# Watchguard SSL VPN Integration ## General Overview This guide explains the configuration of multi-factor authentication (MFA) for Mobile VPN utilizing SSL with local users, LDAP and Active Directory users, and Azure Active Directory users. Prior configuration and deployment of WatchGuard Firebox are required before setting up MFA with Mirket. For RADIUS authentication, users have the option to authenticate using a push notification or a one-time password (OTP). When configuring the authentication policy in Mirket, you can select the preferred authentication method for users. The steps provided in this integration guide apply to both authentication options. This integration was tested with version v12.7 of Fireware. ## Preparation Steps Before proceeding with these procedures, ensure the following: * If you have Fireware v12.6.7 or an earlier version, we recommend completing the installation and configuration of Mirket (go to"[Mirket Installation Steps](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-installation/mirket-installation-steps.md)" ). ## Configuring Mirket MFA for Firebox Mobile VPN with SSL The steps for configuring Mirket and your Firebox vary depending on the version of Fireware you have. Follow the instructions in this section to set up Mirket MFA for Active Directory users utilizing Mobile VPN with SSL specifically designed for Fireware v12.6.x and earlier. ### Configuring Firebox To proceed, configure the RADIUS authentication settings and activate Mobile VPN with SSL on your Firebox. #### **RADIUS Authentication Configuration** Mirket delays sending a response to the Firebox until the user approves the push notification or until the push authentication expires. During the configuration of the RADIUS authentication server, ensure that the Timeout value exceeds the push timeout duration set in Mirket, which is typically 60 seconds. By default, if a user fails to approve the push notification within 30 seconds, the Firebox might shift to another server, even if the current server is operational. * Access the Fireware Web UI (https\://\:8080) * Go to **Authentication > Servers**.
* Then click on the **RADIUS** option in the **Authentication Servers** list. Then click on **Add**. * Enter the domain name for this RADIUS server in the **Domain Name** field. **Warning**: Users are required to specify this domain name on the user login page. The domain name cannot be altered once the settings are saved. * Check the "**Enable RADIUS Server**" checkbox in the **Primary Server Settings** section. * Input the IP address of the Mirket (RADIUS server) into the **IP Address** field. * Input **1812** for communication with the Mirket (Radius Server) in the **Port** field. Also, you can use different ports to communicate. * Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the **Shared Secret** and **Confirm Secret** fields. In Mirket use this same secret key when [configuring a RADIUS client resource](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules/radius-clients.md). * Input **60** in the **Timeout** field. Then, keep the **Retries**, **Dead Time**, and **Group Attribute** settings at their default values. * Click on **Save** to confirm settings.
#### Configuring Mobile VPN with SSL * Go to **VPN > Mobile VPN**. Then click on the **Manually Configure** option in the **SSL** section.
* Check the **Activate Mobile VPN with SSL** checkbox. * Input the external IP address or domain name of the Firebox in the **Primary** field. This represents the default IP address or domain name used for connections by Mobile VPN with SSL clients. * Click on **Save** to confirm settings. When you click on the **Save** option, a default SSLVPN-Users user group is added upon saving your changes.
* Select the **Authentication** tab. Then choose the authentication server you created previously from the **Authentication Server** dropdown list and click on **Add**. * Choose your authentication server in the **Authentication Server** list and click on **Move Up** to position it at the top of the list, making it the default authentication server. **Note:** If you've set up a Mobile VPN with SSL and wish to exclusively test Mirket MFA, avoid designating your authentication server as the default.
* Choose the authentication server you created previously from the **Create new** dropdown list, in the **Users and Groups** section. * Choose the **Group** option from the **adjacent** dropdown list. Then click on **Add** to add group to authenticate. * Choose the **Group** option in the **Type** field. Then enter a group name in the **Name** field. The group name should be an exact match to the Mirket group your users are associated with. This is case-sensitive. * Choose your authentication server from the **Authentication Server** dropdown list.
* Then click on **Save** to confirm settings. * Check the group you created previously checkbox in the **Users and Groups** list. Then click on **Save** to confirm settings. ### Configure Mirket To enable Mirket to receive authentication requests from Firebox, follow these steps: * Define Firebox as a RADIUS client resource within Mirket. * Create an authentication policy for the Firebox RADIUS client resource or include it in an existing authentication policy. * Attach the Firebox resource to the Mirket Radius. ### Add a Firebox as Resource in Mirket with Mirket Radius Gateway Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps: * First, navigate to the directory `C:\MirketRadius` and open the `config.json` file.
* Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration. * **samName**: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'. * **authenticationPort**: Enter the authentication port value you set for the gateway. The default value is 1812. * **accountingPort**: Enter the accounting port value you specified for the gateway. The default value is 1813. * **gatewayIp**: Enter the IP address of the server where the Mirket is installed. * **ipAddress**: Enter the IP address of your firewall. * **secretKey**: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.
* Once you've made the necessary changes to the config.json file, save and close it. **Note**: You can add multiple RADIUS clients. * After completing the configuration, restart the 'Mirket Radius Gateway Service'.
### User and Group configuration on Mirket To set up multifactor authentication, make sure you have at least one user group in Mirket. If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group. * [Create a Local Group to add users manually.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-group-configuration.md) * [Add local Mirket users manually.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-users-configuration.md) If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket. * [Create a LDAP group to include LDAP users.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-group-configuration.md) * [Sync users from an external user database.](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-users.md) ### Create an Authorization Profile on Mirket After authentication, in scenarios requiring authorization (Example: Sending group name to the Radius client in SSL VPN), you can complete the process by creating an authorization profile in Mirket and selecting the created profile in Radius rules. The following steps should be followed to create an authorization profile: * Select **Authorization Profiles**. * Click on **Add New**. * Enter an authorization profile name in the **Name** field. * Select the attribute type as "**FilterId**" from the **Attribute Type** dropdown list. * Enter the group to be granted authorization in the **Value** field. Please ensure that the value is the same as the group name you specify in Firebox Watchguard. * Click on **Save** to confirm settings.
### Add a Radius Rules to Mirket Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.). First, you should follow these steps: * Select **Rules > Radius Rules**. * Click on **Add New**. * Enter a rule name in the **Name** field. * Enter the rule description in the **Description** field. * Select the group to which the rule applies from the **Group** dropdown list. * Select the provider to which the rule applies from the **Provider** dropdown list. * Select the authorization profile to which the rule applies from the **Authorization** dropdown list. * Click on **Save** to confirm settings.
### Test the Integration To validate the integration between Mirket MFA and your WatchGuard Firebox, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication. **Note:** When configuring Mobile VPN with SSL to utilize multiple authentication servers, users not utilizing the default authentication server need to specify the authentication server or domain before entering the username. In this example, we illustrate the use of the Approve/Deny authentication method. * Launch your Mobile VPN with SSL client. * Enter your Mirket username and password. * Then, select the '**Approve**' option(found in the Mirket mobile app) immediately and make sure it doesn't time out. #### Related Topics [Radius Clients](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules/radius-clients.md) [Radius Rules](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/rules/radius-rules.md) [Local Group Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-group-configuration.md) [Local Users Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/local-users-configuration.md) [LDAP Group Configuration](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-group-configuration.md) [LDAP Users](/mirket-help-center/mirket-help-center/mirket-on-premise/mirket-admin-panel/user-management/ldap-users.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.mirketsecurity.com/mirket-help-center/mirket-help-center/mirket-on-premise/integrations/watchguard-ssl-vpn-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.