
How to add WiKID Two-factor authentication to a Watchguard Firebox

This document describes how to configure the Watchguard Firebox VPN solution to use two-factor authentication from WiKID.

We assume that you have already installed the WatchGuard Firebox. This document explains how to enable the RADIUS interface on the WatchGuard Firebox so that it accepts one-time passwords from the WiKID Strong Authentication System.

Start by adding the WiKID Strong Authentication server as a RADIUS server on the WatchGuard Firebox:

  • From the Firebox Policy Manager, select Setup | Authentication Servers.
  • Select the RADIUS Server tab.
  • Enter the IP address of the WiKID server, leave the port as 1812 and create a shared secret.
  • Click “OK.”
  • Follow the WatchGuard instructions for setting up MUVPN as usual, but choose the recently created WiKID RADIUS server as the authentication server.

On the WiKID Server, be sure to enable Radius:

  • Click on the 'Configuration' tab in the WiKIDAdmin web interface.
  • Click on 'Enable Protocols'.
  • If Radius is not Enabled, click on it.
  • You should be able to leave the settings as is and click 'Initialize'.

Next we add a specific network client for the WatchGuard Firebox:

  • Click on the 'Network Client' tab
  • Click on 'Create New Network Client'
  • Create a name such as "WatchGuard Firebox Two-factor VPN"
  • Choose a WiKID domain for the network client
  • Select 'Radius' as the protocol
  • Click 'Add'
  • On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
  • Click 'Add NC'
  • From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.

That is it. You should now have two-factor authentication properly configured for your WatchGuard Firebox VPN and Firewall, and you should be able to generate a one-time password from a Windows, Java, Blackberry, J2ME or Palm token and get access to your VPN.
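
To check the RADIUS settings (port 1812 and the shared secret) independently of the VPN client, the following added example, which is not part of the original how-to or of WiKID's or WatchGuard's software, builds the Access-Request a RADIUS client sends and verifies that the reply was produced with the same shared secret. The function names and the NAS identifier are hypothetical, and it assumes the host running it has itself been added as a RADIUS network client on the WiKID server.

```python
# Added example: minimal RADIUS (RFC 2865) client check for a one-time password.
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    # Attribute = type (1 byte), length including this header (1 byte), value
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, otp, secret, nas_id=b"radius-check",  # hypothetical id
                         ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user)                                          # User-Name
             + attr(2, hide_password(otp, secret, authenticator))   # User-Password
             + attr(32, nas_id))                                    # NAS-Identifier
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))         # code 1 = Access-Request
    return header + authenticator + attrs

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length + request authenticator + attrs + secret)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def check_otp(server, user, otp, secret, port=1812, timeout=5.0) -> bool:
    """Send one Access-Request; True on Access-Accept, False on Access-Reject."""
    request = build_access_request(user, otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, port))
        response, _ = s.recvfrom(4096)
    if not response_is_authentic(response, request, secret):
        raise ValueError("bad Response Authenticator: shared secrets do not match")
    return response[0] == 2   # 2 = Access-Accept, 3 = Access-Reject
```

A timeout from `check_otp` usually means the server is not accepting RADIUS from the sending address, and a `ValueError` means the shared secret entered on the two sides differs.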