We assume that you have already installed the WiKID Strong Authentication Server. This document describes how to enable the RADIUS interface on a WatchGuard Firebox so that it accepts one-time passwords from the WiKID Strong Authentication System.
Update: WatchGuard now appears to require a Filter-ID return attribute. From the WatchGuard documentation:
The group attribute value is used to set the attribute that carries the User Group information. You must configure the RADIUS server to include the Filter-ID string with the user authentication message it sends to the XTM device. For example, engineerGroup or financeGroup. This information is then used for access control. The XTM device matches the Filter-ID string to the group name configured in the XTM device policies.
So you will need to add this group name as the Filter-ID return attribute on the Network Client tab. If you have multiple groups, add each Filter-ID to a WiKID group and add users to each group; the group name in WiKID must match the group name used in the Firebox policies exactly.
Start by adding the WiKID Strong Authentication server as a Radius server on the WatchGuard Firebox:
- From the Firebox Policy Manager, select Setup | Authentication Servers.
- Select the RADIUS Server tab.
- Enter the IP address of the WiKID server, leave the port as 1812 (the RADIUS authentication port) and create a strong shared secret. You will enter the same secret on the WiKID side.
- Click “OK.”
- Follow the WatchGuard instructions for setting up MUVPN as usual, but choose the recently created WiKID RADIUS server as the authentication server.
On the WiKID Server, be sure to enable Radius:
- Click on the 'Configuration' tab in the WiKIDAdmin web interface.
- Click on 'Enable Protocols'
- If Radius is not enabled, click on it to enable it.
- You should be able to leave the settings as they are and click 'Initialize'.
Next we add a specific network client for the WatchGuard Firebox:
- Click on the 'Network Client' Tab
- Click on 'Create New Network Client'
- Create a name such as "WatchGuard Firebox Two-factor VPN"
- Choose a WiKID domain for the network client
- Select 'Radius' as the protocol
- Click 'Add'
- On the next page, enter the Shared Secret created above.
- Under Return Attributes, select Filter-ID and enter the proper group name. (Or configure this under the groups tab if you have more than one.)
- Click 'Add NC'
- From a terminal window, stop and start the WiKID Strong Authentication Server (wikidctl stop, then wikidctl start). This reloads the server's firewall rules so that RADIUS traffic from the new network client's IP address is allowed; until you do this the Firebox's requests will be dropped.
That is it. You should now have properly configured two-factor authentication for your WatchGuard Firebox VPN and firewall, and you should be able to generate a one-time password from a Windows, Java, BlackBerry, J2ME, iPhone and/or Android software token and get access to your VPN.
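Before putting the Firebox in front of real users it is worth confirming the WiKID side on its own: that the shared secret matches, that the one-time password is accepted, and that the Filter-ID the Firebox will match against its policy group names actually comes back. The following small RADIUS test client is an added example and is not part of WiKID's or WatchGuard's software. It sends an Access-Request carrying a User-Name and a hidden User-Password (the OTP), the same exchange the Firebox performs, and it verifies the Response Authenticator with the shared secret before trusting the reply's code or attributes. The host, port, secret, user name and OTP are placeholder assumptions; offline_demo() uses a constructed sample reply so the packet handling can be exercised without a server.

```python
import hashlib
import hmac
import os
import socket
import struct

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: pad to a 16-byte multiple, XOR each
    block with MD5(secret + previous block). For a single block the same call
    undoes it, since the keystream depends only on secret and authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def attr(type_, value):
    """Type-Length-Value; Length includes the two header bytes (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(ident, req_auth, username, otp, secret):
    """What the Firebox sends: User-Name plus the hidden one-time password."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, req_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def verify_response(resp, req_auth, ident, secret):
    """Check the Response Authenticator (RFC 2865 s3) before trusting the reply:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). A failure means
    a spoofed or tampered reply, or a server configured with a different secret."""
    if len(resp) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident:
        raise ValueError("identifier does not match our request")
    if length < 20 or length > len(resp):
        raise ValueError("bad length field")
    resp = resp[:length]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("Response Authenticator mismatch (spoofed reply or wrong shared secret)")
    return code, parse_attrs(resp[20:])

def filter_ids(attrs):
    """Filter-ID values the Firebox will match against its policy group names."""
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]

def build_response(code, ident, req_auth, attrs_bytes, secret):
    """How a RADIUS server signs a reply; used here only to build an offline sample."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return header + hashlib.md5(header + req_auth + attrs_bytes + secret).digest() + attrs_bytes

def authenticate(host, port, secret, username, otp, timeout=5.0):
    """Send one Access-Request over UDP; return (accepted, filter_ids)."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, req_auth, username, otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        resp, _ = s.recvfrom(4096)
    code, attrs = verify_response(resp, req_auth, ident, secret)
    return code == ACCESS_ACCEPT, filter_ids(attrs)

def offline_demo():
    """Constructed sample (no server): an Access-Accept carrying Filter-ID
    engineerGroup, signed with a placeholder secret, checked as authenticate() would."""
    secret, ident, req_auth = b"change-me-shared-secret", 7, bytes(range(16))
    accept = build_response(ACCESS_ACCEPT, ident, req_auth,
                            attr(ATTR_FILTER_ID, b"engineerGroup"), secret)
    code, attrs = verify_response(accept, req_auth, ident, secret)
    return code == ACCESS_ACCEPT, filter_ids(attrs)

if __name__ == "__main__":
    print(offline_demo())  # (True, ['engineerGroup'])
    # Live check with placeholder values (host, secret, user and OTP are assumptions):
    # print(authenticate("192.0.2.10", 1812, b"change-me-shared-secret", "alice", "123456"))
```

If the live call returns an Access-Reject, check the OTP and the user's WiKID domain; if it raises a Response Authenticator mismatch, the shared secret on the two sides differs; if it times out, the WiKID host firewall has not been reloaded for the new network client. Two caveats worth keeping in mind: the User-Password hiding in RFC 2865 is MD5-based obfuscation keyed by the shared secret, not encryption, so the secret should be long and random and the RADIUS port on the WiKID server should be reachable only from the Firebox; and the Firebox matches Filter-ID as a string, so a stray space or case difference in the group name silently puts the user in no policy group. The radtest utility shipped with FreeRADIUS performs the same request if you would rather not run a script.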