Okta and Firebox Mobile VPN with IPSec Integration Guide (2024)

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to set up multi-factor authentication (MFA) for Mobile VPN with IPSec. Your WatchGuard Firebox must already be configured and deployed before you set up MFA with Okta.

Your WatchGuard Firebox can be configured to support MFA in several modes. For this integration, we set up RADIUS with Okta.

For RADIUS authentication, users can authenticate with a push notification or a time-based one-time password (TOTP). The steps in this integration guide are for both authentication methods.

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.7.1
  • Okta RADIUS Server Agent 2.15.1 or higher

Topology

This topology diagram shows the data flow for multi-factor authentication with a WatchGuard Firebox and Okta.

[Topology diagram: Okta and Firebox Mobile VPN with IPSec]

Before You Begin

Before you begin, make sure that:

  • A token is assigned to a user in Okta Verify
  • You have installed and configured the Okta RADIUS Server Agent

Configure the Firebox

You must configure the RADIUS authentication settings and enable Mobile VPN with IPSec on your Firebox.

Configure RADIUS Authentication

When a user authenticates with Okta MFA, Okta does not send a response to the Firebox until the user approves the push notification or until the push authentication expires.

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page opens.

[Screenshot 2]

  3. From the Authentication Servers list, click RADIUS.
    The RADIUS page opens.
  4. Click Add.
    The Add page opens.
  5. In the Domain Name text box, type the domain name for this RADIUS server. Users must specify this domain name on the user login page. You cannot change the domain name after you save the settings.
  6. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  7. In the IP Address text box, type the IP address of the RADIUS server (the Okta RADIUS Server Agent).
  8. In the Port text box, keep the default port setting of 1812. This is the default port used for communication with the RADIUS server (the Okta RADIUS Server Agent).
  9. In the Shared Secret and Confirm Secret text boxes, type a shared secret key. This key is used to communicate with the RADIUS server (the Okta RADIUS Server Agent).
  10. In the Timeout text box, type 60.
  11. Keep the default value for Group Attribute.

[Screenshot 3]

  12. Click Save.

Configure Mobile VPN with IPSec

  1. Select VPN > Mobile VPN.
  2. In the IPSec section, click Configure.

[Screenshot 4]

  3. Click Add to add a new group.
  4. In the Name text box, type a group name that matches the name of the Okta group or Active Directory group that your users belong to.
  5. From the Authentication Server drop-down list, select the authentication server that you created. In our example, the server name is Radius-Server.
  6. In the Passphrase and Confirm text boxes, type a passphrase to encrypt the mobile VPN profile (.wgx file) that you distribute to users in this group. The passphrase can include only standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users.
  7. In the Primary text box, type the external IP address of the Firebox that the VPN client connects to.

[Screenshot 5]

  8. Select the Resources tab.
  9. Select the Allow All Traffic Through Tunnel check box.

[Screenshot 6]

  10. In the Virtual IP Address Pool section, click Add.
  11. From the Choose Type drop-down list, select Host Range IPv4.
  12. In the From and To text boxes, type a range for your virtual IP addresses. The range should be in your interface range. The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
  13. Click OK.

[Screenshot 7]

  14. Click Save.
  15. In the Groups list, select the group.
  16. From the Client drop-down list, select WatchGuard Mobile VPN.
  17. Click Generate and save the <group name>.ini file.

[Screenshot 8]

Configure Okta

Configure Multifactor

  1. Log in to the Okta Admin Console.
  2. Select Security > Multifactor > Factor Types > Okta Verify.
  3. Set the status to Active.
  4. In the Okta Verify Settings section, click Edit.
  5. Select the Enable Push Notification check box.
  6. (Optional) Select the Require Touch ID or Face ID for Okta Verify (only on iOS) check box.
  7. Click Save.

[Screenshot 9]

  8. Select the Factor Enrollment tab.
  9. Select the Default Policy and click Edit.
  10. From the Okta Verify drop-down list, select Required.
  11. Click Update Policy.

[Screenshot 10]

Add an Okta Group and User

  1. Select Directory > Groups > Add Group.
  2. In the Name text box, type a group name.

[Screenshot 11]

  3. Click Add Group.
  4. To add a user in Okta, select Directory > People > Add Person.
    You can add your own user information.

[Screenshot 12]

  5. Click Save.

You can import users and groups from Active Directory to Okta. For information about how to import, see the Okta documentation.

Configure RADIUS Application

  1. Select Applications > Applications > Browse App Catalog.

[Screenshot 13]

  2. In the Browse App Integration Catalog section, search for RADIUS Application and click Add.
  3. In the Application label text box, type a descriptive name.

[Screenshot 14]

  4. Click Next.
  5. In the UDP Port text box, type 1812.
  6. In the Secret Key text box, type the same shared secret key that you configured on the Firebox. This is the password that the RADIUS server (the Okta RADIUS Server Agent) and the RADIUS client (the Firebox) use to communicate.
  7. From the Application username format drop-down list, select the appropriate user name format. In our example, we select Email.
  8. Keep the default values for all other settings.

[Screenshot 15]

  9. Click Done.
  10. Select the Sign On tab.
  11. In the Advanced RADIUS Settings section, click Edit.

[Screenshot 16]

  12. In the Groups Response section, select the Include groups in RADIUS response check box.
  13. From the RADIUS attribute drop-down list, select 11 Filter-Id.
  14. In the Group memberships to return text box, type and select the group.

[Screenshot 17]

  15. (Optional) In the Authentication section, select the Accept password and security token in the same login request check box.
  16. (Optional) Select the Permit Automatic Push for Okta Verify Enrolled Users check box.
  17. (Optional) Select the Send Access-Challenge for MFA-only logins check box.
  18. (Optional) Select the Enable UPN or SAM account Name Login check box.
  19. Keep the default values for all other settings.

[Screenshot 18]

  20. Click Save.
  21. Select the Assignments tab.
  22. Select Assign > Assign to Groups.
    If you select Assign to People instead, the user must belong to the group you configured in the Groups Response section.
  23. Select the group and click Assign.
  24. Click Done.

[Screenshot 19]

The default RADIUS session timeout sent by the Okta RADIUS agent is 60 seconds, and the VPN connection might be disconnected within two minutes. To solve this problem, you can add the ragent.mfa.timeout.seconds parameter to the Okta RADIUS agent config.properties file. For information about how to configure the parameter, see Configure properties in the Okta documentation.
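As an added example (not WatchGuard's or Okta's code), this script shows what a RADIUS client such as the Firebox has to do with each reply from the Okta RADIUS Server Agent configured above: verify the Response Authenticator with the shared secret (which is why the Secret Key in Okta must equal the Shared Secret on the Firebox), treat an Access-Challenge as the prompt the user answers during login, and read group membership from Filter-Id (attribute 11) so it can be compared with the Mobile VPN group name. Packet layout follows RFC 2865. The shared secret, Request Authenticator, group name and prompt text are constructed sample data; the wording of Okta's real challenge prompt is not assumed.

```python
# Added example (not WatchGuard's or Okta's code): how a RADIUS client such as
# the Firebox verifies and reads a reply from the Okta RADIUS Server Agent.
# Packet layout follows RFC 2865; all sample values below are constructed.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
ATTR_FILTER_ID = 11       # the Firebox's default Group Attribute
ATTR_REPLY_MESSAGE = 18   # prompt text shown to the user in a challenge
ATTR_STATE = 24           # opaque token the client echoes in its next request


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, identifier, request_auth, attrs, secret):
    """Build a server reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def decode_attrs(body):
    """Walk the TLV list, refusing truncated or malformed entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator before trusting anything in the reply;
    a mismatch means the shared secrets differ or the packet was altered."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    header, response_auth, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch")
    return code, decode_attrs(body)


def classify_response(packet, request_auth, secret):
    """Return ("accept", [groups]), ("challenge", prompt) or ("reject", None).
    Groups are read from Filter-Id, the attribute Okta is set to return."""
    code, attrs = verify_response(packet, request_auth, secret)
    if code == ACCESS_ACCEPT:
        return "accept", [v.decode() for t, v in attrs if t == ATTR_FILTER_ID]
    if code == ACCESS_CHALLENGE:
        prompts = [v.decode() for t, v in attrs if t == ATTR_REPLY_MESSAGE]
        return "challenge", " ".join(prompts)
    return "reject", None


def firebox_group_matches(groups, configured_group):
    """The Mobile VPN group name on the Firebox must equal a returned group
    name; this example assumes an exact, case-sensitive comparison."""
    return configured_group in groups


# Constructed sample data: a shared secret, the Request Authenticator the
# client sent, and two replies the agent might send for one login attempt.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_CHALLENGE = build_response(
    ACCESS_CHALLENGE, 7, REQUEST_AUTH,
    [(ATTR_REPLY_MESSAGE, b"Enter 1 for Okta Verify push"), (ATTR_STATE, b"s1")],
    SECRET)
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 8, REQUEST_AUTH, [(ATTR_FILTER_ID, b"VPN-Users")], SECRET)

if __name__ == "__main__":
    print(classify_response(SAMPLE_CHALLENGE, REQUEST_AUTH, SECRET))
    kind, groups = classify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET)
    print(kind, groups, firebox_group_matches(groups, "VPN-Users"))
```

Running the script prints the challenge prompt, then the accepted group list and whether it matches a Firebox group named VPN-Users. Changing SECRET on only one side, or flipping any byte of a reply, makes verify_response raise, which is the behaviour you want from the client: a reply whose authenticator does not check out is discarded rather than acted on.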

Test the Integration

To test the integration of Okta and WatchGuard Mobile VPN with IPSec, you authenticate with a mobile token on your mobile device. For RADIUS resources, you can authenticate with a time-based one-time password (TOTP) or a push notification.

To authenticate with push:

  1. Open your WatchGuard Mobile VPN with IPSec client.
  2. Select Configuration > Profiles and import the <group name>.ini config file. This is the file you generated at the end of the Configure Mobile VPN with IPSec section.
  3. Click Add / Import.
  4. Select Profile Import.
  5. Click Next.
  6. Select your file.
  7. Click Next to finish.
  8. Select your profile as default.
  9. Click OK.
  10. Select Connection > Connect.
  11. Type your Okta user name and password.
  12. Click OK.

[Screenshot 20]

  13. Type 1.
  14. Click OK.
  15. Approve the authentication request that is sent to your mobile device.
    You are connected successfully.

[Screenshot 21]

To authenticate with a TOTP:

  1. Open your WatchGuard Mobile VPN with IPSec client.
  2. Select Connection > Connect.
  3. Type your Okta user name and password.
  4. Click OK.

[Screenshot 22]

  5. Type the passcode shown in the Okta Verify mobile app.
  6. Click OK.
    You are connected successfully.


© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
