WatchGuard IKEv2 and L2TP with LoginTC MFA

NPS First Factor Authentication

This article describes how to configure the LoginTC RADIUS Connector with WatchGuard VPN/Firewall for IKEv2 and L2TP VPN connections.


The main idea is to perform First Factor Authentication with Microsoft NPS, with the LoginTC RADIUS Connector set to Authentication Mode: Direct.

Install NPS

Open Server Manager on your Active Directory host (Microsoft recommends installing NPS on your domain controller; see https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices#performance-tuning-nps).


Click Manage. Then click “Add Roles and Features”. A dialog box will appear.

Click Next.


Select “Role-based or feature-based installation” and click Next.

Select your domain controller from the server pool and click Next.

On the “Select server roles” page, check “Network Policy and Access Services”. Another dialog box will appear. Click Add features.

Ensure “Network Policy and Access Services” is checked. Click Next.

Click Next on the “Select features” page.


Click Next on the “Network Policy and Access Services” page.

Click “Install” on the “Confirm installation selections” page.

Wait for installation to finish.


Click “Close” to close the dialog box after installation is finished.

Configure NPS

Open Command Prompt as administrator and run

Open Network Policy Server

In the left panel, right-click on “NPS (Local)” and click “Register server in Active Directory”.

A new dialog box will appear. Click OK. Another dialog box will appear telling you that NPS is now authorized. Click OK.

Click on “RADIUS Clients and Servers” in the left panel. In the right panel, click “Configure RADIUS Clients”.

In the left panel, right-click on “RADIUS Clients” and click “New”. A new dialog box will appear.

Fill in the dialog box as follows:


Friendly Name: LoginTC RADIUS Connector

Address: <IP address of the connector>

Shared Secret: Ensure “Manual” is selected. Enter the same shared secret that you configured between WatchGuard and the LoginTC RADIUS Connector.


Click OK.

Click on Policies drop-down in the left panel to open sub-items.

In the left panel, right-click on “Connection Request Policies” and click New. A new dialog box will appear.

Enter “LoginTC RADIUS” as the Policy Name. Leave “Type of network access server” set to “Unspecified”. Click Next.

Click Add in “Specify Conditions”. A new dialog box will appear.

Scroll down and select “Day and Time Restrictions”. Click Add. A new dialog box will appear.

Click “Permitted”. Ensure that it turns all white boxes to blue. Click OK.

Click Next in “Specify Conditions”.


Nothing needs to be changed in “Specify Connection Request Forwarding”. Click Next.

Click Next in “Specify Authentication Methods”.

Nothing needs to be changed in “Configure Settings”. Click Next.


Click Finish on the completion screen.

In the left panel, right-click on “Network Policies” and click New. A new dialog box will appear.

Enter “LoginTC RADIUS” as the Policy Name. Leave “Type of network access server” set to “Unspecified”. Click Next.

Click Add in “Specify Conditions”. A new dialog box will appear.

Select “User Groups” and click Add. A new dialog box will appear.

Click “Add Groups…”. A new dialog box will appear.

Enter the name of the user group you want to authenticate RADIUS against. Click OK.

Repeat these steps to add all the user groups you want to authenticate RADIUS against.


After you are finished adding, click OK.

Click Next in “Specify Conditions”.


Ensure “Access granted” is selected in “Specify Access Permissions”. Click Next.

In “Configure Authentication Methods”, ensure that “Unencrypted authentication (PAP, SPAP)” is also checked.

Click Next in “Configure Authentication Methods”. A dialog box will appear.

Click “No” in the dialog box to proceed.

Click Next in “Configure Constraints”.


On the “Configure Settings” page, click on “Standard” in the left panel, then click “Add” in the right panel. A new dialog box will appear.

Select “Filter-Id” and click Add. A new dialog box will appear.

Click Add in “Attribute Information” dialog box. A new dialog box will appear.

Ensure “String” is selected. For the attribute value, provide the same value that you used when setting up RADIUS for the WatchGuard VPN. See https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/access-management_authentication_d.html and search for “group attribute” for more details. Click OK.

Click OK in Attribute Information. Click Close in “Add Standard RADIUS Attribute” dialog box.


Ensure the “Filter-Id” attribute is present on the “Configure Settings” screen. Click Next.

Click Finish on the completion screen.


In the left panel, right-click on “NPS (Local)” and click “Stop NPS Services”.


Wait 30 seconds. Then right-click on “NPS (Local)” and click “Start NPS Services”.
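The following PowerShell script is an added example and is not part of the LoginTC or WatchGuard documentation. It performs the RADIUS client registration and NPS restart from this section from an elevated prompt on the NPS host, then reads the NPS audit events (6272 granted, 6273 denied) so you can confirm that requests arriving from the connector are matched to the “LoginTC RADIUS” network policy with PAP. The connector address is a placeholder you must replace, and the Security log must have “Audit Network Policy Server” success and failure auditing enabled for step 3 to return anything.

```powershell
# Added example (not from the article). Run as administrator on the NPS host.
Import-Module NPS

$ConnectorAddress = '192.0.2.10'   # placeholder: IP address of the LoginTC RADIUS Connector
$ClientName       = 'LoginTC RADIUS Connector'
$PolicyName       = 'LoginTC RADIUS'

# Prompt for the shared secret rather than hard-coding it in a script that may be saved.
# It must be the same value used between WatchGuard and the connector.
$SecureSecret = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$PlainSecret  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureSecret))

# 1. Register the connector as a RADIUS client (same as the "New RADIUS Client" dialog).
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $ClientName)) {
    New-NpsRadiusClient -Name $ClientName -Address $ConnectorAddress -SharedSecret $PlainSecret
}
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Format-List Name, Address, Enabled

# 2. Restart NPS (Windows service name "IAS") so the new client and policies take effect.
Restart-Service -Name IAS
Start-Sleep -Seconds 30
Get-Service -Name IAS | Select-Object Name, Status

# 3. Review the last hour of NPS authentication events. Because the network policy
#    allows PAP, the password is protected only by the RADIUS shared secret on the
#    connector-to-NPS hop, so a denial from an unexpected client address is worth a look.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $m      = $e.Message
    $user   = if ($m -match 'Account Name:\s+(\S+)')                { $Matches[1] } else { '?' }
    $client = if ($m -match 'Client IP Address:\s+(\S+)')           { $Matches[1] } else { '?' }
    $policy = if ($m -match 'Network Policy Name:\s+([^\r\n]+)')    { $Matches[1].Trim() } else { '?' }
    $auth   = if ($m -match 'Authentication Type:\s+(\S+)')         { $Matches[1] } else { '?' }
    $reason = if ($m -match 'Reason:\s+([^\r\n]+)')                 { $Matches[1].Trim() } else { '' }
    $granted = ($e.Id -eq 6272)

    $line = "{0} id={1} user={2} client={3} policy='{4}' auth={5} {6}" -f `
        $e.TimeCreated, $e.Id, $user, $client, $policy, $auth, $reason
    if ($granted -and $client -eq $ConnectorAddress -and $policy -eq $PolicyName) {
        Write-Host "OK   $line"
    } elseif ($client -eq $ConnectorAddress) {
        Write-Warning "CHECK $line"      # connector request denied or matched another policy
    } else {
        Write-Warning "OTHER $line"      # request from a client that is not the connector
    }
}
```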

Configure LoginTC RADIUS Connector

Open and log into LoginTC RADIUS Connector web interface.


Click on “User Directories” in the left panel, then click on “Create User Directory” in the right panel.

Click “Generic RADIUS”.

Fill the dialog box as follows:


Name (optional): AD NPS

IP Address or Host Name: <IP address of the host where NPS is installed>

Authentication Port: 1812

Shared Secret: The shared secret you set up in Microsoft NPS

Click Test. Click Create.

Click the newly created user directory.

Click “Test User Directory” in the right panel.

Enter a username and password, then click “Test User Directory”. You can use this to test user authentication against NPS.

Click Endpoints in the left panel. Click the WatchGuard application you had previously created.

Scroll down to “User Directory” and click “Edit”.

Select the newly created user directory.


Scroll down to “Client Settings” and click “Edit”.

In “Radius Attributes (Advanced)”, you can now select “None” if you had previously specified a group here. NPS now takes care of returning the group attribute.

Click Test. Click Update.

You can now click “Test Endpoint” in the right panel to test the workflow from the connector to NPS.

Enter username and password and click “Test Endpoint”. Finish your test workflow.

A notification will be sent to the user; once it is approved, the test is successful.



You are now ready to use WatchGuard VPN for L2TP/IKEv2 with LoginTC RADIUS Connector and NPS.
