Configuring the Watchguard Edge for RADIUS authentication




Watchguard Edge and the CRYPTOCard CRYPTO-MAS hosted RADIUS authentication service

Mark Slater
6th December 2008

Problem

Watchguard introduced RADIUS authentication into their Edge range of firewall appliances starting with version 10 of the firmware. The Watchguard Edge will only forward RADIUS authentication requests if the RADIUS username it receives is in the format of domain\username. The CRYPTO-MAS hosted RADIUS server expects to receive just a username and not the domain\ part of the login. The CRYPTO-MAS portal won't allow a username to be created which contains a \. Due to the above, a Watchguard Edge cannot authenticate to the CRYPTO-MAS RADIUS server.

Solution

Microsoft Windows 2003 Server ships with an installable service called Internet Authentication Service (IAS). As well as being able to operate as a standalone RADIUS server, IAS also has the ability to act as a RADIUS proxy, enabling RADIUS requests to be proxied onto a third party RADIUS server and then proxied back to the originating RADIUS client. One other interesting feature of IAS is that it allows the format of the RADIUS username to be modified prior to being sent on to the 3rd party RADIUS server.

In this solution we will use IAS to act as a RADIUS proxy, sitting between the Watchguard Edge and the CRYPTO-MAS RADIUS server. We will use the feature of IAS which allows modification to strip off the domain\ part of the RADIUS username sent from the Watchguard. This means that only the username part is sent to the CRYPTO-MAS RADIUS server, which can then be successfully authenticated. The RADIUS access allowed token will then be sent back to the Watchguard.

This solution will require the customer to have a Windows 2003 server running on the LAN, on to which the IAS service will be installed.

N.B. In Windows 2008 IAS has been renamed Network Policy Server. No testing has been done with this but it should be possible to achieve the same results.

The method detailed below would also be suitable for other 3rd party firewalls which will only accept a RADIUS username in a specific format.

Configuring the Watchguard Edge for RADIUS authentication

A detailed description of VPN and RADIUS configuration can be found in the Watchguard Edge Administrators guide. Key points are:

- Set the RADIUS server on the Edge to point to the IP of the Windows Server, which will be running the IAS service.
- Choose and enter a RADIUS server secret which will be used to authenticate RADIUS requests between the Watchguard and IAS (in the example below, IAS server is on 192.200.200.101).
- Create a group for your VPN users (choose a suitable name). Make a note of the group name, as this will be used when configuring the CRYPTO-MAS portal.

Installing and Configuring Internet Authentication Server

IAS is installed by going into Add/Remove programs and clicking on Add/Remove Windows Components. Highlight Networking Services, click the Details button and then put a tick next to Internet Authentication Service. You may be prompted for your Windows 2003 Server install CD. Once installed, launch the IAS console from Administrative Tools.

Right click on RADIUS Clients and select New RADIUS Client. Enter Watchguard Edge for the friendly name, and the IP address/DNS name for the Watchguard Edge. Enter the RADIUS server secret as set on the Watchguard Edge (not the CRYPTO-MAS shared secret).

Select Remote Access Policies and then New Remote Access Policy. Select Add on the policy conditions screen, select Client-IP-Address from the list of options and enter the Watchguard internal IP address. Select Grant Remote Access on the next screen. A new policy will be created allowing the Watchguard access.

Expand Connection Request Processing and select Remote RADIUS Server Groups. Right click and select New Remote RADIUS Server Group. On the Add Servers page click Add. On the Address tab enter the IP address of the CRYPTO-MAS RADIUS server. On the Authentication\Accounting tab enter the shared RADIUS secret you have been given by CRYPTOCard. Set Authentication Port to 1812 and Accounting Port to 1813.

Ensure the tick box is selected to Start the New Connection Request Policy Wizard when this wizard closes. When the New Connection Request Policy Wizard starts, enter CRYPTO-MAS for policy name. Select Add on the policy conditions screen, select Client-Friendly-Name from the list of options and enter Watchguard Edge. Click Next and click on the Edit Policy button.

On the Authentication tab select Forward requests to the following remote RADIUS server group for authentication and select CRYPTOCard from the drop down list. If you are using RADIUS accounting tick the box on the Accounting tab and select CRYPTOCard from the drop down list. On the Attribute tab select User-Name in the Attribute drop down list and click on Add. Type domain\\ in the Find box (N.B. replace the word domain with the name of the domain the users will enter when connecting via the Watchguard VPN client). Leave the Replace With box blank. This will strip out the domain\ part of the username entered on the Watchguard VPN client prior to it being sent to the CRYPTO-MAS RADIUS server. You have now completed configuration of IAS.
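The following is an added example, not part of the original document and not IAS code: a sketch of what a RADIUS proxy does to the Access-Request in this setup, going beyond the username rule to show why the Edge-to-IAS secret and the CRYPTOCard secret are separate (User-Password is hidden per hop, per RFC 2865 section 5.2). Python's re module stands in for the IAS Find box, which treats the backslash as an escape character (hence domain\\); the domain CORP, user alice, the one time password and both secrets are constructed placeholders.

```python
import hashlib, os, re, struct

USER_NAME, USER_PASSWORD, ACCESS_REQUEST = 1, 2, 1   # RFC 2865 type/code numbers
EDGE_SECRET, MAS_SECRET = b"edge-ias-secret", b"ias-mas-secret"  # constructed placeholders

def _chain(data, secret, auth, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else res              # always chain on ciphertext
        out += res
    return out

def hide(password, secret, auth):
    size = max(16, -(-len(password) // 16) * 16)      # pad with NULs to a multiple of 16
    return _chain(password.ljust(size, b"\x00"), secret, auth, False)

def reveal(hidden, secret, auth):
    return _chain(hidden, secret, auth, True).rstrip(b"\x00")

def build(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def proxy_request(packet, nas_secret, upstream_secret, find, replace=""):
    """Rewrite User-Name and re-hide User-Password for the upstream hop."""
    code, ident, auth, attrs = parse(packet)
    new_auth, out = os.urandom(16), []                # fresh Request Authenticator
    for t, v in attrs:
        if t == USER_NAME:                            # the Find / Replace With rule
            v = re.sub(find, replace, v.decode()).encode()
        elif t == USER_PASSWORD:                      # hidden per hop, so re-key it
            v = hide(reveal(v, nas_secret, auth), upstream_secret, new_auth)
        out.append((t, v))
    return build(code, ident, new_auth, out)

def sample_request(user=b"CORP\\alice", otp=b"482913"):
    """Constructed Access-Request such as the Edge might send; values are made up."""
    auth = bytes(range(16))
    return build(ACCESS_REQUEST, 7, auth,
                 [(USER_NAME, user), (USER_PASSWORD, hide(otp, EDGE_SECRET, auth))])
```

Calling proxy_request(sample_request(), EDGE_SECRET, MAS_SECRET, r"CORP\\") yields a packet whose User-Name is alice and whose User-Password only reveals the one time password under the upstream secret.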

Configuring the VPN Group on the CRYPTO-MAS Portal

The Watchguard Edge will expect the CRYPTO-MAS portal to pass back a RADIUS attribute which contains the VPN group name you have configured on the Watchguard Edge. Log into your CRYPTO-MAS portal, click on the Group tab and select the group which your VPN users are a member of. Add a RADIUS authentication property for the property Filter-Id with a property value which matches the name of the VPN group you have created on the Watchguard. Save the property you have added.

Testing the RADIUS authentication

From the Watchguard Edge management interface, enter the RADIUS configuration screen and click on the Test RADIUS authentication button. Enter your CRYPTO-MAS username into the username box in the format of domain\username (where domain matches the domain you set up in the attribute filter string on IAS on the previous page). Generate a One Time Password using your CRYPTOCard token or software client, enter it into the password box and click on Test. A successful connection should look similar to the screenshot on the left. Log In should return OK. Get group list should return OK and the name of your Watchguard VPN group.