Revised: 21 March 2016

Integration Guide

VASCO IDENTIKEY Authentication Server (IAS)


About This Guide

Guide Type

Documented Integration — WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.


VASCO IDENTIKEY Authentication Server Integration Overview

VASCO IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. This document describes how to integrate VASCO IDENTIKEY Authentication Server with a WatchGuard Firebox. You can use the combination of these two products to set up a more secure remote connection between the outside world and your company’s internal network.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

Firebox or WatchGuard XTM device installed with Fireware v11.10.x
VASCO IDENTIKEY Authentication Server version 3.9 installed on Windows Server 2012 R2

VASCO IDENTIKEY Server supports integration into an existing environment with a RADIUS Server, Active Directory Server or LDAP Server. In this document, we use a RADIUS Server as an example. To demonstrate user authentication in this document, we use the WatchGuard Mobile VPN with SSL client.

To set up the VASCO IDENTIKEY Authentication Server, refer to the instructions in the VASCO IDENTIKEY Authentication Server Installation Guide. In this document, we describe how to configure the IDENTIKEY Authentication Server and Firebox to work together.

The figure below demonstrates the workflow described in this document.


1. The user initiates an authentication request to the Firebox. The user password is the static password followed by the One-Time Password (OTP) shown on the DIGIPASS.

2. The Firebox sends the authentication request to the IDENTIKEY Authentication Server over RADIUS.

3. The IDENTIKEY Authentication Server checks the password combination. If it is correct, it sends an Access-Accept response to the Firebox; otherwise it sends an Access-Reject.

4. The Firebox grants access to the user.
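The four steps above, modelled end to end as an added example in Python. This is not WatchGuard or VASCO code: it shows how the Firebox hides the combined static password and OTP in the RADIUS User-Password attribute under the shared secret (RFC 2865 section 5.2), how the server side recovers the value, splits off the OTP, checks both parts and answers with an Access-Accept or Access-Reject, and why a replayed OTP or a mismatched shared secret is refused. Everything it assumes is constructed here and not taken from the guide: an RFC 4226 HOTP stands in for the proprietary DIGIPASS algorithm, the OTP is six digits long, and the user record, shared secret and packet contents are invented for the demonstration.

```python
"""Model of the RADIUS exchange in steps 1 to 4 (added example, not WatchGuard
or VASCO code). Assumptions, none taken from the guide: the OTP check is an
RFC 4226 HOTP standing in for the proprietary DIGIPASS algorithm, and the user
record, shared secret and packets are constructed inline."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OTP_DIGITS = 6  # assumed length; the guide's example OTP is "123456"

# Constructed shared secret: identical on the Firebox (Passphrase) and on the
# IAS RADIUS client entry. It is the only key protecting User-Password.
SHARED_SECRET = b"Xk4!vQ9pL2sWz7hR"

# Constructed user record standing in for an IAS user with an assigned
# DIGIPASS; the seed is the RFC 4226 test-vector key.
USERS = {b"alice": {"static": b"password", "seed": b"12345678901234567890", "counter": 0}}


def _md5_keystream_xor(secret, authenticator, data, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block  # chain on the ciphertext either way
    return out

def hide_password(secret, authenticator, password):
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_keystream_xor(secret, authenticator, padded, hiding=True)

def unhide_password(secret, authenticator, hidden):
    return _md5_keystream_xor(secret, authenticator, hidden, hiding=False).rstrip(b"\x00")

def hotp(seed, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: constructed stand-in for the DIGIPASS OTP."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def build_access_request(secret, username, combined_password, ident=1):
    """Step 2: the Firebox's Access-Request. combined_password is static + OTP."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    hidden = hide_password(secret, authenticator, combined_password)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def _parse_attributes(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def ias_handle(secret, packet):
    """Step 3: the IDENTIKEY side checks static password + OTP and replies with
    Access-Accept or Access-Reject, authenticated by the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attributes(packet[20:length])
    user = USERS.get(attrs.get(ATTR_USER_NAME))
    reply = ACCESS_REJECT
    if code == ACCESS_REQUEST and user and ATTR_USER_PASSWORD in attrs:
        combined = unhide_password(secret, req_auth, attrs[ATTR_USER_PASSWORD])
        static, otp = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
        ok_static = hmac.compare_digest(static, user["static"])
        ok_otp = hmac.compare_digest(otp, hotp(user["seed"], user["counter"]).encode())
        if ok_static and ok_otp:
            user["counter"] += 1  # each OTP is accepted once; a replay is rejected
            reply = ACCESS_ACCEPT
    header = struct.pack("!BBH", reply, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def firebox_check_reply(secret, request, response):
    """Step 4: grant access only on an Access-Accept whose Response
    Authenticator verifies under the shared secret."""
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT

def authenticate(username, combined_password, secret=SHARED_SECRET):
    """Whole round trip as seen from the Firebox; secret is the Firebox's copy."""
    request = build_access_request(secret, username, combined_password)
    response = ias_handle(SHARED_SECRET, request)  # IAS always uses its own secret
    return firebox_check_reply(secret, request, response)
```

Call authenticate(b"alice", b"password" + hotp(seed, counter).encode()) to walk one login; calling it a second time with the same OTP is rejected because the server has moved its counter on. Two things to take from the model: the shared secret is the only protection the password and OTP have between the Firebox and the server (an MD5 keystream, not modern encryption), so choose a long random value and keep that RADIUS path on a trusted network segment; and if the Firebox's Passphrase does not match the IAS client entry, the server decodes garbage and rejects, while the Firebox in turn cannot verify the reply, so a mismatch shows up as a failed login rather than an error message.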

IDENTIKEY Authentication Server Configuration

Create a New Policy

In the Authentication Server > Policies menu you define the authentication behavior.

1. Select Policies > Create.

2. In the Policy ID text box, type a meaningful name for the policy, for example WatchGuardTest.

3. Click CREATE to create the new policy.


4. Click Edit to edit the policy settings.

5. From the Local Authentication drop-down list, select Digipass/Password.

6. Click Save.

Define the Firebox as a Client

In the Clients configuration you specify the location from which IDENTIKEY Authentication Server will accept requests and the protocol it uses. To do this, you add the Firebox as a RADIUS client.

1. Select Clients > Register.

2. To set the Client Type, click SELECT FROM LIST, then select RADIUS Client.


3. In the Location text box, specify the IP address of the Firebox.

4. From the Policy ID drop-down list, select the policy that you created in the Policies configuration.

5. From the Protocol ID drop-down list, select RADIUS.

6. In the Shared Secret and Confirm Shared Secret text boxes, type the shared secret.

This shared secret must match the passphrase you configure in the RADIUS server settings on the Firebox. Choose a long, random value: RADIUS hides the User-Password attribute with nothing more than an MD5 keystream derived from this secret, so it is the only protection the password and OTP have on the path between the Firebox and the server.

7. In the Character Encoding text box, type the encoding used if required, or keep it blank.

8. Click CREATE to finish client creation.

Add Users to the IDENTIKEY Authentication Server

For a user to use IDENTIKEY for authentication, the user must be added on the IDENTIKEY Authentication Server.

1. Select Users > Create.

2. In the User ID text box, type the username to add.


3. In the Enter static password and Confirm static password text boxes, type the static password for this user. The user can use the static password to authenticate if there is no DIGIPASS assigned to the user. If a DIGIPASS is assigned to the user, the user’s password is a combination of the static password and the One-Time Password generated on the assigned DIGIPASS.

Assign a DIGIPASS to Users

The purpose of using an IDENTIKEY Authentication Server is to enable users to log in with One-Time Passwords (OTP). The DIGIPASS is a device that generates OTPs for the user. To enable a user to use an OTP as part of the password, you must assign a DIGIPASS to the user.

1. Click a user name to edit the user.

2. Select the Assigned DIGIPASS tab.

3. Click ASSIGN.

4. Select the DIGIPASS that was imported before from the DPX file given by VASCO.

The selected DIGIPASS is assigned to the user.


Firebox Configuration

This configuration procedure uses Fireware Web UI. You can also use Policy Manager to complete these steps.

Configure the RADIUS Server on your Firebox

To authenticate with IDENTIKEY Authentication Server, you must enable the RADIUS server and configure the settings on the Firebox.

1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.

2. Select Authentication > Servers > RADIUS.

3. Select the Enable RADIUS Server check box.

4. In the IP Address text box, type the IP address of the IDENTIKEY Authentication Server.

5. In the Port text box, type the port used on the IDENTIKEY Authentication Server for RADIUS authentication. The default is port 1812.

6. In the Passphrase and Confirm text boxes, type the shared secret you configured for the RADIUS client on the IDENTIKEY Authentication Server.

7. Click Save.


Add Users

On the Firebox, add the user and set RADIUS as the authentication server for that user.

1. Select Authentication > Users and Groups.

2. Click Add.

3. Select User.

4. In the Name text box, type the same user name you created on the IDENTIKEY Authentication Server.

5. From the Authentication Server drop-down list, select RADIUS.

6. Click OK.

The user is added to the Users and Groups list on the Firebox.

7. Click Save.


Configure Mobile VPN with SSL with RADIUS Authentication

To use RADIUS authentication for user connections with the Mobile VPN with SSL client, enable Mobile VPN with SSL and configure it to use RADIUS for authentication.

1. Select VPN > Mobile VPN with SSL.

2. Select the Activate Mobile VPN with SSL check box.

3. In the Primary text box, type the IP address to which Mobile VPN with SSL clients will connect. This is an IP address of the Firebox.

4. Select the Authentication tab.

5. Select the check box next to RADIUS (Default) to use the RADIUS authentication server.


Test the Integration

To test the integration, we use Mobile VPN with SSL to test user authentication.

Mobile VPN with SSL client software download from Firebox

1. Browse to the SSL VPN web portal at https://<IP of Firebox>:4100/sslvpn.html.

2. In the Username text box, type the user name of a user defined on the IDENTIKEY Authentication Server.

3. In the Password text box, type the password. The password is a combination of the static password for the user configured on IDENTIKEY Authentication Server plus the One-Time Password (OTP) shown on the screen of the DIGIPASS assigned to the user. For example, if the static password is “password” and the OTP at the time is “123456”, the user must type the password “password123456”.

4. If necessary, from the Domain drop-down list, select RADIUS.

5. Click Login.

After successful authentication, the download page appears.


You can now download the appropriate version of the VPN client for your operating system.

Mobile VPN with SSL Client Authentication

After the user downloads and installs the VPN client, the user uses the same name and password combination as described above in the WatchGuard Mobile VPN with SSL client.

1. Launch the Mobile VPN with SSL client.

2. In the Server text box, type the Firebox IP address configured in the Mobile VPN settings on the Firebox.

3. In the User name text box, type the user name configured on the IDENTIKEY Authentication Server.

4. In the Password text box, type the password. The password is a combination of the static password for the user configured on IDENTIKEY Authentication Server plus the One-Time Password (OTP) shown on the screen of the DIGIPASS assigned to the user.

5. Click Connect. The Mobile VPN with SSL client shows the status Connected.

