Configure RADIUS Authentication with Active Directory for Mobile VPN with L2TP
You can configure the Firebox to authenticate L2TP users with your RADIUS and Active Directory servers. You must complete these steps:
- Configure your RADIUS server
- Configure your Active Directory server
- Configure the Firebox for RADIUS Authentication with Active Directory
Configure RADIUS and Active Directory Servers
Before you configure your Firebox to use your Active Directory and RADIUS servers to authenticate your Mobile VPN with L2TP users, make sure that the settings described in this section are configured on your RADIUS and Active Directory servers.
NPS is the Microsoft implementation of RADIUS.
- In Windows Server Manager, install Network Policy Server, which is part of the Network Policy and Access Services role.
- Register the NPS server in Active Directory so that NPS has permissions to access Active Directory user account credentials.
- Add your Firebox as a RADIUS client. You must include the IP address of your Firebox, specify the RADIUS Standard vendor, and set a manual shared secret for the RADIUS client and Firebox.
- Configure the default Connection Request Policy with these settings:
  - Specify unencrypted authentication (PAP or SPAP).
  - Add the attribute Filter-ID to the policy and specify L2TP-Users as the value.
  - Specify Access granted as the access permissions for the policy, and do not specify an EAP type.
  - In the settings for Connections to other access servers, grant access.
For step-by-step instructions, go to Configure Windows Server 2022, 2019, 2016, or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base.
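The RADIUS exchange that these NPS settings produce, as an added example that is not WatchGuard's code and not part of the original page: a PAP Access-Request as the Firebox (the RADIUS client) sends it, a constructed Access-Accept standing in for NPS with Filter-Id set to L2TP-Users, and the check a RADIUS client performs on the reply before it maps the user into the L2TP-Users group. The shared secret, user name, password and Request Authenticator are constructed values. It shows why the manual shared secret matters with PAP: the password is obfuscated only by MD5 of the secret and the 16-byte Request Authenticator (RFC 2865), and the Response Authenticator is the only thing that ties an Access-Accept to that secret.

```python
import hashlib
import struct

# RFC 2865 packet codes and the attribute types this configuration relies on
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

def pap_encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. Nothing else protects it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request as the Firebox sends it for a PAP login (constructed values)."""
    enc = pap_encode_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([USER_PASSWORD, 2 + len(enc)]) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(ident, request_auth, secret, filter_id=b"L2TP-Users"):
    """Constructed Access-Accept standing in for NPS, carrying Filter-Id (type 11)."""
    attrs = bytes([FILTER_ID, 2 + len(filter_id)]) + filter_id
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(data):
    attrs = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2:
            break  # malformed length, stop rather than loop forever
        attrs.setdefault(atype, []).append(data[2:alen])
        data = data[alen:]
    return attrs

def accept_grants_group(response, request_auth, secret, group=b"L2TP-Users"):
    """The client-side check before mapping the user into the L2TP-Users group: the
    Response Authenticator matches our secret and request, the code is Access-Accept,
    and Filter-Id names the group configured on the Firebox."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    if response[4:20] != expected or code != ACCESS_ACCEPT:
        return False
    return group in parse_attributes(body).get(FILTER_ID, [])
```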
When you configure these settings for your Active Directory server, you enable your RADIUS server to contact your Active Directory server for the user credentials and group information stored in your Active Directory database.
- In Active Directory Users and Computers on your Active Directory server, make sure that the remote access permissions are configured to Allow access to users.
- Register NPS or IAS to your Active Directory server.
For complete instructions to configure your RADIUS server or Active Directory server, see the vendor documentation for each server.
Configure the Firebox for RADIUS Authentication with Active Directory
Before your L2TP users can authenticate to your network with their Active Directory credentials, you must enable your Firebox to use a RADIUS server for Mobile VPN with L2TP authentication.
Before you configure the Mobile VPN with L2TP settings, make sure that you have added your RADIUS server to the Authentication Servers list on your Firebox. The RADIUS server must have the same IP address and shared secret that you specified when you configured the NPS or IAS settings for your RADIUS server.
For more information about how to add a RADIUS authentication server, go to Configure RADIUS Server Authentication.
Configure Mobile VPN with L2TP Settings
By default, Firebox-DB is the selected server for authentication. When you configure Mobile VPN to use your RADIUS server, you can keep Firebox-DB as a secondary authentication database for use if the RADIUS server is not available.
Fireware v12.5 or Higher
- Select VPN > Mobile VPN.
- In the L2TP section, click Configure.
The Mobile VPN with L2TP configuration page appears.
- Select the Authentication tab.
- From the Authentication Server drop-down list, select the RADIUS server.
- Click Add.
- To make the RADIUS server the primary server, select the RADIUS server and click Move Up.
- To only use the RADIUS server for authentication, select the Firebox-DB server and click Remove.
- In the Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server for L2TP users and groups can be Any or RADIUS.
- Select VPN > Mobile VPN > L2TP.
The Mobile VPN with L2TP Configuration dialog box appears.
- Select the Authentication tab.
- In the Authentication Server list, select the check box for your RADIUS server.
- If the RADIUS server is not the first server in the Authentication Server list, select the server and click Make Default.
The RADIUS server moves to the top of the list.
- To only use the RADIUS server for authentication, clear the Firebox-DB check box.
- In the Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server for L2TP users and groups can be Any or RADIUS.
Fireware v12.4.1 or Lower
- Select VPN > Mobile VPN with L2TP.
- Click Configure.
The Mobile VPN with L2TP page appears.
- Select the Authentication tab.
- In the Authentication Server list, select the check box for your RADIUS server.
- If the RADIUS server is not the first server in the Authentication Server list, click Make Default.
The RADIUS server moves to the top of the list.
- To only use the RADIUS server for authentication, clear the Firebox-DB check box.
- In the Authentication Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server can be Any or RADIUS.
- Make any additional changes to the Mobile VPN with L2TP configuration.
- Select VPN > Mobile VPN > L2TP > Configure.
The Mobile VPN with L2TP Configuration dialog box appears.
- Select the Authentication tab.
- In the Authentication Server list, select the check box for your RADIUS server.
- If the RADIUS server is not the first server in the Authentication Server list, click Make Default.
The RADIUS server moves to the top of the list.
- To only use the RADIUS server for authentication, clear the Firebox-DB check box.
- In the Authorized Users and Groups list, make sure the L2TP-Users group appears.
The Authentication Server can be Any or RADIUS.
- Make any additional changes to the Mobile VPN with L2TP configuration.
For more information about how to configure the settings for Mobile VPN with L2TP, go to Edit the Mobile VPN with L2TP Configuration.