelect your RADIUS client resource from the drop-down list.
5. clickSave on computer.

Add user to AuthPoint

Before assigning users to a group, you must add the users to AuthPoint. There are two ways to add AuthPoint user accounts:

• Synchronize users from an external user database
• Add local AuthPoint users

Each user must be a member of a group. You must add at least one group before you can add users to AuthPoint.

Test the integration

To test AuthPoint MFA with WatchGuard Dimension's on-premises system, you can authenticate using a mobile token on your mobile device. With a WatchGuard Dimension on-premises system, you can authenticate with a one-time password (OTP) or a push notification.

• If you choose OTP as authentication method, you should enter the password plus OTP as passphrase.
• If you choose Push as the authentication method, users will receive a push notification in the mobile app, which requires them to agree to the authentication.

In this example, we show the push authentication method (users get a push notification in the mobile app that they need to approve to authenticate).

1. Open the WebUI of your WatchGuard Dimension On-Premise system (https://<IP address of your on-premise WatchGuard Dimension system>).
2. Enter your admin username and password.



3. Approve the authentication request sent to your mobile device.
   You are successfully logged in.



(Video) WatchGuard Active Directory Integration Introduction