How to setup Google Authenticator 2FA with a Watchguard SSL VPN Client for FREE!

My goal for the last year has been to figure out how to turn on 2FA (two factor authentication) for our WatchGuard SSL VPN Clients.  I found that Wright SMS2 worked best, so that is what I will document here.  Most of what I talk about here may also apply to other firewalls too.




The WatchGuard firewall supports 2FA with the Mobile VPN for SSL client, but your Radius server has to do the work.  You can find details about the WatchGuard support here.

So what are the options for getting Google Authenticator to work with WatchGuard for free?

OpenVPN - This was complicated to setup and would have to replace the WatchGuard VPN.  I had too many problems getting this to work and setup was complicated for the users who would have to remove the WatchGuard VPN and install the OpenVPN client.

FreeRadius - This sounded promising, but the Google Authenticator plugin was not well documented and I gave up getting it to support both Active Directory and Google Authenticator at the same time.  It seems that if you just wanted to keep the VPN logins on the Ubuntu server it worked fine, but once I added Active Directory, I couldn't find good documentation about getting them to work at the same time.

Wright SMS2 - This is the solution I ended up going with.  Free, Easy to setup and with my guide here, you can have it working in a day.  This program is really written to add 2FA to Citrix netscaler, but I was able to use it after a few adjustments.

Start by downloading the SMS2 software and installing it on a server that is already setup with Windows NPS (Network Policy Server).  I was able to install it on Server 2016 with no issues.  I made a dedicated Virtual server for this and didn't put it on my domain controller. The software requires a SQL server.  Rather than use SQL Express, I just put the database on an existing SQL server.
The documentation on the SMS2 site is out of date and references an older version.  That made it a little tricky to install.  I will try to explain the settings in the interface that I used and give you a sample config file along with a nice PowerShell script that was shared on the SMS2 forum.  That script will create the QR Codes and send them out in emails to your users.


This article is still in work.  I will finish this up over the next 2 weeks.
Dumping a few easy screen shots below for now.
-Ed 3.9.2017

Here are the settings I used with SMS2

To start with you will want to look at my configuration.xml file that I uploaded to pastebin here:
http://pastebin.com/7vy5bc5A
I would start with your own and then look at the changes I made on mine.  I have removed personal data and replaced it with ## comments ## so you know where you should enter your information.

Now that you have SMS2 installed, you can open the console and try your hand at setting up a user.  Just select a user and then click on Authentication Options.



On the Engine Options you want AD.  This tells SMS2 that the password box is a password from Active Directory, not a PIN number that was pre-set.



On the Auth Options I have renamed OATHCalc to Google Authenticator.  Changing the <FriendlyName> of these items can be done in the Configuration file stored here on your server:  
"C:\Program Files\WrightCCS2\Settings\Configuration.xml"

Next I set the Token generation type to TOTP and picked Google Authenticator from the drop down list. (This always defaults to Feitian Serial for some reason, so don't worry about that if you see it the next time you open the window)
Press Generate Shared Secret and then Save Configuration.  Copy the QR Code to the clipboard and email it to the user.  At the end of this I will talk about a Powershell script that does this better and then you don't need to use this interface at all after you setup the first person (I did one person in the interface just to make sure some defaults were set, like AD for Pincode)




The PowerShell script written by David Ott that you want for mass deployment of QR Codes to users is described here:
http://www.wrightccs.com/topic/deploy-qr-code-to-users/
My updated version is on Pastebin here:
http://pastebin.com/UPd0N2Wd

I made some changes to the PowerShell script.
This is a list of changes:
  • Added more details and graphics to the email
  • Added a better description inside the QR Code so that your Company and Email address show up in Google Authenticator. (line 237)
  • When the Powershell writes back to the database on line 232 I added Feitian Serial and the 30 second time out to that line. (Feitian Serial seems to be required and not Google Authenticator for some reason.  Looking inside the database helped me find that)







Comments

Unknown said…
hi ed,

is there any new news on this topic ?. it's still working ?
thanks for your support.

with kind regards
andreas
Unknown said…
hi ed,

inspired from your blog.... I will setup this in my home lab.....

have you any new news on this topic ?. my problem at the moment is:

017-10-08 13:36:41 admd RADIUS: retrieve VP:Reply-Message(18) int=16
2017-10-08 13:36:41 admd RADIUS: retrieve VP:State(24) int=6
2017-10-08 13:36:41 admd RADIUS: retrieve VP:Filter-Id(11) int=4
2017-10-08 13:36:41 admd RADIUS: retrieve VP:Class(25) int=44
2017-10-08 13:36:41 admd RADIUS: Parsing attribute-value pairs finished
2017-10-08 13:36:41 admd Authentication failed: user andreas.hirsch@RADIUS isn't in the authorized SSLVPN group/user list!

any tips for me
best regards Andreas
Ed Hammond said…
Andreas,
Did you create the SSLVPN group in active directory and add yourself to it?
If I recall correctly, you need to add that grip to the allowed users in the watchguard VPN settings too.
Since this post we switched to a SSLVPN appliance from Barracuda, so I no longer have this setup.
Unknown said…
Ed,
thanks for your response. when each user in in the vpn grip ... the login is ok. But did you remember how you deal with the filter-id (WG needs this for group identity) and how you change the text for the challenge response. How did you set the filter-id ?. or is there a standard filter-id from sms2.
or are the memories unfortunately gone..... no problem

thanks for your support.
Unknown said…
Ed,
thanks for your response. when each user in in the vpn grip ... the login is ok. But did you remember how you deal with the filter-id (WG needs this for group identity) and how you change the text for the challenge response. How did you set the filter-id ?. or is there a standard filter-id from sms2.
or are the memories unfortunately gone..... no problem

thanks for your support.
Ed Hammond said…
Watchguard has very good support, I would ask them for any input they can provide.
When I do this stuff, I still need to read their documents and open support tickets.
I found that Duo.com works much better and the first 10 accounts are free if your small.

Popular Posts