Configure VASCO Server Authentication
VASCO server authentication uses the IDENTIKEY Authentication Server (IAS) to authenticate remote users on a company network through a RADIUS or web server environment. VASCO also supports multiple authentication server environments. The VASCO one-time password token system enables you to eliminate the weakest link in your security infrastructure—the use of static passwords.
To use VASCO server authentication with your Firebox, you must:
- Add the IP address of the Firebox to the VASCO IDENTIKEY Authentication Server configuration, as described in the documentation from your VASCO vendor.
- Enable and specify the VASCO IDENTIKEY Authentication Server in your Firebox configuration.
- Add user names or group names to your policies.
To configure VASCO server authentication, use the RADIUS server settings. The Authentication Servers dialog box does not have a separate tab for VASCO servers.
VASCO is a WatchGuard Technology Partner. For a VASCO IDENTIKEY Authentication Server integration guide, see the Technology Partners page, at http://watchguard.com/wgrd-partners/technology-partners.
From Fireware Web UI:
1. Select Authentication > Servers.
   The Authentication Servers page appears.
2. From the Server list, select RADIUS.
   The RADIUS server settings appear.
3. To enable the IDENTIKEY Authentication Server, select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the IDENTIKEY Authentication Server.
5. In the Port text box, make sure that the port number IAS uses for authentication appears. The default port number is 1812.
6. In the Passphrase text box, type the shared secret between the device and the IDENTIKEY Authentication Server.
   The shared secret is case-sensitive, and it must be the same on the Firebox and the IDENTIKEY Authentication Server. The shared secret cannot consist only of space characters.
7. In the Confirm text box, type the shared secret again.
8. In the Timeout text box, type the amount of time the device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type the number of times the device tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is VASCO attribute 11.
   The Group Attribute value sets which attribute carries the user group information. You must configure the IDENTIKEY Authentication Server to include the Filter ID string (for example, engineerGroup or financeGroup) in the user authentication message it sends to the device. The device uses this information for access control: it matches the FilterID string to the group name configured in the device policies.
11. In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list to change the duration.
   After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try to connect to this server until it is marked as active again.
12. To add a backup IDENTIKEY Authentication Server, in the Secondary Server Settings section, select the Enable Secondary RADIUS Server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary IDENTIKEY Authentication Server.
   For more information, see Use a Backup Authentication Server.
14. Click Save.
From Policy Manager:
1. Click the icon, or select Setup > Authentication > Authentication Servers.
   The Authentication Servers dialog box appears.
2. Select the RADIUS tab.
3. To enable the IDENTIKEY Authentication Server, select the Enable RADIUS server check box.
4. In the IP Address text box, type the IP address of the IDENTIKEY Authentication Server.
5. In the Port text box, make sure that the port number VASCO uses for authentication appears. The default port number is 1812.
6. In the Secret text box, type the shared secret between the device and the IDENTIKEY Authentication Server.
   The shared secret is case-sensitive, and it must be the same on the device and the IDENTIKEY Authentication Server. The shared secret cannot consist only of space characters.
7. In the Confirm Secret text box, type the shared secret again.
8. In the Timeout text box, type or select the amount of time the device waits for a response from the authentication server before it tries to connect again.
9. In the Retries text box, type or select the number of times the device tries to connect to the authentication server before it reports a failed connection for one authentication attempt.
10. Type or select the Group Attribute value. The default group attribute is FilterID, which is VASCO attribute 11.
   The Group Attribute value sets which attribute carries the user group information. You must configure the VASCO server to include the Filter ID string (for example, engineerGroup or financeGroup) in the user authentication message it sends to the device. The device uses this information for access control: it matches the FilterID string to the group name configured in the device policies.
11. In the Dead Time text box, type or select the amount of time after which an inactive server is marked as active again. Select minutes or hours from the drop-down list to change the duration.
   After an authentication server has not responded for a period of time, it is marked as inactive. Additional authentication attempts do not try to connect to this server until it is marked as active again.
12. To add a backup IDENTIKEY Authentication Server, select the Backup Server Settings tab, and select the Enable a backup RADIUS server check box.
13. Repeat Steps 4–11 to configure the backup server. Make sure the shared secret is the same on the primary and secondary IDENTIKEY Authentication Server.
   For more information, see Use a Backup Authentication Server.
14. Click OK.
15. Save the Configuration File.
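The Group Attribute and shared-secret steps above (both procedures) describe what the device does with the server's reply. The following is an added example, not code from this page or from WatchGuard: it verifies a RADIUS Access-Accept against the shared secret (the Response Authenticator is MD5 over the reply header, the request authenticator, the attributes and the secret) and matches every Filter-Id (attribute 11) value against the group names configured in policies. The packet, secret, request authenticator and group names are constructed for illustration, and exact-string group matching is an assumption.

```python
import hashlib
import hmac
import struct

FILTER_ID = 11      # RADIUS attribute type selected by the Group Attribute setting
ACCESS_ACCEPT = 2   # RADIUS code for an Access-Accept reply


def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept the way a RADIUS server would, so that the
    parser below has a realistic, constructed packet to check against."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_access_accept(packet, request_auth, secret):
    """Return the Filter-Id strings from a verified Access-Accept, or None
    when the reply is not an Access-Accept, is malformed, or was not
    produced with the same shared secret the device holds."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        return None
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None  # shared-secret mismatch: treat the reply as untrusted
    groups, pos = [], 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None  # malformed attribute length
        if atype == FILTER_ID:
            groups.append(body[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return groups


def groups_allowed(packet, request_auth, secret, policy_groups):
    """Return the Filter-Id values that match a policy group name (exact match
    assumed here); an empty set means the user gets no group-based access."""
    groups = parse_access_accept(packet, request_auth, secret)
    return {g for g in groups or [] if g in policy_groups}


# Constructed sample: one reply carrying two Filter-Id strings.
SAMPLE_REQ_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REPLY = build_access_accept(7, SAMPLE_REQ_AUTH, SAMPLE_SECRET,
                                   [(FILTER_ID, b"engineerGroup"),
                                    (FILTER_ID, b"financeGroup")])
```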