The WatchGuard firewall supports 2FA with the Mobile VPN for SSL client, but your RADIUS server has to do the work: the firewall only passes the username and password it receives on to RADIUS, so the second factor has to be checked there. You can find details about the WatchGuard support here.
So what are the options for getting Google Authenticator to work with WatchGuard for free?
OpenVPN - This was complicated to set up and would have to replace the WatchGuard VPN. I had too many problems getting it to work, and setup was complicated for the users, who would have to remove the WatchGuard VPN and install the OpenVPN client.
FreeRADIUS - This sounded promising, but the Google Authenticator plugin was not well documented and I gave up on getting it to support both Active Directory and Google Authenticator at the same time. It seems that if you just wanted to keep the VPN logins on the Ubuntu server it worked fine, but once I added Active Directory, I couldn't find good documentation on getting the two to work together.
Wright SMS2 - This is the solution I ended up going with. It is free and easy to set up, and with my guide here you can have it working in a day. This program is really written to add 2FA to Citrix NetScaler, but I was able to use it after a few adjustments.
Start by downloading the SMS2 software and installing it on a server that already has Windows NPS (Network Policy Server) set up. I was able to install it on Server 2016 with no issues. I made a dedicated virtual server for this and didn't put it on my domain controller. The software requires a SQL Server database; rather than use SQL Express, I put the database on an existing SQL Server.
The documentation on the SMS2 site is out of date and references an older version, which made it a little tricky to install. I will try to explain the settings I used in the interface and give you a sample config file, along with a nice PowerShell script that was shared on the SMS2 forum. That script creates the QR codes and emails them to your users.
This article is still a work in progress. I will finish it up over the next 2 weeks.
Dumping a few quick screenshots below for now.
Here are the settings I used with SMS2
To start with, you will want to look at my configuration.xml file, which I uploaded to Pastebin here:
I would start with your own file and then look at the changes I made to mine. I have removed personal data and replaced it with ## comments ## so you know where to enter your information.
Now that you have SMS2 installed, you can open the console and try setting up a user. Just select a user and then click Authentication Options.
Under Engine Options you want AD. This tells SMS2 that the password box holds the user's Active Directory password, not a pre-set PIN.
My updated version is on Pastebin here:
I made some changes to the PowerShell script.
This is the list of changes:
- Added more details and graphics to the email.
- Added a better description inside the QR code so that your company name and email address show up in Google Authenticator. (line 237)
- Where the PowerShell script writes back to the database on line 232, I added the Feitian Serial and the 30-second timeout to that line. (Feitian Serial seems to be required rather than Google Authenticator for some reason; looking inside the database helped me find that.)
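The two script changes above (the QR-code description that puts company and email into Google Authenticator, and the 30-second period written to the database) both come down to the otpauth URI and the TOTP parameters that Google Authenticator reads. The following PowerShell is an added example written for this page, not the SMS2 forum script or anything from Wright SMS2: it generates a base32 secret, builds the otpauth URI that would go into the QR code (issuer and account label are what the app displays), and computes the current 6-digit code locally so you can confirm the secret and period agree with the app before you trust the RADIUS side. The issuer and account values are made up; the self-test value is the published RFC 6238 test vector.

```powershell
# Added example for this page; not the SMS2 forum script. Tested logic is RFC 4226/6238 TOTP.
$Base32Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

function New-Base32Secret {
    # 20 random bytes = 160 bits = exactly 32 base32 characters, no padding needed.
    param([int]$ByteLength = 20)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $bits = ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    $chars = for ($i = 0; $i + 5 -le $bits.Length; $i += 5) {
        $Base32Alphabet[[Convert]::ToInt32($bits.Substring($i, 5), 2)]
    }
    -join $chars
}

function ConvertFrom-Base32 {
    # Decode the secret back to the raw HMAC key, the way the authenticator app does.
    param([Parameter(Mandatory)][string]$Secret)
    $bits = ''
    foreach ($c in $Secret.ToUpper().TrimEnd('=').ToCharArray()) {
        $idx = $Base32Alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $key = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $key.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    ,$key.ToArray()
}

function Get-TotpCode {
    # RFC 6238 TOTP with HMAC-SHA1; Period must match what is stored for the user (30 s here).
    param(
        [Parameter(Mandatory)][string]$Secret,
        [int]$Period = 30,
        [int]$Digits = 6,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    [long]$counter = [math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)            # 8-byte counter, must be big-endian
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new([byte[]](ConvertFrom-Base32 $Secret))
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[19] -band 0x0F                        # dynamic truncation (RFC 4226 5.4)
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    $modulus = [int][math]::Pow(10, $Digits)
    ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function New-OtpAuthUri {
    # Key URI that the QR code encodes. Issuer is shown as the title in Google Authenticator,
    # the account label (the user's email) underneath it.
    param(
        [Parameter(Mandatory)][string]$Issuer,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Secret,
        [int]$Period = 30,
        [int]$Digits = 6
    )
    $label  = [Uri]::EscapeDataString(('{0}:{1}' -f $Issuer, $Account))
    $issuer = [Uri]::EscapeDataString($Issuer)
    "otpauth://totp/${label}?secret=${Secret}&issuer=${issuer}&algorithm=SHA1&digits=${Digits}&period=${Period}"
}

# Self-test against the RFC 6238 Appendix B vector (SHA-1, 8 digits, T=59 -> 94287082).
$rfcSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'   # base32 of the ASCII key "12345678901234567890"
if ((Get-TotpCode -Secret $rfcSecret -Digits 8 -UnixTime 59) -ne '94287082') {
    throw 'TOTP self-test failed; do not enrol users with this build'
}

# Enrol a constructed user: the URI is what the QR code should contain, the code is what the
# user's app should show right now if the secret and 30-second period were stored correctly.
$secret = New-Base32Secret
$uri    = New-OtpAuthUri -Issuer 'Example Corp VPN' -Account 'alice@example.com' -Secret $secret
Write-Host "QR code payload : $uri"
Write-Host "Current TOTP    : $(Get-TotpCode -Secret $secret)"
```

The self-test is worth keeping in any enrolment script: if the HMAC, counter byte order or truncation is wrong, every user you email a QR code to will be locked out, and the RADIUS logs will only show rejected passwords. Compare the printed code against the app on a phone that was enrolled from the printed URI before rolling this out; a mismatch that clears up a minute later usually means the server clock is off by more than one period.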