Integration Guide
LoginTC
Revised: 21 November 2016

About This Guide

Guide Type: Documented Integration
WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details
WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

LoginTC Integration Overview

LoginTC provides cloud-based authentication through the RADIUS protocol. This document describes how to integrate LoginTC two-factor authentication with a WatchGuard Firebox and the WatchGuard Mobile VPN with SSL client.

Test Topology

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

- Firebox with Fireware v11.11.4 installed
- LoginTC Radius Connector 2.3.0

Configure LoginTC Cloud

RADIUS Domain Creation

To create a LoginTC domain for your RADIUS connector:

1. Log in to LoginTC Admin.
2. Click Domains.
3. Click Create your first domain. The Create Domain page appears.
4. In the Name text box, type the domain name.
5. In the Connector section, click RADIUS.
6. In the Key Policy section, click PIN.

Install Radius Connector

1. You can download the Radius Connector from the LoginTC website at https://www.logintc.com/docs/downloads/radius-connector.html.
2. Unzip the file and import it on your server. The LoginTC RADIUS Connector Configuration console appears.
3. In the Password and Confirm Password text boxes, type the LoginTC user password.
4. In the Appliance Options menu, select Network Configuration.
5. In the Network Configuration section, type the IP address.
6. Select DNS Configuration.
7. Type the DNS address.
8. Select Web Server, and then select Start. It can take 30-60 seconds for the web server to start the first time.
9. After the web server starts, access the web interface with the URL that appears in the Notice box.

Configure the RADIUS Connector

1. Connect to your LoginTC RADIUS Connector URL.
2. To configure the LoginTC RADIUS Connector, type the username and password. In our example, we use logintc-user as the user name.
3. To create your configuration, click Create.
4. To configure the LoginTC organization and domain to use, type the API key and domain ID.
5. Click Test.
6. Click Next.
7. Select the first authentication factor to use with LoginTC. In our example, we select RADIUS.
8. In the Host text box, type the RADIUS server IP address.
9. To specify an optional, non-standard port number for your RADIUS server, type the port number in the Port text box.
10. In the Secret text box, type the shared secret used by the RADIUS server and the LoginTC RADIUS Connector.
11. Click Test.
12. Click Next.
13. To specify which users are challenged with LoginTC, select Static List.
14. In the LoginTC challenge users text box, type one or more user names. In our example, we use tang as our authentication user.
15. To configure the RADIUS client, type the RADIUS client name, IP address, and secret.
16. Click Test to validate the values and then click Save.

Test RADIUS Connector

1. Log in to LoginTC Admin.
2. Select Domains.
3. Select your domain.
4. Click Create Member. The Create User page appears.
5. In the Personal Details section, type the user name, name, and email address of the user. In our example, we specify the user name tang.
6. Click Create.
7. Click Issue Token.
8. Start your LoginTC mobile app and type the 10-character alphanumeric activation code. Lock the token with a PIN.
9. After you load a token for the new user and domain, connect to the RADIUS Connector URL.
10. Click Test Configuration.
11. Enter a valid user name and password. Click Test Configuration. A simulated authentication request is sent to the LoginTC mobile app.
12. Approve the request to continue.

Configure the WatchGuard Firebox

To configure your Firebox for RADIUS authentication:

1. Connect to your Firebox with Fireware Web UI.
2. Select Authentication > Servers > RADIUS. The RADIUS configuration page appears.
3. Type the RADIUS Connector IP address, port number, and passphrase.
4. Click Save.
5. Select VPN > Mobile VPN with SSL.
6. Select Activate Mobile VPN with SSL.
7. In the Primary text box, type the Firebox IP address.
8. Select the Authentication tab.
9. Select RADIUS.
10. To add an SSLVPN-user, click Add. The Add User or Group dialog box appears.
11. Select User.
12. Type the user name.
13. In the Authentication Server list, choose RADIUS.
14. Click OK.
15. Click Save.

Test the Integration

To test the integration, we use Mobile VPN with SSL. To download and configure the Mobile VPN with SSL client software from the Firebox:

1. Go to the SSL VPN web portal at https://<Firebox IP address>
2. In the Username text box, type the user name that you specified in LoginTC.
3. In the Password text box, type the password that you specified in LoginTC.
4. From the Domain drop-down list, select RADIUS. If RADIUS is the only authentication method that you specified for Mobile VPN with SSL, the Domain drop-down list does not appear.
5. Click Login. Your LoginTC mobile app receives an authentication request.
6. In your LoginTC mobile app, click Approve, and type your four-digit PIN.
7. After successful authentication, the download page appears.
8. Download the appropriate version of the VPN client for your operating system.

Mobile VPN with SSL Client Authentication

After you download and install the Mobile VPN with SSL client on your computer, you can use the same authentication process to connect to the Firebox with the Mobile VPN with SSL client.