Integration Guide. SafeNet Authentication Service (SAS)


Revised: 10 June 2016

About This Guide

Guide Type: Documented Integration
WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

SafeNet Authentication Service Integration Overview

SafeNet Authentication Service communicates with a large number of VPN and access-gateway solutions using the RADIUS protocol. This document describes the steps necessary to integrate the WatchGuard Mobile VPN with SSL client software download process and Mobile VPN with SSL client authentication with SafeNet Authentication Service's two-factor authentication solution.

The image below describes the dataflow of a multi-factor authentication transaction with the WatchGuard Firebox. At a high level:

1. A user tries to log on to the WatchGuard Firebox using a One Time Password (OTP) authenticator.
2. The Firebox sends a RADIUS request with the user's credentials to SafeNet Authentication Service (SAS) for validation.
3. The SAS authentication reply is sent back to the Firebox.
4. The user is granted or denied access through the Firebox based on the OTP value calculation results from SAS.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

- Firebox with Fireware v11.10.x installed
- SafeNet Authentication Service (SAS), SafeNet's cloud-based authentication service
- MobilePASS 8.4.3.86

Configuring SafeNet Authentication Service (SAS)

The deployment of multi-factor authentication using SAS with a WatchGuard Firebox using the RADIUS protocol requires:

- Synchronizing user stores to SAS
- Authenticator assignment in SAS
- Adding the WatchGuard Firebox as an Authentication Node in SAS

Synchronizing User Stores to SafeNet Authentication Service

Before SAS can authenticate any user, you must create a user store in SAS that reflects the users that need to use multi-factor authentication. User records are created in the SAS user store using one of the following methods:

- Manually, one user at a time using the Create User shortcut.
- Manually, by importing one or more user records in a flat file.
- Automatically, by synchronizing with your Active Directory/LDAP server using the SAS Synchronization Agent.

For more information on how to import users to SAS, refer to the section on creating users in the SafeNet Authentication Service Subscriber Account Operator Guide.

In this document, we show you how to use the Create User shortcut to manually create users. To learn more about how to create users, see the SafeNet Knowledge Base.

1. Log in to the SAS Web UI with the Operator account and password.
2. Click the shortcut Create User.
3. Enter the First Name, Last Name, User ID and Email.
4. Click Add. In this example, we created a user named user1.

5. After you click Add, you see a page that looks like this.

Authenticator Assignment in SAS

SAS supports numerous authentication methods that can be used as secondary authentication factors for users who authenticate through their WatchGuard Firebox:

- eToken PASS
- RB-1 keypad token
- KT-4 token
- SafeNet GOLD
- SMS tokens
- MP-1 software token
- GrIDsure authentication
- MobilePASS

Authenticators can be assigned to users in two ways:

- Manual provisioning: Assign an authenticator to users one by one.
- Provisioning rules: The administrator can set provisioning rules in SAS so that the rules will be triggered when group memberships and other user attributes change. An authenticator will be assigned automatically to the user.

Refer to provisioning rules in the SafeNet Authentication Service - Subscriber Account Operator Guide to learn how to provision the different authentication methods to the users in the SAS user store.

In this document, we show you how to use the MobilePASS authenticator and assign it to the user named user1 with the manual provision option.

1. From the user1 detail page, select the module Tokens and click Provision.
2. Select MobilePASS as the Authentication Type.
3. An email will be sent to the mail address that you defined when you created the user1 user. Open the email and follow the link to enroll your MobilePASS token.

4. In this example, we enrolled the MobilePASS token for user1 successfully.

Add WatchGuard Firebox as an Authentication Node in SAS

You must add a RADIUS entry in the SAS Authentication Nodes module so that it can receive RADIUS authentication requests from your Firebox. To do this, you need the IP address of your Firebox and the shared secret to be used by both SAS and the Firebox.

To add an Authentication Node in SAS:

1. Log in to the SAS console with an Operator account and password.
2. Select the COMMS tab and select the module Auth Nodes.

3. In the Auth Nodes module, click the Auth Nodes link.
4. Click Add.
5. In the Add Auth Nodes section, complete the fields shown below.

   Auth Node Name: Type a name to describe this authentication node.
   Host Name: Type the name of the host that will authenticate with SAS.
   Low IP Address In Range: Type the IP address of the host that will authenticate with SAS. This is the Firebox IP address that Mobile VPN with SSL clients connect to, which is usually the primary IP address of the Firebox external interface.
   Configure FreeRADIUS Synchronization: Select the check box to enable this option.
   Shared Secret: Type the shared secret.
   Confirm Shared Secret: Re-type the shared secret to confirm it.

6. Click Save. The Auth Node is added to the system.

Configure the Firebox

In this example, we use the Fireware Web UI to configure our Firebox. You can also use Policy Manager to complete these steps.

Configure the Firebox to use RADIUS server authentication

To authenticate with SAS, you must enable the RADIUS server on the Firebox.

1. Log in to Fireware Web UI at https://<ip address of Firebox>:8080.
2. Select Authentication > Servers > RADIUS.

3. Select the Enable RADIUS Server check box.
4. In the IP Address text box, type the IP address of the SAS.
5. In the Port text box, type the port used in SAS for RADIUS authentication. The default is port 1812.
6. In the Passphrase and Confirm text boxes, type the shared secret you configured for the Auth Node on SAS.
7. Click Save.
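What the shared secret typed on both sides actually does in the RADIUS exchange (RFC 2865), shown as an added example that is not part of the original guide: the Firebox side hides the passcode in the Access-Request, and the reply from SAS is accepted only if its Response Authenticator matches. The function names, the secret and the passcode 123456 are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def hide_password(passcode: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = passcode.ljust(max(16, -(-len(passcode) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the same shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def access_request(ident, user, passcode, secret, req_auth) -> bytes:
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    attrs = _attr(1, user) + _attr(2, hide_password(passcode, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def reply(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept (2) or Access-Reject (3), no attributes, signed by the server."""
    head = struct.pack("!BBH", code, ident, 20)
    return head + _md5(head + req_auth + secret)

def reply_is_authentic(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute MD5(code + id + length + req_auth + attrs + secret)."""
    expected = _md5(packet[:4] + req_auth + packet[20:] + secret)
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    ra = os.urandom(16)                     # Request Authenticator must be random
    req = access_request(7, b"user1", b"123456", secret, ra)
    print("server recovers:", unhide_password(req[29:], secret, ra))
    print("accept verified:", reply_is_authentic(reply(2, 7, ra, secret), ra, secret))
```

Both the passcode hiding and the reply check rest only on MD5 and the shared secret, so the value entered in the Auth Node and in the Firebox Passphrase box should be long and random.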

Add Users

On the Firebox, add a new user to log in to the RADIUS server.

1. Select Authentication > Users and Groups.
2. Click Add.
3. Select User.
4. In the Name text box, type the same user name you created on the SAS.
5. From the Authentication Server drop-down list, select RADIUS.
6. Click OK. The user is added to the Users and Groups list on the Firebox.
7. Click Save.

Configure Mobile VPN with SSL with RADIUS Authentication

To use RADIUS authentication for user connections with the Mobile VPN with SSL client, enable Mobile VPN with SSL and configure it to use RADIUS for authentication.

1. Select VPN > Mobile VPN with SSL.
2. Select the Activate Mobile VPN with SSL check box.
3. In the Primary text box, type the IP address to which Mobile VPN with SSL clients will connect. This is an IP address of the Firebox.
4. Select the Authentication tab.

5. Select the check box next to RADIUS (Default) to use the RADIUS authentication server.
6. Click SAVE.

Test the Integration

To test the integration, we use Mobile VPN with SSL to test user authentication.

Mobile VPN with SSL client software download from Firebox

1. Browse to the SSL VPN web portal. The IP address is: https://<ip of Firebox>:4100/sslvpn.html.
2. In the Username text box, type the user name of a user defined on the SAS.

3. In the Password text box, type the password. The password is a passcode. In our example, we use the MobilePASS to generate a passcode, and then type it in this field.
4. If necessary, from the Domain drop-down list, select RADIUS.
5. Click Login.
6. The next authentication page will appear if this user is authenticated.
7. Type the passcode again after you generate a new passcode on MobilePASS.

8. Click Apply. After successful authentication, the download page appears. You can now download the appropriate version of the VPN client for your operating system.

Mobile VPN with SSL Client Authentication

After you download and install the Mobile VPN with SSL client on your computer, you can use the same authentication process to connect to the Firebox with the SSL VPN client.