WatchGuard Mobile VPN 2FA

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
2. Navigate to Authentication –> Servers –> RADIUS.

3. Click Add.

4. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.

Domain Name	Come up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that You cannot change the Domain Name after you save the settings.
Enable RADIUS Server	Check the box.
IP Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret	Reenter the shared secret
Timeout	Set to 60 seconds.
Retries	Set to 3.
Dead Time	Set to 10 minutes.
Group Attribute	Set to 11.

5. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.

1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.

2. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.

Type	User
Name	Enter the username.
Description	Optional, you can enter a description of the user if you want.
Authentication Server	Select the server you have created before (Protectimus RADIUS Server).

3. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.

PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

4. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.

5. Select the Authentication tab.
6. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
7. Then, select it on the list of authentication servers and click MOVE UP to make it default.

8. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
9. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.

2. In the Groups section, select your profile and click EDIT.

3. Select the General tab.
4. In the Authentication Server dropdown, the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.

5. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.