Configure MFA for a Firebox
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
You can add AuthPoint as an authentication server to Fireboxes that run Fireware v12.7.2 or higher. This makes it easier to configure AuthPoint MFA for:
- Mobile VPN with SSL
- Mobile VPN with IKEv2
- Firebox Web UI
- Firebox Authentication Portal
To enable AuthPoint as an authentication server on a Firebox, you must add a Firebox resource in AuthPoint. After you configure a Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled.
When you configure a Firebox resource to add MFA to a Firebox, AuthPoint receives the IP address of the end user, so network location policy objects apply when a user authenticates with a VPN client.
You do not have to add a Firebox resource to your Gateway configuration, even if the Firebox resource has MS-CHAPv2 enabled. In this scenario, the Firebox validates the user password with NPS and AuthPoint authenticates the user with MFA.
If AuthPoint syncs users from an LDAP external identity, the Firebox resource must have network access to the LDAP server to authenticate the synced users.
Your Firebox must run Fireware v12.7.2 or higher to authenticate Azure Active Directory users with the AuthPoint authentication server.
Before You Begin
Before you add AuthPoint as an authentication server on your Firebox, make sure that you have registered and connected the device to WatchGuard Cloud. For detailed instructions to register and connect your Firebox to WatchGuard Cloud, refer to Add a Locally-Managed Firebox to WatchGuard Cloud and Add a Cloud-Managed Firebox to WatchGuard Cloud.
If you remove a locally-managed or cloud-managed Firebox from WatchGuard Cloud, the Firebox resource in AuthPoint is no longer associated with the Firebox and you must delete the resource. To continue to use the AuthPoint authentication server on the Firebox, you must add the device to WatchGuard Cloud again and add a new Firebox resource for the device in AuthPoint.
If you want to use AuthPoint MFA with your Firebox, but do not want to add the Firebox to WatchGuard Cloud, you can add the Firebox to AuthPoint as a RADIUS client resource. For more information, see Configure MFA for a RADIUS Client.
If you get a new Firebox as a trade-up or as an RMA replacement for an old device that was added to your AuthPoint account, the steps to configure it as an AuthPoint resource are the same as if it were a new device.
To replace a Firebox that you have already added to AuthPoint as a Firebox resource:
- Add the new Firebox to WatchGuard Cloud.
- Add the device as a new Firebox resource in AuthPoint.
- Add the new Firebox resource to your AuthPoint authentication policies, and remove the old Firebox resource from those policies. For more information, go to About AuthPoint Authentication Policies.
- Delete the Firebox resource associated with the old Firebox from your AuthPoint account.
Authentication Workflow
When you configure AuthPoint as an authentication server for Mobile VPN with SSL, Mobile VPN with IKEv2, the Firebox Authentication Portal, or Fireware Web UI users:
- The Firebox forwards user authentication requests directly to AuthPoint.
- AuthPoint coordinates multi-factor authentication (MFA):
  - Local users — AuthPoint validates the first factor (password) and then the second factor (push or one-time password).
  - LDAP users — AuthPoint tells the Firebox to contact Active Directory to validate the first factor (password). If successful, AuthPoint then validates the second factor (push or one-time password).
  - Azure Active Directory users — AuthPoint contacts Azure Active Directory to validate the first factor (password). If successful, AuthPoint then validates the second factor (push or one-time password).
- The Firebox prompts the user to select an authentication option:
  - If the user selects the push option, AuthPoint sends a push request to the user's phone.
  - If the user selects the one-time password option, the Firebox prompts the user to specify a one-time password (OTP).
The authentication workflow depends on the Fireware feature and on the type of user (local AuthPoint user, Active Directory user, or Azure Active Directory user):
Mobile VPN with SSL: Local Users
- The user initiates a VPN connection from a Mobile VPN with SSL client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is local and has a valid MFA policy.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to connect to the VPN.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to connect to the VPN.
Mobile VPN with SSL: Active Directory Users
- The user initiates a VPN connection from a Mobile VPN with SSL client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Active Directory user.
- AuthPoint tells the Firebox that the Active Directory server must validate the user.
- The Firebox sends the user credentials to the Active Directory server (LDAP bind request).
- Active Directory validates the user credentials and responds to the Firebox.
- The Firebox sends an MFA request to AuthPoint.
- AuthPoint verifies the user has a valid MFA policy.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to connect to the VPN.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to connect to the VPN.
Mobile VPN with SSL: Azure Active Directory Users
- The user initiates a VPN connection from a Mobile VPN with SSL client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Azure Active Directory user.
- AuthPoint contacts Azure Active Directory to validate the first factor (password).
- AuthPoint verifies the user has a valid MFA policy and authenticates the user.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to connect to the VPN.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to connect to the VPN.
Mobile VPN with IKEv2: Local Users
- The user initiates a VPN connection from a Mobile VPN with IKEv2 client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is local and has a valid MFA policy.
- AuthPoint sends a push notification to the user's mobile phone.
- The user receives and approves the push notification.
- AuthPoint receives the push approval and contacts the Firebox.
- The Firebox receives the approval and allows the user to connect to the VPN.
Mobile VPN with IKEv2: Active Directory Users
- The user initiates a VPN connection from a Mobile VPN with IKEv2 client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Active Directory user.
- AuthPoint tells the Firebox that the NPS server must validate the user.
- The Firebox sends the user credentials to the NPS server for validation (RADIUS protocol). NPS is required for Active Directory users who log in from an IKEv2 client.
- The NPS server responds to the Firebox.
- The Firebox sends an MFA request to AuthPoint.
- AuthPoint verifies the user has a valid MFA policy.
- AuthPoint sends a push notification to the user's mobile phone.
- The user receives and approves the push notification.
- AuthPoint receives the push approval and contacts the Firebox.
- The Firebox receives the approval and allows the user to connect to the VPN.
Mobile VPN with IKEv2: Azure Active Directory Users
- The user initiates a VPN connection from a Mobile VPN with IKEv2 client to the Firebox.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Azure Active Directory user.
- AuthPoint tells the Firebox that the NPS server must validate the user.
- The Firebox sends the user credentials to the NPS server for validation (RADIUS protocol). NPS is required for Azure Active Directory users who log in from an IKEv2 client.
- The NPS server responds to the Firebox.
- The Firebox sends an MFA request to AuthPoint.
- AuthPoint verifies the user has a valid MFA policy.
- AuthPoint sends a push notification to the user's mobile phone.
- The user receives and approves the push notification.
- AuthPoint receives the push approval and contacts the Firebox.
- The Firebox receives the approval and allows the user to connect to the VPN.
Firebox Authentication Portal: Local Users
- The user connects to the Firebox Authentication Portal on port 4100.
- The user provides credentials and selects the AuthPoint authentication domain.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is local and has a valid multi-factor authentication (MFA) policy.
- The user sees an authentication page that shows the available authentication methods.
- The user selects an authentication method.
- The Firebox sends an MFA request to AuthPoint.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to log in.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to log in.
Firebox Authentication Portal: Active Directory Users
- The user connects to the Firebox Authentication Portal on port 4100.
- The user provides credentials and selects the AuthPoint authentication domain.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Active Directory user and the user has a valid MFA policy.
- AuthPoint communicates to the Firebox that the Active Directory server must validate the user.
- The Firebox sends the user's credentials to the Active Directory server (LDAP bind request).
- Active Directory validates the user credentials and responds to the Firebox.
- The user sees an authentication page that shows the available authentication methods.
- The user selects an authentication method.
- The Firebox sends an MFA request to AuthPoint.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to log in.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to log in.
Firebox Authentication Portal: Azure Active Directory Users
- The user connects to the Firebox Authentication Portal on port 4100.
- The user provides credentials and selects the AuthPoint authentication domain.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Azure Active Directory user.
- AuthPoint contacts Azure Active Directory to validate the first factor (password).
- The user sees an authentication page that shows the available authentication methods.
- The user selects an authentication method.
- The Firebox sends an MFA request to AuthPoint.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to log in.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to log in.
Fireware Web UI: Local Users
- The user connects to Firebox Web UI.
- The user provides credentials and selects the AuthPoint authentication domain.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is local and has a valid multi-factor authentication (MFA) policy.
- The user sees an authentication page that shows the available authentication methods.
- The user selects an authentication method.
- The Firebox sends an MFA request to AuthPoint.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to log in.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to log in.
Fireware Web UI: Active Directory Users
- The user connects to Firebox Web UI.
- The user provides credentials and selects the AuthPoint authentication domain.
- The Firebox forwards the request to AuthPoint.
- AuthPoint determines if the user is an Active Directory user and the user has a valid MFA policy.
- AuthPoint communicates to the Firebox that the Active Directory server must validate the user.
- The Firebox sends the user credentials to the Active Directory server (LDAP bind request).
- Active Directory validates the user credentials and responds to the Firebox.
- The user sees an authentication page that shows the available authentication methods.
- The user selects an authentication method.
- The Firebox sends an MFA request to AuthPoint.
- For Push:
  - AuthPoint sends a push notification to the user's mobile phone.
  - The user receives and approves the push notification.
  - AuthPoint receives the push approval and contacts the Firebox.
  - The Firebox receives the approval and allows the user to log in.
- For OTP:
  - AuthPoint validates the OTP.
  - The Firebox receives the approval and allows the user to log in.
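The workflows above differ in three ways: which component validates the password (AuthPoint, the Firebox with an LDAP bind, or the Firebox with NPS over RADIUS), which second factors the feature offers, and whether a network location policy can apply (AuthPoint receives the client IP for VPN clients). The model below is an added illustration, not WatchGuard code; it encodes those rules from the workflows on this page so you can check a planned deployment before users hit it. The `authenticate` function, the `FireboxResource` and `NetworkLocationPolicy` classes, the feature and user-type keys, and the sample addresses are all constructed for the example. Two modelling choices are assumptions, not statements from the page: the network location check is enforced only for the two VPN features, and IKEv2 accepts only push because the IKEv2 workflows above list no OTP step.

```python
"""Model of the Firebox-to-AuthPoint authentication workflow described above.

Added illustration, not WatchGuard code. Feature keys, user-type keys and the
tables below are inferred from the workflows on this page.
"""
import ipaddress
from dataclasses import dataclass, field

# Which component validates the first factor (password) for each user type.
FIRST_FACTOR = {
    "local": "AuthPoint",
    "active_directory": "Firebox (LDAP bind to Active Directory)",
    "azure_ad": "AuthPoint (contacts Azure Active Directory)",
}
# IKEv2 is the exception: directory users are validated by NPS over RADIUS
# (MS-CHAPv2), which the Firebox resource must have enabled.
FIRST_FACTOR_IKEV2 = {
    "local": "AuthPoint",
    "active_directory": "Firebox (RADIUS MS-CHAPv2 to NPS)",
    "azure_ad": "Firebox (RADIUS MS-CHAPv2 to NPS)",
}
# Second-factor options listed per feature; the IKEv2 workflows show push only
# (assumption of this model).
ALLOWED_METHODS = {
    "ssl_vpn": {"push", "otp"},
    "ikev2_vpn": {"push"},
    "auth_portal": {"push", "otp"},
    "web_ui": {"push", "otp"},
}
VPN_FEATURES = {"ssl_vpn", "ikev2_vpn"}


@dataclass
class FireboxResource:
    """Subset of the Firebox resource fields from the configuration steps."""
    name: str
    mschapv2_enabled: bool = False
    nps_server: str = ""        # NPS RADIUS Server Trusted IP or FQDN
    nps_port: int = 1812        # default port named on the page
    shared_secret: str = ""
    timeout_seconds: int = 60   # push expiry; 60 is a constructed default


@dataclass
class NetworkLocationPolicy:
    """Hypothetical network location policy object: client IP must fall inside one range."""
    allowed_networks: list

    def permits(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.allowed_networks)


@dataclass
class Decision:
    allowed: bool
    reason: str
    first_factor_by: str = ""
    steps: list = field(default_factory=list)


def authenticate(feature, user_type, method, resource, *, client_ip=None,
                 policy=None, password_ok=True, second_factor_ok=True):
    """Walk the workflow for one login attempt and return the decision path."""
    if feature not in ALLOWED_METHODS or user_type not in FIRST_FACTOR:
        return Decision(False, f"unknown feature or user type: {feature}/{user_type}")
    steps = ["Firebox forwards the request to AuthPoint"]

    # Network location policy: AuthPoint receives the client IP for VPN clients.
    # Assumption of this model: the check is enforced only for VPN features.
    if feature in VPN_FEATURES and policy is not None:
        if client_ip is None or not policy.permits(client_ip):
            return Decision(False, f"client IP {client_ip} blocked by network location policy",
                            steps=steps)

    # Directory users on IKEv2 need NPS, so the resource must have MS-CHAPv2 enabled.
    if feature == "ikev2_vpn" and user_type != "local" and not resource.mschapv2_enabled:
        return Decision(False, "IKEv2 directory users require MS-CHAPv2/NPS on the Firebox resource",
                        steps=steps)

    table = FIRST_FACTOR_IKEV2 if feature == "ikev2_vpn" else FIRST_FACTOR
    validator = table[user_type]
    steps.append(f"first factor validated by {validator}")
    if not password_ok:
        return Decision(False, "password rejected", validator, steps)

    if method not in ALLOWED_METHODS[feature]:
        return Decision(False, f"{method} is not offered for {feature}", validator, steps)
    steps.append(f"AuthPoint checks the MFA policy, then validates the second factor: {method}")
    if not second_factor_ok:
        return Decision(False, "second factor rejected", validator, steps)
    steps.append("Firebox receives the approval and admits the user")
    return Decision(True, "authenticated", validator, steps)


if __name__ == "__main__":
    # Constructed sample resource and policy (documentation-range addresses).
    res = FireboxResource("hq-firebox", mschapv2_enabled=True,
                          nps_server="nps.example.internal", shared_secret="constructed-secret")
    pol = NetworkLocationPolicy(["203.0.113.0/24"])
    print(authenticate("ssl_vpn", "active_directory", "push", res,
                       client_ip="203.0.113.7", policy=pol))
    print(authenticate("ikev2_vpn", "azure_ad", "push", FireboxResource("branch-firebox")))
```

Running the model for each feature and user type you intend to deploy surfaces the two misconfigurations this page warns about before users see them: an IKEv2 client used by directory users without MS-CHAPv2 on the resource, and a VPN client connecting from outside the networks a location policy allows.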
Convert Configurations from Fireware 12.7.1 or Lower
This section only applies to configurations that use a manually created AuthPoint RADIUS authentication server. If you have already configured AuthPoint MFA for your Firebox with a RADIUS client resource and a RADIUS server on the Firebox, follow the steps in this section to convert your configuration to use the AuthPoint authentication server.
Configurations that use a RADIUS authentication server for the AuthPoint Gateway will continue to work after you upgrade to Fireware v12.7.2.
If you have an existing authentication server called AuthPoint, that authentication server will be automatically renamed to AuthPoint.1 when you:
- Upgrade your Firebox to Fireware v12.7.2.
- Use WSM or Policy Manager v12.7.2 or higher to manage a Firebox that runs Fireware 12.7.1 or lower.
If your existing AuthPoint authentication server is renamed and it is not the default authentication server, users must type the new authentication server name (AuthPoint.1) when they log in and use that authentication server.
To convert your configuration to use the AuthPoint authentication server:
- Upgrade your Firebox to Fireware v12.7.2 or higher.
- In AuthPoint:
- Add a Firebox resource for your Firebox.
- Configure an authentication policy for the new Firebox resource or add the Firebox resource to one of your existing authentication policies.
- In Fireware:
- To configure AuthPoint MFA for a VPN, add AuthPoint as the primary authentication server for Mobile VPN with SSL or Mobile VPN with IKEv2 configuration.
- To configure AuthPoint MFA for the Firebox Authentication Portal, specify AuthPoint as the authentication server for users and groups.
- Test MFA with the new configuration.
- Delete your previous configuration:
- In AuthPoint, delete the existing RADIUS client resource and remove the RADIUS client resource from your Gateway.
- In Fireware, delete the RADIUS server you configured for the AuthPoint Gateway.
Configure a Firebox Resource
To add a Firebox resource:
- From the AuthPoint navigation menu, select Resources.
- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select Firebox.
- In the Name text box, type a descriptive name for the resource.
- From the Firebox drop-down list, select the Firebox or FireCluster that you want to connect to AuthPoint. This list only shows Fireboxes and FireClusters that you have added to WatchGuard Cloud, and the device status in WatchGuard Cloud must be Connected.
- To configure the Firebox resource to accept MS-CHAPv2 authentication requests, click the Enable MS-CHAPv2 toggle. Additional text boxes appear. You do not have to enable MS-CHAPv2 if the IKEv2 VPN client is only used by local AuthPoint users.
  - In the NPS RADIUS Server Trusted IP or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the NPS RADIUS server.
  - In the Port text box, type the port that NPS uses for communication. The default port is 1812.
  - In the Timeout In Seconds text box, type a value in seconds. The timeout value is the amount of time before a push authentication expires.
  - In the Shared Secret text box, type the shared secret key that NPS and the Firebox will use to communicate.
- Click Save.
After you add the Firebox resource in AuthPoint, the AuthPoint authentication server on your Firebox is enabled. To add MFA, you must configure the Firebox to use the AuthPoint authentication server.
- Mobile VPN with SSL — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with SSL configuration. For detailed steps, see Firebox Mobile VPN with SSL Integration with AuthPoint.
If you add the AuthPoint authentication server to your Mobile VPN with SSL configuration, users must download and use the WatchGuard Mobile VPN with SSL client v12.7 or higher or the OpenVPN SSL client.
- Mobile VPN with IKEv2 — In Fireware, configure AuthPoint as the primary authentication server for your Mobile VPN with IKEv2 configuration. For detailed steps, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Active Directory Users or Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users.
- Firebox Authentication Portal — In Fireware, specify AuthPoint as the authentication server for users and groups. For detailed steps, see Firebox Authentication with AuthPoint.
- Fireware Web UI — In Fireware, go to System > Users and Roles and add Device Management users with AuthPoint as the authentication server. For more information, see Manage Users and Roles on Your Firebox.
See Also
- About AuthPoint Authentication Policies
- Firebox Mobile VPN with SSL Integration with AuthPoint
- Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Active Directory Users
- Firebox Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users
- Firebox Cloud Mobile VPN with IKEv2 Integration with AuthPoint for Azure Active Directory Users