About Mobile VPN with IKEv2 User Authentication

When you configure Mobile VPN with IKEv2, you select authentication servers and configure users and groups for authentication. The users and groups you specify must exist on the selected authentication server.

Authentication Methods

Mobile VPN with IKEv2 supports these authentication methods:

Local authentication on the Firebox (Firebox-DB)

You can use the local authentication server on the Firebox for IKEv2 user authentication. If you use Firebox-DB for authentication, you must use the IKEv2-Users group that is created by default when you configure Mobile VPN with IKEv2. You can also add other users and groups in the IKEv2 configuration. The users and groups you add to the IKEv2 configuration are automatically included in the IKEv2-Users group.

RADIUS

You can use a RADIUS server for IKEv2 user authentication. If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

On your RADIUS server, you must configure the Firebox as a RADIUS client and configure other settings. To configure NPS, which is the Microsoft implementation of RADIUS, go to Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base.

On the Firebox, you must configure the RADIUS server, select RADIUS as the authentication method for Mobile VPN with IKEv2, and add the users and groups from your Active Directory database to the Mobile VPN with IKEv2 configuration. You can use the default IKEv2-Users group (if you also add that group on the RADIUS authentication server), or you can add the names of users and groups that exist in the RADIUS authentication server database.

AuthPoint

In Fireware v12.7 or higher, you can select AuthPoint as an authentication server in the Mobile VPN with IKEv2 configuration. For more information, go to the Multi-Factor Authentication section on this page.

To configure authentication settings in the Mobile VPN with IKEv2 configuration, and to add users and groups, go to Edit the Mobile VPN with IKEv2 Configuration.

Multi-Factor Authentication

Mobile VPN with IKEv2 supports multi-factor authentication for MFA solutions that support MS-CHAPv2.

AuthPoint MFA

AuthPoint, the cloud-based MFA service from WatchGuard, supports MS-CHAPv2 authentication.

Fireware v12.7 or higher — You can configure the Firebox to forward authentication requests for IKEv2 VPN users directly to AuthPoint. After you configure the required settings in AuthPoint, AuthPoint appears in the authentication server list on the Firebox. In the Mobile VPN IKEv2 configuration, you must select AuthPoint as an authentication server. This integration supports MS-CHAPv2 authentication for Active Directory users. For a configuration example, see the Firebox Mobile VPN with IKEv2 Integration with AuthPoint integration guide.

If you configured Mobile VPN with IKEv2 for AuthPoint MFA in Fireware v12.6.x or lower, you can keep that integration in place while you configure an updated integration in Fireware v12.7 or higher. For configuration conversion information, go to the "Convert Configurations from Fireware 12.6.x or Lower" section in Configure MFA for a Firebox.

Fireware v12.6.4 or lower — On the Firebox, you must specify a RADIUS server in the Mobile VPN with IKEv2 configuration. AuthPoint does not appear in the list of authentication servers on the Firebox. For a configuration example, go to the Firebox Mobile VPN with IKEv2 Integration with AuthPoint integration guide.

To authenticate mobile users who have third-party IKEv2 VPN clients, go to Mobile VPN with IKEv2 Integration with AuthPoint.

For general information about the AuthPoint MFA workflow for Mobile VPN with IKEv2, go to Configure MFA for a Firebox.

Android users who connect through the strongSwan VPN client receive AuthPoint push notifications only if you configure strongSwan for split tunneling. When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts. To configure split tunneling in strongSwan, see the documentation provided by strongSwan.

Third-Party MFA

For information about third-party MFA implementation, go to Use Multi-Factor Authentication (MFA) with Mobile VPNs.

Related Topics

RADIUS Authentication with Active Directory For Mobile VPN Users

Configure RADIUS Server Authentication

Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2