Okta and Firebox Mobile VPN with IPSec Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to set up multi-factor authentication (MFA) for Mobile VPN with IPSec. Your WatchGuard Firebox must already be configured and deployed before you set up MFA with Okta.

Your WatchGuard Firebox can be configured to support MFA in several modes. For this integration, we set up RADIUS with Okta.

For RADIUS authentication, users can authenticate with a push notification or a time-based one-time password (TOTP). The steps in this integration guide cover both authentication methods.

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.7.1
  • Okta RADIUS Server Agent 2.15.1 or higher

Topology

This topology diagram shows the data flow for multi-factor authentication with a WatchGuard Firebox and Okta.

Topology diagram

Before You Begin

Before you begin, make sure that:

  • Your test user is enrolled in Okta Verify on a mobile device (a token is assigned to the user)
  • You have installed and configured the Okta RADIUS Server Agent on a host that the Firebox can reach on UDP port 1812

Configure the Firebox

You must configure the RADIUS authentication settings and enable Mobile VPN with IPSec on your Firebox.

Configure RADIUS Authentication

When a user authenticates with Okta MFA, Okta does not send a response to the Firebox until the user approves the push notification or until the push authentication expires.

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page opens.

Screenshot of Firebox, diagram1

  3. From the Authentication Servers list, click RADIUS.
    The RADIUS page opens.
  4. Click Add.
    The Add page opens.
  5. In the Domain Name text box, type the domain name for this RADIUS server. Users must specify this domain name on the user login page. You cannot change the domain name after you save the settings.
  6. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  7. In the IP Address text box, type the IP address of the RADIUS server (the host where the Okta RADIUS Server Agent runs).
  8. In the Port text box, keep the default port setting of 1812. This is the default UDP port used for communication with the RADIUS server (the Okta RADIUS Server Agent), and it must match the UDP Port you configure later in the Okta RADIUS application.
  9. In the Shared Secret and Confirm Secret text boxes, type a shared secret key. This key authenticates communication between the Firebox and the RADIUS server (the Okta RADIUS Server Agent), and you must type the same value in the Okta RADIUS application. Use a long, random value: RADIUS only obscures the User-Password attribute with an MD5 keystream derived from this secret, so the secret and the network path between the Firebox and the agent are all that protect the user's password in transit.
  10. In the Timeout text box, type 60. This is how long, in seconds, the Firebox waits for a RADIUS response. A long value is required because the Okta RADIUS Server Agent does not respond until the user approves the push notification or the push expires.
  11. Keep the default value for Group Attribute (11, Filter-Id). This must match the RADIUS attribute that Okta uses to return group membership.

Screenshot of Firebox, diagram2

  12. Click Save.

Configure Mobile VPN with IPSec

  1. Select VPN > Mobile VPN.
  2. In the IPSec section, click Configure.

Screenshot of Firebox, diagram3

  3. Click Add to add a new group.
  4. In the Name text box, type a group name that matches the name of the Okta group or Active Directory group that your users belong to. The Firebox compares this name with the group membership that Okta returns in the RADIUS response, so the two names must match exactly or users in the group cannot connect.
  5. From the Authentication Server drop-down list, select the RADIUS authentication server that you created. In our example, the server name is Radius-Server.
  6. In the Passphrase and Confirm text boxes, type a passphrase to encrypt the mobile VPN profile (.wgx file) that you distribute to users in this group. The passphrase can include only standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users. Send the passphrase to users separately from the profile file.
  7. In the Primary text box, type the external IP address of the Firebox that the VPN client connects to.

Screenshot of Firebox, diagram4

  8. Select the Resources tab.
  9. Select the Allow All Traffic Through Tunnel check box. With this setting, all traffic from the VPN client goes through the tunnel and is subject to the Firebox policies.

Screenshot of Firebox, diagram5

  10. In the Virtual IP Address Pool section, click Add.
  11. From the Choose Type drop-down list, select Host Range IPv4.
  12. In the From and To text boxes, type the range of virtual IP addresses that the Firebox assigns to connected clients. The range should be within the subnet of your Firebox interface, and the IP addresses in the virtual IP address pool cannot be used for anything else on your network.
  13. Click OK.

Screenshot of Firebox, diagram6

  14. Click Save.
  15. In the Groups list, select the group.
  16. From the Client drop-down list, select WatchGuard Mobile VPN.
  17. Click Generate and save the <group name>.ini file.

Screenshot of Firebox, diagram7

Configure Okta

Configure Multifactor

  1. Log in to the Okta Admin Console.
  2. Select Security > Multifactor > Factor Types > Okta Verify.
  3. Set the status to Active.
  4. In the Okta Verify Settings section, click Edit.
  5. Select the Enable Push Notification check box.
  6. (Optional) Select the Require Touch ID or Face ID for Okta Verify (only on iOS) check box.
  7. Click Save.

Screenshot of Okta, diagram1

  8. Select the Factor Enrollment tab.
  9. Select the Default Policy and click Edit.
  10. From the Okta Verify drop-down list, select Required.
  11. Click Update Policy.

Screenshot of Okta, diagram2

Add an Okta Group and User

  1. Select Directory > Groups > Add Group.
  2. In the Name text box, type a group name.

Screenshot of Okta, diagram3

  3. Click Add Group.
  4. To add a user in Okta, select Directory > People > Add Person.
    You can add your own user information.

Screenshot of Okta, diagram4

  5. Click Save.

You can import users and groups from Active Directory to Okta. For information about how to import, see the Okta documentation.

Configure RADIUS Application

  1. Select Applications > Applications > Browse App Catalog.

Screenshot of Okta, diagram5

  2. In the Browse App Integration Catalog section, search for RADIUS Application and click Add.
  3. In the Application label text box, type a descriptive name.

Screenshot of Okta, diagram6

  4. Click Next.
  5. In the UDP Port text box, type 1812. This must match the port you configured on the Firebox.
  6. In the Secret Key text box, type the same shared secret key that you configured on the Firebox. This is the password that the RADIUS server (the Okta RADIUS Server Agent) and the RADIUS client (the Firebox) use to authenticate their communication.
  7. From the Application username format drop-down list, select the user name format. In our example, we select Email. Users must type their user name in this format in the VPN client.
  8. Keep the default values for all other settings.

Screenshot of Okta, diagram7

  9. Click Done.
  10. Select the Sign On tab.
  11. In the Advanced RADIUS Settings section, click Edit.

Screenshot of Okta, diagram8

  12. In the Groups Response section, select the Include groups in RADIUS response check box.
  13. From the RADIUS attribute drop-down list, select 11 Filter-Id. This matches the default Group Attribute on the Firebox.
  14. In the Group memberships to return text box, type and select the group. The Firebox only allows a user to connect when one of the returned group names matches the Mobile VPN with IPSec group you configured on the Firebox.

Screenshot of Okta, diagram9

  15. (Optional) In the Authentication section, select the Accept password and security token in the same login request check box.
  16. (Optional) Select the Permit Automatic Push for Okta Verify Enrolled Users check box.
  17. (Optional) Select the Send Access-Challenge for MFA-only logins check box.
  18. (Optional) Select the Enable UPN or SAM account Name Login check box.
  19. Keep the default values for all other settings. With the defaults, the agent verifies the password first, returns a RADIUS Access-Challenge, and the VPN client then prompts the user to select a factor or type a passcode, which is the flow used in the Test the Integration section.

Screenshot of Okta, diagram10

  20. Click Save.
  21. Select the Assignments tab.
  22. Select Assign > Assign to Groups.
    If you select Assign to People instead, each user must also belong to the group you configured in the Groups Response section, otherwise the RADIUS response does not contain a group name that matches the Firebox group.
  23. Select the group and click Assign.
  24. Click Done.

Screenshot of Okta, diagram11

By default, the Okta RADIUS Server Agent sends a RADIUS session timeout of 60 seconds, so the VPN connection might be disconnected within about two minutes. To solve this problem, add the ragent.mfa.timeout.seconds parameter to the Okta RADIUS agent config.properties file. For information about how to configure the parameter, see Configure properties in the Okta documentation.

Test the Integration

To test the integration of Okta and WatchGuard Mobile VPN with IPSec, you authenticate with Okta Verify on your mobile device. For RADIUS resources, you can authenticate with a push notification or with a time-based one-time password (TOTP).

To authenticate with push:

  1. Open your WatchGuard Mobile VPN with IPSec client.
  2. Select Configuration > Profiles.
  3. Click Add / Import.
  4. Select Profile Import and click Next.
  5. Select the <group name>.ini file that you generated at the end of the Configure Mobile VPN with IPSec section, and click Next to finish.
  6. Select your profile as the default.
  7. Click OK.
  8. Select Connection > Connect.
  9. Type your Okta user name (in the format you selected in the RADIUS application, Email in our example) and password.
  10. Click OK.

Screenshot of IPSec client, diagram1

  11. When the client prompts you to select an authentication factor, type 1 to select the Okta Verify push notification.
  12. Click OK.
  13. Approve the authentication request that is sent to your mobile device.
    You are connected successfully.

Screenshot of IPSec client, diagram2

To authenticate with a TOTP:

  1. Open your WatchGuard Mobile VPN with IPSec client.
  2. Select Connection > Connect.
  3. Type your Okta user name and password.
  4. Click OK.

Screenshot of IPSec client, diagram1

  5. When the client prompts you to select an authentication factor, type the passcode shown in the Okta Verify mobile app instead of a factor number.
  6. Click OK.
    You are connected successfully.
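The following is an added example, not code from the WatchGuard guide, the Firebox, or the Okta RADIUS Server Agent. It models the RADIUS exchange behind the push and TOTP logins tested above and behind the Firebox and Okta settings configured earlier: a Firebox-side PAP client that obscures the password with the shared secret (RFC 2865), an in-memory stand-in for the Okta agent that verifies the password, returns an Access-Challenge with a State attribute, accepts a factor number or a passcode on the second request, and returns group membership in Filter-Id (attribute 11), and a Firebox-side check that the Response Authenticator is valid and that a returned group matches the Mobile VPN group name. The shared secret, user accounts, passwords, passcodes, group names and the agent's prompt text are constructed values, and returning one Filter-Id attribute per group is an assumption of this example, not a statement about the real agent.

```python
# Added example (not WatchGuard's or Okta's code): a minimal RFC 2865 RADIUS PAP
# exchange, in memory, between a Firebox-side client and a stand-in for the Okta
# RADIUS Server Agent. Secret, users, passcodes and group names are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE, STATE = 1, 2, 11, 18, 24
SHARED_SECRET = b"example-shared-secret-change-me"  # same value on Firebox and in Okta
FIREBOX_GROUP = "VPN-Users"  # name of the Mobile VPN with IPSec group on the Firebox
OKTA_USERS = {  # stand-in for the Okta directory: password, factors, group memberships
    "alice@example.com": {"password": "Correct-Horse", "totp": "123456", "push_approved": True, "groups": ["VPN-Users"]},
    "bob@example.com": {"password": "Battery-Staple", "totp": "654321", "push_approved": True, "groups": ["Staff"]},
}
PENDING = {}  # State attribute -> user name waiting for the second factor

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    raw = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(raw), 16):
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(enc, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = enc[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Requests carry a random authenticator; responses carry MD5(header + request auth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = authenticator if secret is None else hashlib.md5(header + authenticator + body + secret).digest()
    return header + auth + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def verify_response(pkt, request_auth, secret):
    """Firebox side: trust a response only if its Response Authenticator checks out."""
    length = struct.unpack("!H", pkt[2:4])[0]
    return pkt[4:20] == hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()

def okta_agent(pkt, secret=SHARED_SECRET):
    """Stand-in for the agent: verify the password, challenge for a factor, return groups as Filter-Id."""
    _, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    answer = pap_decrypt(a[USER_PASSWORD], secret, req_auth)
    if STATE not in a:  # first leg: User-Password carries the Okta password
        user = a[USER_NAME].decode()
        rec = OKTA_USERS.get(user)
        if rec is None or answer != rec["password"]:
            return build_packet(ACCESS_REJECT, ident, req_auth, [], secret)
        state = os.urandom(8)
        PENDING[state] = user
        menu = b"1. Okta Verify Push\n2. Okta Verify TOTP\nOr enter a passcode"  # constructed prompt
        return build_packet(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, menu), (STATE, state)], secret)
    rec = OKTA_USERS.get(PENDING.pop(a[STATE], None))  # second leg: factor choice or passcode
    if rec is None or not ((answer == "1" and rec["push_approved"]) or answer == rec["totp"]):
        return build_packet(ACCESS_REJECT, ident, req_auth, [], secret)
    return build_packet(ACCESS_ACCEPT, ident, req_auth, [(FILTER_ID, g.encode()) for g in rec["groups"]], secret)

def firebox_login(user, password, second_factor, secret=SHARED_SECRET):
    """Firebox side of the exchange. Returns (allowed, group names Okta returned)."""
    code, attrs, state = None, [], None
    for ident, answer in enumerate((password, second_factor), start=1):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_password(answer, secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))  # State must be echoed back unchanged
        resp = okta_agent(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(resp, req_auth, secret):
            return False, []  # wrong shared secret, or a spoofed/tampered response
        code, _, _, attrs = parse_packet(resp)
        if code != ACCESS_CHALLENGE:
            break
        state = dict(attrs)[STATE]
    groups = [v.decode() for t, v in attrs if t == FILTER_ID]
    # The Firebox admits the user only when a returned group matches its VPN group name.
    return code == ACCESS_ACCEPT and FIREBOX_GROUP in groups, groups

if __name__ == "__main__":
    print(firebox_login("alice@example.com", "Correct-Horse", "1"), firebox_login("bob@example.com", "Battery-Staple", "1"))
```

Running it shows the three outcomes that matter when troubleshooting this integration: alice is allowed because Okta returns VPN-Users in Filter-Id; bob authenticates with Okta (password plus approved push) but is refused by the Firebox because Filter-Id carries Staff, which is the failure you get when the Firebox group name and the Okta Group memberships to return setting do not agree; and a mismatched shared secret fails both the password check on the agent side and the Response Authenticator check on the Firebox side. The second request carries the factor choice or passcode in User-Password together with the State attribute from the Access-Challenge, which is why the Firebox RADIUS timeout has to cover the time the user takes to respond on the phone.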