Watchguard SSL VPN Integration

General Overview

This guide explains the configuration of multi-factor authentication (MFA) for Mobile VPN utilizing SSL with local users, LDAP and Active Directory users, and Azure Active Directory users. Prior configuration and deployment of WatchGuard Firebox are required before setting up MFA with Mirket.

For RADIUS authentication, users have the option to authenticate using a push notification or a one-time password (OTP). When configuring the authentication policy in Mirket, you can select the preferred authentication method for users. The steps provided in this integration guide apply to both authentication options.

This integration was tested with version v12.7 of Fireware.

Preparation Steps

Before proceeding with these procedures, ensure the following:

If you have Fireware v12.6.7 or an earlier version, we recommend completing the installation and configuration of Mirket (go to"Mirket Installation Steps" ).

Configuring Mirket MFA for Firebox Mobile VPN with SSL

The steps for configuring Mirket and your Firebox vary depending on the version of Fireware you have. Follow the instructions in this section to set up Mirket MFA for Active Directory users utilizing Mobile VPN with SSL specifically designed for Fireware v12.6.x and earlier.

Configuring Firebox

To proceed, configure the RADIUS authentication settings and activate Mobile VPN with SSL on your Firebox.

RADIUS Authentication Configuration

Mirket delays sending a response to the Firebox until the user approves the push notification or until the push authentication expires.

During the configuration of the RADIUS authentication server, ensure that the Timeout value exceeds the push timeout duration set in Mirket, which is typically 60 seconds. By default, if a user fails to approve the push notification within 30 seconds, the Firebox might shift to another server, even if the current server is operational.

Access the Fireware Web UI (https://<your firebox IP address>:8080)
Go to Authentication > Servers.

Then click on the RADIUS option in the Authentication Servers list. Then click on Add.
Enter the domain name for this RADIUS server in the Domain Name field. Warning: Users are required to specify this domain name on the user login page. The domain name cannot be altered once the settings are saved.
Check the "Enable RADIUS Server" checkbox in the Primary Server Settings section.
Input the IP address of the Mirket (RADIUS server) into the IP Address field.
Input 1812 for communication with the Mirket (Radius Server) in the Port field. Also, you can use different ports to communicate.
Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the Shared Secret and Confirm Secret fields. In Mirket use this same secret key when configuring a RADIUS client resource.
Input 60 in the Timeout field. Then, keep the Retries, Dead Time, and Group Attribute settings at their default values.
Click on Save to confirm settings.

Configuring Mobile VPN with SSL

Go to VPN > Mobile VPN. Then click on the Manually Configure option in the SSL section.

Check the Activate Mobile VPN with SSL checkbox.
Input the external IP address or domain name of the Firebox in the Primary field. This represents the default IP address or domain name used for connections by Mobile VPN with SSL clients.
Click on Save to confirm settings. When you click on the Save option, a default SSLVPN-Users user group is added upon saving your changes.

Select the Authentication tab. Then choose the authentication server you created previously from the Authentication Server dropdown list and click on Add.
Choose your authentication server in the Authentication Server list and click on Move Up to position it at the top of the list, making it the default authentication server. Note: If you've set up a Mobile VPN with SSL and wish to exclusively test Mirket MFA, avoid designating your authentication server as the default.

Choose the authentication server you created previously from the Create new dropdown list, in the Users and Groups section.
Choose the Group option from the adjacent dropdown list. Then click on Add to add group to authenticate.
Choose the Group option in the Type field. Then enter a group name in the Name field. The group name should be an exact match to the Mirket group your users are associated with. This is case-sensitive.
Choose your authentication server from the Authentication Server dropdown list.

Then click on Save to confirm settings.
Check the group you created previously checkbox in the Users and Groups list. Then click on Save to confirm settings.

Configure Mirket

To enable Mirket to receive authentication requests from Firebox, follow these steps:

Define Firebox as a RADIUS client resource within Mirket.
Create an authentication policy for the Firebox RADIUS client resource or include it in an existing authentication policy.
Attach the Firebox resource to the Mirket Radius.

