Watchguard Edge and the CRYPTOCard CRYPTO-MAS
hosted RADIUS authentication service
Mark Slater, 6th December 2008
Problem
Watchguard introduced RADIUS authentication into their Edge range of firewall appliances starting with version 10 of the firmware.
The Watchguard Edge will only forward RADIUS authentication requests if the RADIUS username it receives is in the format of domain\username.
The CRYPTO-MAS hosted RADIUS server expects to receive just a username and not the domain\ part of the login. The CRYPTO-MAS portal won't allow a username to be created which contains a \.
Due to the above, a Watchguard Edge cannot authenticate to the CRYPTO-MAS RADIUS server.
Solution
Microsoft Windows Server 2003 ships with an installable service called Internet Authentication Service (IAS). As well as being able to operate as a standalone RADIUS server, IAS can also act as a RADIUS proxy, enabling RADIUS requests to be proxied on to a third party RADIUS server and the replies proxied back to the originating RADIUS client.
One other useful feature of IAS is that it allows the format of the RADIUS username to be modified before the request is sent on to the third party RADIUS server.
In this solution we will use IAS as a RADIUS proxy, sitting between the Watchguard Edge and the CRYPTO-MAS RADIUS server. We will use the IAS feature which allows the username to be modified, to strip off the domain\ part of the RADIUS username sent from the Watchguard. This means that only the username part is sent to the CRYPTO-MAS RADIUS server, which can then authenticate it successfully. The RADIUS access-accept response will then be sent back to the Watchguard.
This solution will require the customer to have a Windows 2003 server running on the LAN, on to which the IAS service will be installed.
N.B. In Windows 2008 IAS has been renamed Network Policy Server. No testing has been done with this but it should be possible to achieve the same results.
The method detailed below would also be suitable for other third party firewalls which will only accept a RADIUS username in a specific format.
Configuring the Watchguard Edge for RADIUS authentication
A detailed description of the VPN and RADIUS configuration can be found in the Watchguard Edge Administrator's Guide. The key points are:
Set the RADIUS server on the Edge to point to the IP of the Windows Server, which will be running the IAS service. Choose and enter a RADIUS server secret which will be used to authenticate RADIUS requests between the Watchguard and IAS (in the example below, IAS server is on 192.200.200.101).
Create a group for your VPN users (choose a suitable name). Make a note, as this will be used when configuring the CRYPTO-MAS portal.
Installing and Configuring Internet Authentication Server
IAS is installed by going into Add/Remove Programs and clicking on Add/Remove Windows Components. Highlight Networking Services, click the Details button and then put a tick next to Internet Authentication Service.
You may be prompted for your Windows Server 2003 installation CD.
Right click on RADIUS Clients and select New RADIUS Client.
Enter Watchguard Edge for the friendly name, and the IP address/DNS name of the Watchguard Edge.
Enter the RADIUS server secret as set on the Watchguard Edge (not the CRYPTO-MAS shared secret).
Select Remote Access Policies and then New Remote Access Policy.
Select Add on the policy conditions screen, select Client-IP-Address from the list of options and enter the Watchguard internal IP address.
Select Grant Remote Access on the next screen. A new policy will be created allowing the Watchguard access.
Expand Connection Request Processing and select Remote RADIUS Server Groups. Right click and select New Remote RADIUS Server Group.
On the Add Servers page click Add. On the Address tab enter the IP address of the CRYPTO-MAS RADIUS server.
On the Authentication\Accounting tab enter the shared RADIUS secret you have been given by
Ensure the tick box is selected to Start the New Connection Request Policy Wizard when this wizard closes.
When the New Connection Request Policy Wizard starts, enter CRYPTO-MAS for the policy name.
Select Add on the policy conditions screen, select Client-Friendly-Name from the list of options and enter Watchguard Edge.
Click Next and click on the Edit Policy
On the Authentication tab select Forward requests to the following remote RADIUS server group for authentication and select CRYPTOCard from the drop down list.
If you are using RADIUS accounting tick the box on the Accounting tab and select CRYPTOCard from the drop down list.
On the Attribute tab select User-Name in the Attribute drop down list and click on Add. Type domain\\ in the Find box (N.B. replace the word domain with the name of the domain the users will enter when connecting via the Watchguard VPN client). Leave the ReplaceWith box blank.
This will strip out the domain\ part of the username entered on the Watchguard VPN client prior to it being sent to the CRYPTO-MAS RADIUS server.
Configuring the VPN Group on the CRYPTO-MAS Portal
The Watchguard Edge will expect the CRYPTO-MAS portal to pass back a RADIUS attribute which contains the VPN group name you have configured on the Watchguard Edge.
Log into your CRYPTO-MAS portal, click on the Group tab and select the group which your VPN users are a member of.
Add a RADIUS authentication property for the property Filter-Id with a property value which matches the name of the VPN group you have created on the Watchguard. Save the property you have added.
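As an added example (not part of the original note, and not CRYPTOCard's or Microsoft's code), the following Python models what the IAS User-Name rule above does to an Access-Request on its way to CRYPTO-MAS, and what the Watchguard's check of the returned Filter-Id against its VPN group amounts to. The domain example, the group name VPN-Users and the packets are constructed values; the start-of-string anchor and case-insensitive match are assumptions that go beyond the note's unanchored Find string.

```python
import re
import struct

USER_NAME, FILTER_ID = 1, 11   # RADIUS attribute types (RFC 2865)
VPN_DOMAIN = "example"         # constructed: domain typed before the backslash on the Edge client
VPN_GROUP = "VPN-Users"        # constructed: VPN group created on the Edge, used as the Filter-Id value


def ias_find_pattern(domain):
    """Find string as typed on the IAS Attribute tab: IAS reads it as a regular expression,
    so the separating backslash must be doubled (domain\\\\)."""
    return re.escape(domain) + r"\\"


def strip_domain(user_name, domain=VPN_DOMAIN):
    """Find = domain\\\\, ReplaceWith = blank. Anchored at the start (stricter than the note's
    unanchored Find) and case-insensitive, assuming users may also type EXAMPLE\\alice."""
    return re.sub("^" + ias_find_pattern(domain), "", user_name, count=1, flags=re.IGNORECASE)


def decode_attributes(data):
    """Parse the type/length/value attributes that follow the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def encode_attributes(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def proxy_rewrite(request_attrs, domain=VPN_DOMAIN):
    """What IAS does before forwarding to CRYPTO-MAS: rewrite User-Name, pass the rest through."""
    out = []
    for t, v in decode_attributes(request_attrs):
        if t == USER_NAME:
            v = strip_domain(v.decode("utf-8"), domain).encode("utf-8")
        out.append((t, v))
    return encode_attributes(out)


def group_matches(accept_attrs, expected_group=VPN_GROUP):
    """The Edge's 'Get group list' check: some Filter-Id in the Access-Accept must equal the group."""
    return any(t == FILTER_ID and v == expected_group.encode("utf-8")
               for t, v in decode_attributes(accept_attrs))


# Constructed: an Access-Request with User-Name and NAS-IP-Address (type 4), and the Access-Accept expected back.
SAMPLE_REQUEST = encode_attributes([(USER_NAME, b"example\\alice"), (4, bytes([192, 200, 200, 1]))])
SAMPLE_ACCEPT = encode_attributes([(FILTER_ID, b"VPN-Users")])
```

A username that does not carry the domain prefix is passed through unchanged, so a misconfigured Find string is visible as a CRYPTO-MAS rejection of the full domain\username rather than as an IAS error.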
Testing the RADIUS authentication
From the Watchguard Edge management interface, enter the RADIUS configuration screen and click on the Test RADIUS authentication button. Enter your CRYPTO-MAS username into the username box in the format domain\username (where domain matches the domain you set up in the attribute Find string on IAS on the previous page).
Generate a One Time Password using your CRYPTOCard token or software client, enter it into the password box and click on Test. A successful connection should look similar to the screenshot on the left.
Log In should return OK. Get group list should return OK and the name of your Watchguard VPN group.