Add an Authentication Domain to WatchGuard Cloud

An authentication domain is a domain associated with one or more external authentication servers. In WatchGuard Cloud, you can add your authentication domain, and specify authentication servers, users, and groups. The authentication domain is a shared configuration that you can use for multiple cloud-managed devices.

You can also add WatchGuard Cloud-hosted users and groups to the WatchGuard Cloud Directory. For more information, go to About the WatchGuard Cloud Directory.

To add an authentication domain, from WatchGuard Cloud:

  1. If you are a Service Provider, select the name of the managed subscriber account.
  2. Select Configure > Directories and Domain Services.
    The Authentication Domains page opens.
  3. Click Add Authentication Domain.
    The Add Authentication Domain page opens.
  4. Select whether you want to add the WatchGuard Cloud Directory or an external directory. If you have already added the WatchGuard Cloud Directory, you do not see this page.

    The WatchGuard Cloud Directory is an authentication domain where you add users and groups that are hosted in WatchGuard Cloud. If you select this option, no additional steps are required.

  5. Click Next.
  6. Select the authentication domain type.
  7. Configure the settings for the selected server type.

After you add the authentication domain, you can add users, groups, and additional servers.

Configure RADIUS Server Settings

To configure settings for a RADIUS server:

  1. In the Add servers settings, select RADIUS.
  2. In the Domain Name text box, type the domain name to add. The domain name must include a domain suffix. For example, type example.com, not example.
  3. From the RADIUS Server Type drop-down list, select RADIUS Authentication Server.

For access points, you can also add a RADIUS Accounting Server. A RADIUS accounting server monitors RADIUS traffic and collects data about client sessions, such as when sessions begin and end. Make sure you add a RADIUS authentication server to the authentication domain before you add a RADIUS accounting server. In many deployments, the Authentication and Accounting services are on the same RADIUS server and run on different ports.

  4. From the Type drop-down list, select the Host IPv4 or Host IPv6 IP address type.
  5. In the IP Address text box, type the IP address of the RADIUS server.
  6. In the Port text box, type the port number RADIUS uses for authentication. Most RADIUS servers use port 1812 by default (older RADIUS servers might use port 1645). Most RADIUS accounting servers use port 1813.
  7. In the Shared secret text box, type the shared secret for connections to the RADIUS server.
  8. In the Confirm shared secret text box, type the shared secret again.
  9. Click Save.

Make sure your RADIUS server is also configured to accept connections from each cloud-managed Firebox or access point as a RADIUS client.

Additional RADIUS Server Options

After you have configured and saved your RADIUS server basic settings, you can also configure these additional options:

  • Timeout (Seconds) — In the Timeout text box, type a value in seconds. The timeout value is the amount of time the device waits for a response from the authentication server before it tries to connect again. The default value is 10 seconds.
  • Retries — In the Retries text box, type the number of times the device tries to connect to the RADIUS server before it reports a failed connection for one authentication attempt. The default value is 3.
  • Dead Time — In the Dead Time text box, type the amount of time after which an inactive server is marked as active again. The default value is 10 minutes.
  • Group Attribute — In the Group Attribute text box, type a value for the group attribute for the RADIUS server to retrieve group membership for users. The group the user is a member of is returned in the RADIUS FilterID attribute. The default RADIUS group attribute is 11.
  • Interim Accounting Interval (Seconds) — In the Interim Accounting Interval text box, type the number of seconds between updates sent to a RADIUS accounting server. The default is 600 seconds (10 minutes).
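
How the shared secret and the Group Attribute are used on the wire, as an added example (not WatchGuard code): following RFC 2865, a RADIUS client checks the Response Authenticator of each reply with the shared secret, then reads group names from attribute 11 (Filter-Id). The secret, group name, identifier and packet below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # RADIUS attribute type 11 (Filter-Id), the default Group Attribute


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def groups_from_reply(packet, request_auth, secret, group_attr=FILTER_ID):
    """Verify a reply against the shared secret, then return its group names."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong secret or altered reply")
    if code != ACCESS_ACCEPT:
        return []  # only an Access-Accept carries group membership
    return [v.decode("utf-8", "replace")
            for t, v in parse_attributes(attrs) if t == group_attr]


# Constructed sample values (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # authenticator the client sent in its request
SAMPLE_GROUP = b"VPN-Users"
SAMPLE_ATTRS = bytes([FILTER_ID, 2 + len(SAMPLE_GROUP)]) + SAMPLE_GROUP
SAMPLE_REPLY = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(SAMPLE_ATTRS))
                + response_authenticator(ACCESS_ACCEPT, 7, SAMPLE_ATTRS,
                                         REQUEST_AUTH, SECRET)
                + SAMPLE_ATTRS)
```

A reply checked with a different secret, or one whose Filter-Id value was changed in transit, fails the authenticator check before any group name is read.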


Configure Active Directory Server Settings

To configure settings for an Active Directory server:

  1. In the Add servers settings, select Active Directory.
  2. In the Domain Name text box, type the domain name to add. The domain name must include a domain suffix. For example, type example.com, not example.
  3. In the Server Address text box, type the domain name or IP address of your Active Directory server.
  4. (Optional) To enable secure SSL connections to your Active Directory server, select Enable secure SSL connections to your Active Directory Server (LDAPS).
  5. Click Save.
