Authentication Methods for Mobile VPN

Applies To: Cloud-managed Fireboxes

For a cloud-managed Firebox, Mobile VPN supports these user authentication methods.

Firebox authentication (Firebox-DB)

With this method, the Firebox uses its built-in authentication server to authenticate Mobile VPN users. To use this method, you add users and groups in the Firebox authentication settings.

RADIUS

With this method, the Firebox uses a RADIUS server to authenticate Mobile VPN users. To use this method, you add a RADIUS Authentication Domain to WatchGuard Cloud and to your Firebox, and then you add users and groups for authentication.

Active Directory

With this method, the Firebox uses an Active Directory server to authenticate Mobile VPN with SSL users. To use this method, you add the Active Directory Authentication Domain to WatchGuard Cloud and to your Firebox, and then you add users and groups for authentication.

Mobile VPN with IKEv2 supports Active Directory authentication only through a RADIUS server. You must configure RADIUS authentication so that the RADIUS server can pass the Active Directory credentials through to Active Directory on behalf of the VPN.

AuthPoint

With this method, the Firebox authenticates Mobile VPN users with AuthPoint, the WatchGuard multi-factor authentication (MFA) service.

To use AuthPoint for Mobile VPN user authentication on a cloud-managed Firebox, you must first add the Firebox as an AuthPoint resource, which requires Fireware v12.7 or higher.

SAML

With this method, you use a Security Assertion Markup Language (SAML) authentication domain to authenticate users with your Firebox. With SAML, you can exchange data between an identity provider (IdP) and a Service Provider (SP).

In the SAML configuration on the Firebox, you configure the Firebox as the SP and a third-party service as the IdP.

Configure Firebox Authentication

Before you can add Firebox-DB users to the Mobile VPN with IKEv2 or Mobile VPN with SSL configurations, you must add them to the Firebox authentication database (Firebox DB). For more information, see Configure Firebox Database User Authentication.

Configure RADIUS Authentication

To configure Mobile VPN with IKEv2 or Mobile VPN with SSL to authenticate users with a RADIUS server, you must complete these steps:

Configure the Authentication Domain in WatchGuard Cloud:

  1. In WatchGuard Cloud Shared Configurations, add an authentication domain for your RADIUS server. For more information, see Add an Authentication Domain to WatchGuard Cloud.
  2. In the authentication domain, add users and groups that exist on your RADIUS server. For more information, see Add Users, Groups, and Devices to an Authentication Domain.

Configure Firebox Authentication Settings:

  1. In the Firebox Authentication settings, add the authentication domain. For more information, see Add an Authentication Domain to a Firebox.
  2. In the Firebox Mobile VPN with IKEv2 or Mobile VPN with SSL configuration, add the authentication domain and add the users and groups you want to connect through Mobile VPN. For more information, see Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox and Configure Mobile VPN with SSL for a Cloud-Managed Firebox.

Configure Active Directory Authentication

To configure Mobile VPN with SSL to authenticate users with an Active Directory server, you must complete these steps:

Configure the Authentication Domain in WatchGuard Cloud:

  1. In WatchGuard Cloud Shared Configurations, add an authentication domain for your Active Directory server. For more information, see Add an Authentication Domain to WatchGuard Cloud.
  2. In the authentication domain, add users and groups that exist on your Active Directory server. For more information, see Add Users, Groups, and Devices to an Authentication Domain.

Configure Firebox Authentication Settings:

  1. In the Firebox Authentication settings, add the authentication domain. For more information, see Add an Authentication Domain to a Firebox.
  2. In the Mobile VPN with SSL configuration, add the authentication domain and add the users and groups you want to connect through Mobile VPN. For more information, see Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox and Configure Mobile VPN with SSL for a Cloud-Managed Firebox.

Configure AuthPoint Authentication

To configure Mobile VPN with IKEv2 or Mobile VPN with SSL to authenticate users with AuthPoint, you must complete these steps:

Configure AuthPoint:

  1. Add users and groups in AuthPoint. For more information, see Add User Accounts and Add AuthPoint Groups.
  2. Add your cloud-managed Firebox as a Firebox resource in AuthPoint. For more information, see Configure MFA for a Firebox.
  3. Add one or more authentication policies for the Firebox resource. For more information, see About AuthPoint Authentication Policies.

Configure Firebox Authentication Settings:

  1. In the Firebox Mobile VPN with IKEv2 or Mobile VPN with SSL configuration, on the Add Authentication Domains page, select AuthPoint.
  2. Select or add the AuthPoint users and groups you want to connect through Mobile VPN. For more information, see Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox and Configure Mobile VPN with SSL for a Cloud-Managed Firebox.

Configure SAML Authentication

To configure the Mobile VPN with SSL client to authenticate users with a SAML domain, you must complete these steps in WatchGuard Cloud:

  1. Add a SAML authentication domain. For more information, see Add an Authentication Domain to a Firebox.
  2. Add users and groups to the identity provider account. For example, if you use Azure Active Directory as your identity provider, users can then use their Azure Active Directory credentials and the Mobile VPN with SSL client to log in to the Firebox.
  3. Configure the Mobile VPN with SSL client with the SAML authentication domain and the users and groups you want to connect through Mobile VPN. For more information, see Configure Mobile VPN with SSL for a Cloud-Managed Firebox.

User Groups

In the Mobile VPN with IKEv2 configuration for a cloud-managed Firebox, there is one default user group, IKEv2-Users. This group allows members of the group to authenticate from any authentication domain. All users and groups you add to the Mobile VPN with IKEv2 configuration are also added to the IKEv2-Users group.

In the Mobile VPN with SSL configuration for a cloud-managed Firebox, there is one default user group, SSLVPN-Users. This group allows members of the group to authenticate from any authentication domain. All users and groups you add to the Mobile VPN with SSL configuration are also added to the SSLVPN-Users group.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

Manage Device Configuration Deployment

About Mobile VPN for a Cloud-Managed Firebox