Add Firebox as a Resource in Mirket with Radius Gateway

Before starting, ensure that you have installed Mirket Radius Gateway from the Configuration > Gateway. To add a Radius Gateway to the Mirket, follow these steps:

Go to Configuration > Gateway and click on the Add Radius Gateway button.
On the displayed screen, enter a name for your Radius Gateway in the Name field.
Enter the SAM value of the gateway in the Sam Value field. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls.
Enter the IP address of the server where the gateway is installed in the Host IP Address field.
Enter the authentication port value you set for the gateway in the Auth Port field. The default value is 1812.
Enter the accounting port value you specified for the gateway in the Acc Port field. The default value is 1813. Note: After completing these fields, you must create a RADIUS client for the newly created RADIUS Gateway.
Click on the Add Radius Client option at the bottom of the displayed screen.
Enter a name for your Radius Client in the Radius Client field.
Enter the IP address of the client(firewall) that will communicate with the gateway in the IP Address field.
Enter the secret key that the client will communicate with the gateway in the Secret Key field.

Click on the Save button to confirm the settings.

Configuring Radius Gateway

After creating the Radius Gateway, click on the Download > Config from the menu on the right side of the gateway.

This option will generate a script related to the gateway, which will be displayed from the RADIUS Setup config file. The config file will automatically begin downloading once this option is selected.

Replace the existing config file in the "C:\MirketRadius" directory with the downloaded file. Alternatively, copy the displayed script and paste it into the config file in "C:\MirketRadius".

Then, restart the Mirket Radius Service.

You can check whether the Radius Gateway you created is active by navigating to Configuration > Gateway.

User and Group configuration on Mirket

To set up multifactor authentication, make sure you have at least one user or group in Mirket.

If it is preferred to use a local user, you can first create a local group and then create a local user and make the user a member of the group. Alternatively, you can create a local user without creating a local group.

If it is preferred to use LDAP users, the priority External Source is created by pulling users from Active Directory or OpenLDAP in Mirket. Note: Before proceeding, ensure that you have installed Mirket LDAP Gateway. (Refer to create LDAP Gateway.)

Add a Radius Rule to Mirket

Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP, etc.).

First, you should follow these steps:

Go to Configuration > Radius Rules.
Click on the Add Radius Rule button.
On the displayed screen, enter a name for the rule in the Name field.
Enter the rule description in the Description field.
Select the Radius Client to which the rule will apply from the Radius Client dropdown list.
Enter the source IP addresses to which the rule will apply in the Source Adress field.
Select the source countries where the rule will be applied from the Source Country dropdown list.
Click on the Next button.

Specify whether the rule will be applied to a user or a group.
After specifying, click on the Next button.

Select the users or groups to which the rule will apply. Transfer your selections to the Selected Users/Groups table by clicking the arrow icon next to the Available Users/Groups table.
Click on the Next button.

Select the time period when the rule will run.
- All: The rule will run every day.
- Recurring: The rule will run on the specified days and times.
- One Time: The rule will run within the date range you specify.
After selecting, click on the Next button.

Specify whether the user or group will be granted access based on the rule in the Action field.
Select the authentication provider to which the rule will apply from the Auth Method dropdown list.
Select the attribute type as "FilterId" from the Attribute Type dropdown list.
Enter the group to be granted authorization in the Value field. Please make sure that the value is the same as the group name you specify in Firebox Watchguard.

Click on Save to confirm the settings.

Test the Integration

To validate the integration between Mirket MFA and your WatchGuard Firebox, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.

Note: When configuring Mobile VPN with SSL to utilize multiple authentication servers, users not utilizing the default authentication server need to specify the authentication server or domain before entering the username.

In this example, we illustrate the use of the Approve/Deny authentication method.

Launch your Mobile VPN with SSL client.
Enter your Mirket username and password.
Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.