Integration Guide for WatchGuard with GreenRADIUS 2FA

Before starting, ensure GreenRADIUS is configured correctly to communicate with the local Active Directory or LDAP domain, as well as with the validation service (either local validation or the YubiCloud).

In the GreenRADIUS web admin interface, add WatchGuard as a RADIUS client.

  1. Click the Global Configuration tab
  2. Click the Client-based Authentication Policies icon
  3. Enter the IP address of WatchGuard. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

WatchGuard Configuration

Before starting, ensure that network, interfaces, and client profiles are configured correctly.

  1. Log into the WatchGuard Fireware Web UI.
  2. Navigate to AUTHENTICATION>Servers
  3. Click on RADIUS.

RADIUS Server Configuration

  1. Select Enable RADIUS Server.

  2. Configure the following fields:

    • IP Address: your_greenradius_ip
    • Port: 1812
    • Passphrase: the Client Secret provided under RADIUS Clients in GreenRADIUS
    • Confirm the Client Secret once again
    • Timeout: 30 seconds
    • Retries: 3
    • Group Attribute: 11
    • Dead Time: 10 Minutes
  3. Click on SAVE.

  1. Navigate to VPN>Mobile VPN with SSL>Authentication.

  1. Add your "vpnusers" group name.
  2. Select RADIUS as Authentication Server.
  3. Click OK.

  1. The Firebox/XTM RADIUS integration is now done.

Authentication Test

At this point, you can try a single-factor (password-only) login attempt and then verify that the authentication successfully went through GreenRADIUS.

  1. Make sure the test user you are using is single-factor in GreenRADIUS.
    a. Click on the domain the user is in, then click on the Users/Groups tab.
    b. Find the user you will test with. (You can use the search function if you have many pages of users.)
    c. In the Single Factor Flag column, if the user has a red "X," click the checkbox next to the user, then click on "Enable Single Factor." The user should have a green checkmark in the Single Factor Flag for this password-only test.
  2. Log in to the WatchGuard VPN client with the user's username and password.
  3. In GreenRADIUS, you can check that the authentication went through by going to GreenRADIUS Virtual Appliance>Reports tab>Authentication Requests.
    a. Click on Run Report.
    b. The authentication attempt should then be listed there.
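
If the test login fails, the first thing to rule out is a mismatch between the secret entered in GreenRADIUS and the Passphrase entered on WatchGuard. The following is an added example, not GreenRADIUS or WatchGuard code: it runs the RFC 2865 exchange in memory to show what each side sees when the two values match and when they differ. The user name, password, secrets and request authenticator are constructed values, and the reply carries the group name in attribute 11 (Filter-Id in RFC 2865), the Group Attribute set above.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # 11 is the guide's Group Attribute

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def crypt_password(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    if not decrypt:
        data = (data + b"\x00" * (-len(data) % 16)) or bytes(16)  # pad, minimum one block
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def build_request(user: bytes, password: bytes, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, crypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the client's secret."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def simulate(client_secret: bytes, server_secret: bytes):
    """Constructed exchange: (password the server recovers, reply accepted, group)."""
    req_auth = bytes(range(16))  # fixed so the demo repeats; must be random in real use
    request = build_request(b"testuser", b"Constructed-Pass1", client_secret, 7, req_auth)
    # Hidden password starts at 32: 20-byte header + 10-byte User-Name + 2-byte attr header.
    seen = crypt_password(request[32:], server_secret, req_auth, decrypt=True)
    reply = build_reply(ACCESS_ACCEPT, 7, req_auth, attr(FILTER_ID, b"vpnusers"), server_secret)
    ok = reply_is_authentic(reply, req_auth, client_secret)
    return seen, ok, (reply[22:] if ok else None)  # trust the group only if authentic

if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"same-secret", b"same-secret"))
    print("mismatched secrets:", simulate(b"same-secret", b"typo-secret"))
```

With mismatched secrets the server recovers a garbled password, so the login is rejected even though the user typed the right one, and the client would discard any reply because its authenticator does not verify.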

Updated 2025-10-30
© 2025 Green Rocket Security Inc. All rights reserved.