Watchguard Training: Multi-Factor Authentication Essentials Study Guide
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
For a list of recommended documentation and video resources to help you prepare for the exam, see Additional
Resources.
For information about the exam content and format, see About the Multi-Factor Authentication Essentials Exam.
Document Conventions
This document uses these formatting conventions to highlight specific types of information:
This is a best practice. It describes the recommended configuration for an AuthPoint feature.
USE CASE:
This is a use case. It describes how you could configure AuthPoint in a real-world scenario.
This is a caution. Read carefully. There is a risk that you could lose data, compromise system
integrity, or impact device performance if you do not follow instructions or recommendations.
A token is something, such as a digital signature or fingerprint, that identifies a user and
associates the user with a device. It is used in addition to, or in place of, a password when the
user logs in to a protected resource. The user activates a token on a device that is used for
authentication, such as a mobile phone. This device is then used to gain access to protected
resources that require multi-factor authentication.
Authentication Protocols
This guide assumes that you have some familiarity with the RADIUS, LDAP, and SAML authentication protocols. For
an overview of how these protocols work, see the Authentication Basics section at the start of the Multi-Factor
Authentication Essentials video course.
The Multi-Factor Authentication Essentials video course is available on the WatchGuard Portal (login required).
- Partners — This course is available in the Learning Center in the Partner Portal.
- End-users — This course is available in the Training & Certification section of WatchGuard Support Center.
MFA Authentication Methods
Users install the AuthPoint mobile app on their phone. Then, when they log in to any protected online service or VPN,
they must authenticate with one of these methods:
- Push Notification — When a user logs in, AuthPoint sends a push notification to the user's mobile device. The
user approves the push notification to authenticate, or denies it to prevent an unauthorized access attempt.
- QR Code — When a user logs in, a QR code appears. The AuthPoint app uses the phone camera to scan the
QR code and displays a verification code, which the user must type to authenticate. AuthPoint uses secure QR
codes that can only be decrypted by the AuthPoint mobile app.
- One-Time Password (OTP) — When a user logs in, the user must provide a unique, temporary password
generated by the AuthPoint app to authenticate.
AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose
different authentication methods for specific user groups and applications.
AuthPoint Management UI
The AuthPoint management UI in WatchGuard Cloud is where you set up and manage users, user groups,
resources, external identities, and the AuthPoint Gateway. Resources are the applications that you define for
use with AuthPoint. External identities connect to user databases to get user account information and validate
passwords. The AuthPoint management UI also provides reports and audit logs to help you monitor
authentication activity and troubleshoot any issues.
The AuthPoint mobile app is not required for OTP authentication with a hardware token. For more
information, see Hardware Tokens.
AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint
can securely communicate with your RADIUS clients and LDAP databases. The Gateway operates as a
RADIUS server for RADIUS authentication, and is also used to import LDAP users and validate their
passwords.
The AuthPoint Gateway installer is available on the Downloads page in the AuthPoint management UI.
Logon App
The Logon app is used to require authentication when users log on to a computer or server. This includes
protection for RDP and RD Gateway. The Logon app is also referred to as the AuthPoint Agent for Windows or
Mac. There are two parts to the Logon app: the application you install on a computer or server and the resource
you configure in AuthPoint.
The Logon app installers are available on the Downloads page in the AuthPoint management UI.
ADFS Agent
With the AuthPoint ADFS agent, you can add MFA to ADFS for additional security. There are three parts to the
AuthPoint agent for ADFS: the agent you install, the Gateway, and the resource you configure in AuthPoint.
The ADFS agent installer is available on the Downloads page in the AuthPoint management UI.
RD Web Agent
There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in
AuthPoint.
The RD Web agent installer is available on the Downloads page in the AuthPoint management UI.
AuthPoint Licenses
AuthPoint is a subscription security service. To use AuthPoint, you must activate an AuthPoint license in your
WatchGuard account. The AuthPoint license determines the number of users you can configure to use AuthPoint for
MFA. When you activate your AuthPoint license key, the user licenses are added to your AuthPoint account in
WatchGuard Cloud.
If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage in
WatchGuard Cloud.
AuthPoint Management UI
To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to
WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard portal credentials.
If you have a Service Provider account, you must click Pivot to Subscriber View on the dashboard to switch to your
Subscriber account before you can configure AuthPoint.
Configure AuthPoint
To configure AuthPoint, select Configure > AuthPoint.
To configure AuthPoint settings, click a tile title or one of the Management links:
- Resources — Configure the applications and services that your users connect to.
- Groups — Configure user groups, and add access policies that specify which resources users in that group can
authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Users — Manage AuthPoint users and tokens. You can add users directly in AuthPoint or import LDAP users
from an external authentication server. Each user can only be a member of one AuthPoint group.
- External Identities — Configure the information required for AuthPoint to connect to your Active Directory or
LDAP databases to get user account information and validate passwords.
- Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on
your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and
your Active Directory or LDAP database.
- Hardware Tokens — Import hardware tokens and associate them with users.
The items in the AuthPoint management menu are listed in the optimal order to configure them.
We recommend you start at Resources, and work your way down through each item in the list
until your configuration is complete.
Monitor AuthPoint
Use AuthPoint dashboards and reports to monitor AuthPoint activity and status.
- User Activity — A bar graph that shows how many times each active user has authenticated, the last time each
inactive user authenticated, and how and when blocked users were blocked.
- Authentication — A bar graph that shows successful and failed authentication attempts for each user. For each
attempt, a list shows the authentication date, the token that was used, the authentication method, and the
resource the user authenticated to.
- Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for
each resource. For each attempt, a list shows which user authenticated, the authentication date, the token that
was used, and the authentication method.
- Denied Push Notifications — A bar graph that shows how many push notifications have been denied by users.
- Activation Activity — Shows a list of user tokens that have not yet been activated.
- Sync Activity — Shows information about the synchronization of your LDAP database if you have added an
external identity.
Audit logs and notifications, available under the Administration menu, provide additional information
about AuthPoint events that can be useful for troubleshooting.
For OTP authentication, you can use a hardware token instead of the AuthPoint mobile app. For
information about hardware tokens, see Hardware Tokens.
To get started, users must install the AuthPoint mobile app on a mobile device and activate an AuthPoint token.
The AuthPoint mobile app can contain multiple AuthPoint tokens, and also supports third-party tokens.
If a user has more than one mobile device, the user must activate a unique token for each device.
- Download and install the WatchGuard AuthPoint mobile app on a mobile device
- Click the link in the token activation email
The link in the activation email opens a web page with instructions to activate the token.
By default, the token name contains the last five digits of the token serial number. We recommend that you rename the
token. This makes each token easier to identify if you activate more than one token.
The six-digit number below the token name is the one-time password (OTP). The red bar below the OTP indicates the
amount of time the OTP is valid.
Users can use the mobile app to authenticate with these methods:
Push
With the Push authentication method, a push notification appears in the AuthPoint app. To authenticate, in the
AuthPoint app, tap Approve.
QR Code
With the QR Code authentication method, a QR Code appears on the login page. To authenticate, in the
AuthPoint app, tap and scan the QR code from the screen.
For RADIUS authentication, append the OTP to the end of your password. Do not add a space.
Token Management
In the menu for each token, the user can select these options:
We recommend users enable token security for additional protection in case another person gets
access to the mobile device.
Users can enable token security from the top menu in the AuthPoint mobile app. The token security options are:
PIN Protection
PIN protection is the primary token security method. You create one PIN and choose which tokens to protect
with that PIN. When you enable PIN protection, you must type your PIN before you can authenticate with the
protected tokens.
Biometric Protection
Biometric protection is another method to unlock tokens that have PIN protection enabled. When you enable
biometric protection, you can use a biometric identifier, such as a fingerprint or your face, to unlock any protected
token without the PIN.
If token security is enabled for one or more tokens, you must validate your PIN or use a biometric ID (if enabled) to
unlock a token for authentication or make any changes to the token security settings.
Third-Party Tokens
The AuthPoint mobile app also supports third-party software tokens, such as tokens compatible with Google
Authenticator, for authentication to personal services and applications.
When you set up two-factor or multi-factor authentication with a third-party service, use the AuthPoint QR code reader
to activate a software token in the AuthPoint mobile app. If the third-party service does not provide a QR code, you can
select Manually Activate Token in the AuthPoint mobile app, and then type the token key.
Third-party software tokens that you activate in the AuthPoint app are separate from your WatchGuard tokens. You can
still use your third-party tokens for authentication even if your AuthPoint user account is blocked.
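The six-digit code and countdown bar described above, and the Google Authenticator-compatible third-party tokens you activate by scanning a QR code or typing a key, follow the TOTP standard (RFC 6238). The example below is added here to show how such a code is derived and checked; it is not code from WatchGuard or the AuthPoint app, and it says nothing about how AuthPoint's own tokens are implemented internally. The otpauth URI format, the 30-second period and the SHA-1 default are the conventions third-party services use in their enrollment QR codes; the secret in the example is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the otpauth://totp/... URI that a service encodes in its enrollment QR code.
    The 'secret' value is the same key you type when you choose Manually Activate Token."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("enrollment URI has no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, modulo 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(unix_time: int, period: int = 30) -> int:
    """Time left before the current code rolls over: what the bar under the OTP shows."""
    return period - (unix_time % period)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Verifier side: accept the current step and +/- `window` neighbouring steps to absorb
    clock drift, compare in constant time, and reject codes of the wrong length up front."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + step * period, digits, period, algorithm),
                            candidate)
        for step in range(-window, window + 1)
    )


# Public test key from RFC 6238 Appendix B (ASCII "12345678901234567890"), not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    print(totp(RFC_SECRET, now), "valid for another", seconds_remaining(now), "s")
```

A production verifier also records the last time step it accepted for each token and refuses that step again, so a code captured by a shoulder-surfer or phishing page cannot be replayed inside the drift window; the function above deliberately leaves that state out so it stays self-contained.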
Resources
You can add these types of resources in AuthPoint:
- RADIUS client — An application or service that uses RADIUS authentication (primarily firewalls and VPNs)
- Logon app — The Logon app resource is used to configure and define access policies for the Logon app
- IdP Portal — A portal page that shows users the SAML resources available to an authenticated user
- SAML — An application or service that uses SAML authentication, such as Office 365, Salesforce, or the
Firebox Access Portal
- ADFS — The ADFS resource is used to add MFA to ADFS authentication
- RD Web — The RD Web resource is used to add MFA to Remote Desktop Web Access (RD Web)
To configure MFA for a resource, add the resource in AuthPoint, then assign an access policy for the resource in a user
group. In a user group, access policies specify which resources require authentication and which authentication method
to use (Push, QR code, OTP) when users in the group connect to each resource.
When you add a RADIUS client resource, you must specify the IP address or FQDN of your RADIUS client and you
must choose a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can
communicate.
RADIUS client resources must be linked to an AuthPoint Gateway that is installed on your network. The default port
used by the AuthPoint Gateway (RADIUS server) to communicate with the RADIUS clients is port 1812. If you already
have a RADIUS server installed that uses port 1812 (or 1645), you must use a different port for the AuthPoint Gateway.
You can link more than one RADIUS client resource to a single AuthPoint Gateway.
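The shared secret, the Access-Request on UDP 1812 and the "append the OTP to the password with no space" rule all come together in the RADIUS exchange between a client such as a Firebox and the Gateway acting as RADIUS server. The example below is an added illustration, not code from WatchGuard: it builds a minimal RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, then parses it the way a RADIUS server would. The shared secret and credentials are constructed, and the final split of the trailing six digits into an OTP is an assumption made for the example, not AuthPoint's documented logic.

```python
import hashlib
import os
import struct

# Constructed values for this example; not real credentials or a real deployment.
SHARED_SECRET = b"example-shared-secret-change-me"
OTP_LENGTH = 6  # an AuthPoint software token displays a six-digit OTP

ACCESS_REQUEST = 1      # RADIUS Code field, RFC 2865 section 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password as in RFC 2865 section 5.2: pad to 16-octet blocks, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not authenticated encryption, which is why
    the secret's strength and the network path between client and Gateway matter."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; the NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, otp: str, secret: bytes,
                         identifier: int = 1) -> bytes:
    """Client side: the OTP is appended directly to the password, with no separator."""
    authenticator = os.urandom(16)
    user = username.encode()
    hidden = encrypt_user_password((password + otp).encode(), secret, authenticator)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: what a RADIUS server such as the Gateway recovers from the datagram."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator, fields, pos = packet[4:20], {"identifier": identifier}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            fields["username"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            fields["password_otp"] = decrypt_user_password(value, secret, authenticator)
        pos += attr_len
    return fields


def split_password_and_otp(combined: bytes, otp_length: int = OTP_LENGTH) -> tuple:
    """Illustrative split (an assumption for this example, not AuthPoint's documented logic):
    the last six characters must be digits and are taken as the OTP; the rest is the password."""
    text = combined.decode()
    if len(text) <= otp_length or not text[-otp_length:].isdigit():
        raise ValueError("no OTP appended to the password")
    return text[:-otp_length], text[-otp_length:]
```

Because the password and OTP travel under nothing stronger than this MD5 construction, choose a long random shared secret per RADIUS client, register each client by its exact IP address, and keep the Gateway's listener reachable only from the trusted network where those clients sit.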
USE CASE:
An organization wants to enable MFA for user authentication through a Firebox and require MFA for mobile
VPN connections to networks protected by the Firebox.
If you have a Firebox, you can install an AuthPoint Gateway on the network behind the Firebox, and then configure the
Firebox as a RADIUS resource.
To enable AuthPoint MFA for user authentication to a Firebox, you configure these AuthPoint settings:
- The RADIUS Client resource for the Firebox specifies the IP address of the Firebox trusted interface and a
shared secret the Firebox will use to connect.
- In the AuthPoint Group, an Access Policy specifies the allowed authentication methods for users in the group
to authenticate to the Firebox. For more information about groups, see AuthPoint Groups and Users.
- The Gateway configuration includes the Firebox RADIUS resource and specifies the port the Firebox must use
to connect to the AuthPoint Gateway. For information about AuthPoint Gateway configuration, see AuthPoint
Gateway.
Firebox Settings
On the Firebox, in the Authentication Servers settings, a RADIUS server specifies the IP address, port, and shared
secret for connections to the AuthPoint Gateway.
Users log in at the Firebox authentication portal web page (https://<Firebox trusted interface IP address>:4100).
When a user in the AuthPoint group logs in and selects the AuthPoint server, AuthPoint sends a Push notification to the
user in the AuthPoint app. To authenticate, the user must accept the push notification.
For RADIUS authentication to a resource that requires an OTP, the user must append the OTP to the
end of the password. Do not add a space between the two passwords.
After MFA through the Firebox is working, you can enable MFA for VPN client authentication. To do this, configure
mobile VPN settings to use the AuthPoint RADIUS server, and add the AuthPoint group in the VPN Authentication
settings. In AuthPoint, make sure that the AuthPoint group for the VPN users includes the Firebox resource.
For more details about how to configure this, see Firebox Integration with AuthPoint.
When you install the Logon app, the computer must be connected to the Internet before the user logs on for the first
time. This is required so that the Logon app can communicate with AuthPoint to verify the access policy. After the first
successful authentication, the computer stores the most recent access policy locally. This local policy is used when the
user authenticates offline, and it is updated when the computer has an Internet connection.
Because push notifications require Internet access, we recommend that the access policy for the
Logon app includes the QR code or OTP authentication options so users can authenticate when
they are not connected to the Internet.
A user must first log in with Windows or Mac credentials. If those credentials are valid, the user must select a second
authentication option.
If the computer does not have an Internet connection, the user must select the One Time Password or QR Code
authentication option to authenticate offline.
If the user does not have access to their mobile device, the user can select Forgot Token to start a process for the
administrator to temporarily disable MFA for that user account for a specific amount of time.
Users authenticate to the IdP portal. When the user selects a resource, AuthPoint sends the credentials automatically.
If a SAML resource requires a different authentication method than the method used for authentication to the IdP portal,
the user must complete the additional authentication step to access the resource.
Manually created AuthPoint users can change their passwords on the IdP portal page. User accounts synced from an
Active Directory or LDAP database cannot reset or change their own passwords.
You can configure only one IdP portal resource. Add an access policy for the IdP Portal resource to one or more user
groups. Users in those groups can then log in to the IdP Portal to connect to applications available to them.
User authentication with AuthPoint Push authentication to a cloud app with SAML
In AuthPoint, SAML resources connect AuthPoint with a service provider. Add SAML resources and define access
policies for the resources to require that users authenticate before they can connect to services and applications. You
can create a SAML resource for almost every application that is compatible with SAML 2.0.
When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP
portal is a portal page that shows users a list of SAML resources available to them. The IdP portal is
not required for SAML authentication.
For SAML resources, the User ID determines which AuthPoint user attribute is sent to your service provider when a
user authenticates.
Some service providers require the metadata file to configure authentication, but others only require
the metadata URL. Which one you need depends on the third-party service provider.
When you add a SAML resource in AuthPoint, you must configure these settings:
n Service Provider Entity ID and Assertion Consumer Service — Specify the values from the service provider
of the application.
n User ID — Select the AuthPoint user attribute to send to your service provider when a user authenticates.
n AuthPoint Certificate — Select the AuthPoint certificate to associate with your resource. We recommend that
you choose the certificate with the latest expiration date.
SAML Certificates
From the AuthPoint management UI, you can create and manage the AuthPoint certificates used for SAML
authentication. The AuthPoint certificate provides your resource (service provider) with the information needed to
identify AuthPoint as a trusted identity provider. This is required for SAML authentication.
You must create at least one AuthPoint certificate before you can add a SAML resource. If your account already has
one or more certificates, you only need to create a new certificate when you replace an existing certificate.
You might need to replace a certificate for security reasons or when the expiration date is near.
SAML Resource Example
On a Firebox, the Access Portal provides secure remote access to common web applications that use HTML.
USE CASE:
To increase security for a Firebox Access Portal, you want to enable multi-factor authentication when
users log in to the Access Portal.
You can configure the Access Portal as a SAML resource. In this example, the Firebox Access Portal is the service
provider, and AuthPoint is the identity provider.
After you enable SAML for the Access Portal, the Firebox hosts a configuration page that includes information and a
certificate for SAML integration: http://[Host name or IP address for Firebox SAML]/auth/saml.
n Service Provider Entity ID — Copy and paste this to the SAML resource in AuthPoint.
n Assertion Consumer Service — Copy and paste this to the SAML resource in AuthPoint.
n Logout URL — Copy and paste this to the SAML resource in AuthPoint.
n Certificate file — Download this file, and then upload it to the SAML resource in AuthPoint.
Use this information and the certificate file to configure the SAML resource in AuthPoint. In the SAML resource, you
must also select the AuthPoint certificate associated with the IdP Metadata URL you configured in the SAML settings
for the Access Portal on the Firebox.
After you add the SAML resource, add it to one or more user groups. Users in those groups must then use a configured
option to authenticate to the Access Portal.
For detailed instructions to set up this integration, see Firebox Access Portal Integration with AuthPoint.
When you configure the AuthPoint ADFS agent, the ADFS Server validates the user password, and then sends a
request to AuthPoint for MFA.
The AuthPoint Gateway must be installed and available when you install the ADFS agent. The
Gateway is the point of communication between AuthPoint and your ADFS server.
After you install the ADFS agent, enable MFA in ADFS for one or more groups. MFA works only for the users that are a
member of the ADFS groups that you select and a member of the AuthPoint groups with an access policy for the ADFS
resource.
With the ADFS agent configured, users must authenticate when they access your organization's web applications.
When users navigate to a web application, they are redirected to the ADFS SSO page where they must provide their AD
credentials and authenticate with MFA.
When you configure an RD Web resource in the AuthPoint management UI, you must select an AuthPoint identity
provider certificate. The RD Web agent uses SAML to authenticate users with AuthPoint, so the resource needs an
identity provider certificate in the same way a SAML resource does.
RD Web Authentication
The AuthPoint RD Web resource enables MFA for user authentication to the RD Web Access portal.
From the RD Web access portal, users download applications for remote access to computers and applications. Users
can run those applications without a connection to the RD Web access portal. When a user runs a downloaded RD Web
application, the user does not connect to the RD Web portal again, and MFA is not required.
To require MFA when users connect to a remote desktop through an RD Web application, install the
AuthPoint Agent on the remote computer that the RD Web application connects to.
When a user tries to log in to a resource that requires authentication, the AuthPoint single sign-on (SSO) page appears.
To log in, the user types their AuthPoint password (if required) and chooses an authentication method.
The authentication methods available depend on the access policies assigned to your user group.
Some resources might require specific authentication methods, or allow only certain methods.
When a user authenticates, the web browser creates a session and remembers the user. While the user session is
active, the user does not need to authenticate again for SAML resources, RD Web resources, or the IdP portal unless
the resource requires a more secure authentication method.
For example, if you use a password and an OTP to log in to the IdP portal, you can then log in without authentication to
any resource that has OTP as an allowed authentication option or that requires only a password.
Method used to log in to the IdP portal   Access policy for the resource      What the user must do
Password                                  Password + OTP, QR code, or Push    Authenticate with OTP, QR code, or Push (no password required)
OTP                                       Password + QR code or Push          Authenticate again with QR code or Push (no password required)
Push
For push authentication, AuthPoint sends a push notification to your phone. You can either tap Approve to
authenticate and get access to your applications, or tap Deny to prevent an access attempt that was not made
by you.
If your token is protected by Token Security, the AuthPoint app opens and prompts you to unlock your token with
a biometric ID or a PIN when you try to approve a push notification. After you validate, you can approve or deny
the push notification.
QR Code
A QR code is a square barcode that your phone can scan to read stored data. AuthPoint uses secure QR codes
to provide you with a verification code for authentication. Only the built-in AuthPoint app QR code reader can
decrypt AuthPoint QR codes.
One-Time Password
An OTP is a unique, temporary password that is only valid for a short time. OTPs are used in addition to your
normal password for authentication. On the Token Management page of the AuthPoint app, you can see the OTP
for each token and how long the OTP is valid. The OTP for protected tokens is hidden until you unlock your
tokens.
About Tokens
A token is something that contains information used to prove identity, like a digital signature or fingerprint. You activate
or install a token on a device used for authentication (known as an authenticator). You can then use this device to gain
access to protected resources that require MFA.
To confirm your identity when you authenticate, you must prove that you have possession of the authenticator, or token,
assigned to you.
Software Tokens
A software token is a token that you activate and install with the AuthPoint app on your mobile device.
When you create a user in AuthPoint, a software token is automatically created for them. The user receives an
email with instructions to download the AuthPoint mobile app and activate the token on a single mobile device.
The activation code is valid for seven days.
If a user has more than one device, the user must activate a separate token for each device.
Hardware Tokens
A hardware token is a physical device with a built-in token. You can use third-party hardware tokens with
AuthPoint multi-factor authentication. To assign hardware tokens to users, you must buy supported hardware
tokens from a vendor and import the tokens to AuthPoint. For more information, see Hardware Tokens.
Block a User
Block a user to prevent authentication with any of the user's WatchGuard tokens on any mobile device. A
blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party
resources.
USE CASE:
A user leaves your organization or their user account has been compromised in some way. To block
authentication with any WatchGuard token for that user, you can block the user.
Block a Token
Block a token to prevent user authentication with a specific token. While a token is blocked, the user can still
authenticate with other active tokens.
USE CASE:
A user loses their phone. To block authentication from that device, you can block the token activated for
that device. If the user has an active token on another device, the user can still authenticate with the other
active token. If the user finds their phone, you can activate the token so the user can use it again for
authentication from that device.
In the AuthPoint management UI, use these pages to manage groups and users:
Each user can only be a member of one AuthPoint group. You must add at least one AuthPoint group
before you add or import users.
Groups
In AuthPoint, groups define what resources your users have access to. In each group, you configure access policies to
specify which resources users in that group can authenticate to and which authentication methods they can use (Push,
QR code, and OTP).
Access Policies
When you edit a group, you can configure access policies with authentication options for each resource.
Example group with access policies for several different types of resources.
In each access policy, you choose whether to require a password, and select allowed authentication options.
If you select more than one authentication option for a resource, users must choose one of the available options when
they authenticate to that resource. For example, if you select OTP and Push, users can choose whether to type their
OTP or approve a push to authenticate, but you cannot require that they do both.
If a user logs in to a resource from a computer that uses a public IP address identified as a safe location for their group,
the user is not required to use MFA. Users in a safe location can log in with only a user name and password.
A safe location is identified only by the public IP address a request arrives from, so anyone who connects from that
address, including an attacker on a compromised host behind the same NAT, can authenticate with a password alone.
Limit safe locations to networks you control and review the list regularly.
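The step-up rule from the session table earlier (a session is reused only when it already satisfies the resource's access policy, otherwise the user authenticates again with one of the allowed methods) and the safe-location exemption above are both policy comparisons, and they are easy to get wrong in a custom portal or in a test plan. The example below is an added model of those two rules, not WatchGuard code: the group, policy and session structures, the method names and the CIDR-based safe-location match are assumptions made for the example, and the sample addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MFA_METHODS = {"push", "qr", "otp"}


@dataclass
class AccessPolicy:
    """One access policy in a group. An empty `methods` set means the resource requires
    only a password; otherwise the user must satisfy one of the listed methods."""
    resource: str
    require_password: bool = True
    methods: Set[str] = field(default_factory=set)

    def __post_init__(self):
        unknown = self.methods - MFA_METHODS
        if unknown:
            raise ValueError("unknown authentication method(s): %s" % sorted(unknown))


@dataclass
class Session:
    """What the browser session remembers after a successful login."""
    password_verified: bool = False
    mfa_method: Optional[str] = None


@dataclass
class Group:
    name: str
    policies: Dict[str, AccessPolicy]
    safe_locations: List[str] = field(default_factory=list)  # public networks in CIDR form


def in_safe_location(group: Group, client_ip: str) -> bool:
    """True if the source address is inside one of the group's safe-location networks.
    `client_ip` must be the public address the request arrives from (after any NAT);
    everyone behind that address gets the same exemption, which is the risk of the setting."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in group.safe_locations)


def required_steps(session: Session, policy: AccessPolicy) -> dict:
    """What the user still has to do for this resource. The session is reused only if it
    already satisfies the policy; a stronger requirement forces a step-up."""
    need_password = policy.require_password and not session.password_verified
    need_mfa = bool(policy.methods) and session.mfa_method not in policy.methods
    return {"password": need_password, "methods": set(policy.methods) if need_mfa else set()}


def evaluate(group: Group, resource: str, session: Session, client_ip: str) -> dict:
    """Combine the two rules: no policy means no access; safe location waives MFA only."""
    policy = group.policies.get(resource)
    if policy is None:
        raise PermissionError("group %s has no access policy for %s" % (group.name, resource))
    if in_safe_location(group, client_ip):
        return {"password": not session.password_verified, "methods": set(), "safe_location": True}
    return dict(required_steps(session, policy), safe_location=False)
```

Note that a safe location never removes the password check in this model, and that a session which authenticated with OTP still has to step up for a resource whose policy allows only QR code or Push, exactly as the table describes.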
Users
For a user to use AuthPoint, you must create an AuthPoint user in your account and select the group the user belongs
to. Each AuthPoint user account requires one AuthPoint user license. When you add a user, the user is assigned a
token. The user receives an email with instructions to activate the token in the AuthPoint app.
Each user must be a member of an AuthPoint group. For this reason, you must add at least one
group before you can add users to AuthPoint.
Because you can create only one user at a time, you most commonly add users manually when you
want to create test users or need to add only a small number of users.
Unlike users synchronized from an external Active Directory or an LDAP database, users that you create manually in
AuthPoint define and manage their own AuthPoint password.
From the Users page, you can also resend these emails, if needed.
To synchronize users, you must install an AuthPoint Gateway. The AuthPoint Gateway connects to a domain controller
to import users from an Active Directory or LDAP database. The AuthPoint Gateway is also required to validate user
credentials when users authenticate.
AuthPoint does not store user passwords for synchronized LDAP or Active Directory users.
When a synchronized user authenticates, AuthPoint sends the LDAP credentials to the domain
controller for validation. After the domain controller validates the credentials, AuthPoint handles
any other authentication options specified in the access policy for the user group.
External identity
An external identity specifies settings required for AuthPoint to connect to an external user database. For
AuthPoint to connect to the external database, you must also link this external identity to an AuthPoint Gateway.
Queries
For each external identity, queries specify which users to sync. The AuthPoint Gateway uses the queries to
request user information from the external user database and create AuthPoint users for the users that match the
query. For each LDAP query, you specify which AuthPoint group you want the users to be a member of.
Before you can sync users, you must add the external identity to the configuration for a Gateway.
You must install the AuthPoint Gateway on your corporate network in a location that has Internet
access and that can connect to your LDAP server.
For each external identity you can add queries, check the connection, or start a manual synchronization.
- Group Sync — Select the LDAP groups you want to sync users from. AuthPoint creates the query for you
based on the group you choose. This is the simpler option, and is recommended.
- Advanced Query — Create your own LDAP queries to specify which groups or users to sync.
Before you sync users, make sure that each user in your external user database has a valid email
address. Users must have an email address so that AuthPoint can send a token activation email.
LDAP users without a user name, first name, or email address are not included in the
synchronization.
After you add a query to find your users, AuthPoint syncs with your Active Directory or LDAP database at the next
synchronization interval and creates an AuthPoint user account for each user identified by the query. From the External
Identities page, you can also manually start a synchronization. On the Users page, you can identify users synced from
an external identity by the LDAP tag next to their user name.
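To make the sync behaviour concrete, here is an added Python example (not AuthPoint code, and not the query the Gateway actually generates) that builds the base DN for a domain, builds a Group Sync style filter for one LDAP group, and then screens the returned entries with the rule stated above: users without a user name, first name or email address are not created. The directory entries are constructed, and the attribute names (sAMAccountName, givenName, mail, memberOf) are the usual Active Directory ones, which is an assumption about how AuthPoint maps them.

```python
import re

# Constructed directory entries (not from any real domain). Attribute names follow
# Active Directory conventions; that AuthPoint maps exactly these is an assumption.
GROUP_DN = "CN=AuthPoint Users,OU=Groups,DC=example,DC=local"
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=local", "sAMAccountName": "alice",
     "givenName": "Alice", "mail": "alice@example.local", "memberOf": [GROUP_DN]},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=local", "sAMAccountName": "bob",
     "givenName": "Bob", "mail": "", "memberOf": [GROUP_DN]},
    {"dn": "CN=carol,OU=Staff,DC=example,DC=local", "sAMAccountName": "carol",
     "givenName": "", "mail": "carol@example.local", "memberOf": [GROUP_DN]},
    {"dn": "CN=dave,OU=Staff,DC=example,DC=local", "sAMAccountName": "dave",
     "givenName": "Dave", "mail": "dave@example.local",
     "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=local"]},
]

# The page's rule: no user name, first name or email address means no AuthPoint user.
REQUIRED_ATTRIBUTES = ("sAMAccountName", "givenName", "mail")


def domain_to_base_dn(domain):
    """Turn a DNS domain such as example.local into dc=example,dc=local."""
    labels = domain.strip(".").split(".")
    if not labels or not all(re.fullmatch(r"[A-Za-z0-9-]+", lbl) for lbl in labels):
        raise ValueError("not a valid DNS domain: %r" % domain)
    return ",".join("dc=" + lbl for lbl in labels)


def escape_filter_value(value):
    """RFC 4515 escaping for values placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_sync_filter(group_dn):
    """Filter in the spirit of the Group Sync option: user objects that are direct
    members of the selected group (nested groups are not expanded here)."""
    return ("(&(objectClass=user)(!(objectClass=computer))"
            "(memberOf=%s))" % escape_filter_value(group_dn))


def eligible_for_sync(entry):
    """Return (ok, reason) for one directory entry."""
    for attr in REQUIRED_ATTRIBUTES:
        if not entry.get(attr):
            return False, "missing " + attr
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", entry["mail"]):
        return False, "email address is not valid"
    return True, "ok"


def plan_sync(entries, group_dn):
    """Simulate one synchronization pass: keep group members, then screen them.
    The membership test stands in for what the LDAP server does with the filter."""
    plan = {"create": [], "skipped": []}
    for entry in entries:
        if group_dn not in entry.get("memberOf", []):
            continue
        ok, reason = eligible_for_sync(entry)
        if ok:
            plan["create"].append(entry["sAMAccountName"])
        else:
            plan["skipped"].append((entry["sAMAccountName"], reason))
    return plan


if __name__ == "__main__":
    print("base DN:", domain_to_base_dn("example.local"))
    print("filter:", group_sync_filter(GROUP_DN))
    print(plan_sync(SAMPLE_ENTRIES, GROUP_DN))
```

Running the block lists alice as the only account that would be created; bob and carol are members of the group but are skipped with the attribute that is missing, which is the same outcome you would see after a real sync and the first thing to check when a user is "missing" from the Users page.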
The User Name column shows the status of the user account:

User status
  Status        Definition
  Activated     The user account is activated and can authenticate with any active tokens.
  Quarantined   The LDAP synced user account cannot authenticate because the LDAP user was moved or
                deleted, the external identity was deleted, or other domain information was changed.
  Blocked       The user cannot authenticate with any WatchGuard tokens on any mobile device. The user can
                still use third-party tokens, such as Google Authenticator, to authenticate with third-party
                resources.

Token status
  Status        Definition
  Activated     The token has been activated and can be used for authentication.
  Blocked       The token is blocked and the user cannot authenticate with that token. The user can still use other
                active WatchGuard tokens, if they have any, to authenticate.
An AuthPoint user account can also be quarantined if the External Identity was deleted or other
domain information changed.
Users with quarantined user accounts cannot authenticate until you restore or move them back to the original location in
the LDAP database. If you moved or deleted the user account intentionally, the quarantined account remains in
AuthPoint until you manually delete it in AuthPoint.
To delete an LDAP user in AuthPoint, the best practice is to remove the user from the AD or LDAP
group to give them the Quarantine status in AuthPoint, then delete the user in AuthPoint.
The Gateway provides a secure link between the AuthPoint service in the cloud and the local authentication services
and clients on your network. The Gateway makes a secure connection to AuthPoint for user synchronization and
authentication requests.
RADIUS
The Gateway is a RADIUS server that can accept authentication requests from RADIUS clients.
LDAP
The Gateway imports users from the domain controller. The Gateway also validates user credentials each time
an LDAP user logs in to an AuthPoint resource that requires a password.
ADFS
The Gateway communicates with an installed AuthPoint ADFS agent to enable MFA for an existing
ADFS deployment.
Each gateway can communicate with RADIUS, LDAP, and ADFS resources. You can also configure multiple
Gateways for the same resources for high availability.
You cannot select the same LDAP external identity in more than one AuthPoint Gateway.
In the Gateway configuration you can specify the RADIUS port. The default port used by the Gateway (RADIUS server)
to communicate with the RADIUS clients is port 1812. If you already have a RADIUS server installed that uses port
1812 (or 1645), you must use a different port for the AuthPoint Gateway.
After you add the Gateway, copy the registration key, which is required to install the Gateway.
Before you install the Gateway, make sure that:
- The computer you will install the Gateway on has Internet access.
- The computer you will install the Gateway on can communicate with your RADIUS clients and Active Directory
or LDAP database.
- You have the registration key for your Gateway.
When you install the AuthPoint Gateway, you must provide the Gateway registration key. The key is used to register
the Gateway and enables WatchGuard Cloud (AuthPoint) to identify and communicate with the installed Gateway. The
installer connects to your AuthPoint account and downloads the Gateway configuration.
The Gateway runs as four services. The Gateway service handles connections to your AuthPoint account in the cloud
and sends configuration settings to the other three services. The other three services handle RADIUS, ADFS, and
LDAP communication on the local network.
The status icon next to the name of a Gateway indicates the status of the Gateway (icons not reproduced here):
- The Gateway is installed and can communicate with WatchGuard Cloud
- The Gateway is not installed
- The Gateway is not connected and cannot communicate with WatchGuard Cloud
If needed, you can regenerate the registration key needed to install the Gateway.
- AuthPoint uses only the primary Gateway to synchronize users with the domain controller.
- AuthPoint uses one Gateway at a time for user authentication requests to a domain controller. It uses a
secondary Gateway only when the primary Gateway is not available.
- Both primary and secondary Gateways process RADIUS authentication requests.
Primary Gateway
The primary Gateway synchronizes your LDAP users and enables RADIUS authentication and LDAP user
authentication. This Gateway is the primary point of communication between AuthPoint and your RADIUS
clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
Secondary Gateway
You can configure secondary Gateways as a failover for LDAP user authentication. When your primary Gateway
is not available, AuthPoint automatically sends LDAP user authentications through the secondary Gateway until
the primary Gateway becomes available again.
You can also use secondary Gateways as a backup RADIUS server. The only limitation is that the third-party
software or device that sends authentication requests to the Gateway must support the use of additional
RADIUS servers. Both primary and secondary Gateways process authentication requests from RADIUS
clients.
To provide high availability for AuthPoint MFA through a Firebox, you can configure the Firebox to use
a primary and backup RADIUS server.
To use third-party hardware tokens with AuthPoint multi-factor authentication you must:
Each AuthPoint user can have up to 20 software tokens and any number hardware tokens.
- Response Format — Six-digit time-based OTP that includes only numbers with a 30 or 60 second time interval
- Algorithm — OATH time-based OTP (RFC 6238)
- Seed Delivery — OATH PSKC file (RFC 6030)
- Seed File — The seed file is a Portable Symmetric Key Container (PSKC) file that is used to import hardware
token information into AuthPoint. This file contains device information for each hardware token. The accepted file
types for a seed file are .XML, .PSKC, .TXT, and .VIP.
- Key — The key is used to decrypt the seed file so AuthPoint can validate the one-time passwords (OTPs) that
the hardware tokens generate. The key can be a string of characters that you type in AuthPoint or a file that you
upload. The accepted file types for a key file are .TXT and .BIN. You receive the seed file and key from your
hardware token vendor. You use the key to decrypt the keys in the seed file.
After you import third-party hardware tokens, you can assign each token to an AuthPoint user, and then activate the
token.
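The two RFCs named above are enough to show what AuthPoint has to do with an imported seed. The following added Python example (not AuthPoint code) parses a constructed, unencrypted PSKC file (RFC 6030) for one TOTP token, generates RFC 6238 codes from the seed with HMAC-SHA1, and verifies a submitted OTP while tolerating a small amount of clock drift. Real vendor seed files are encrypted with the key described above, so a production importer would decrypt the Secret element first; that step is left out here. The device serial, the drift window of one time step, and the standard-library-only approach are all assumptions of this example, and the seed is the RFC 6238 reference secret so the codes match the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
import xml.etree.ElementTree as ET

PSKC_NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}

# Constructed, unencrypted PSKC seed file for one token (no real vendor data).
# The seed is the RFC 6238 reference secret "12345678901234567890".
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>ExampleVendor</Manufacturer>
      <SerialNumber>EXAMPLE-0001</SerialNumber>
    </DeviceInfo>
    <Key Id="EXAMPLE-0001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Time><PlainValue>0</PlainValue></Time>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text):
    """Extract serial, seed, digit count and time step for each TOTP KeyPackage,
    rejecting formats outside the page's stated requirements (6 digits, 30/60 s)."""
    root = ET.fromstring(xml_text)
    tokens = []
    for pkg in root.findall("pskc:KeyPackage", PSKC_NS):
        key = pkg.find("pskc:Key", PSKC_NS)
        if key is None or not key.get("Algorithm", "").endswith(":totp"):
            continue  # only time-based tokens are accepted
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", PSKC_NS)
        data = key.find("pskc:Data", PSKC_NS)
        secret_b64 = data.find("pskc:Secret/pskc:PlainValue", PSKC_NS).text
        interval_el = data.find("pskc:TimeInterval/pskc:PlainValue", PSKC_NS)
        t0_el = data.find("pskc:Time/pskc:PlainValue", PSKC_NS)
        digits = int(fmt.get("Length", "6")) if fmt is not None else 6
        interval = int(interval_el.text) if interval_el is not None else 30
        if digits != 6 or interval not in (30, 60):
            raise ValueError("token %s: unsupported response format" % key.get("Id"))
        tokens.append({
            "serial": pkg.findtext("pskc:DeviceInfo/pskc:SerialNumber", None, PSKC_NS),
            "secret": base64.b64decode(secret_b64.strip()),
            "digits": digits,
            "interval": interval,
            "t0": int(t0_el.text) if t0_el is not None else 0,
        })
    return tokens


def totp(secret, unix_time, interval=30, digits=6, t0=0):
    """RFC 6238 TOTP with HMAC-SHA1, the OATH default used by hardware tokens."""
    counter = (int(unix_time) - t0) // interval
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(token, otp, now=None, window=1):
    """Accept the OTP for the current step or up to `window` steps either side.
    The drift AuthPoint itself tolerates is not stated on the page; 1 is an assumption."""
    now = int(time.time()) if now is None else int(now)
    step = (now - token["t0"]) // token["interval"]
    for counter in range(step - window, step + window + 1):
        t = token["t0"] + counter * token["interval"]
        expected = totp(token["secret"], t, token["interval"], token["digits"], token["t0"])
        if hmac.compare_digest(expected, otp):  # constant-time compare
            return True
    return False


if __name__ == "__main__":
    tok = parse_pskc(SAMPLE_PSKC)[0]
    print(tok["serial"], "current OTP:", totp(tok["secret"], time.time(), tok["interval"]))
```

The comparison uses hmac.compare_digest rather than ==, and the window is kept small: every extra step you accept is another code an attacker could replay, so drift tolerance is a security setting, not just a convenience.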
- Did the user receive a push notification? (if push authentication was configured)
- Is there an audit log for the authentication attempt?
- For authentication flows that require the Gateway, what do the Gateway logs say?
Steps to troubleshoot specific AuthPoint issues depend on the type of problem, and which AuthPoint and external
components are involved in the authentication flow. Some AuthPoint components, such as the Gateway, have local log
files that are useful for troubleshooting.
Troubleshooting Tools
To troubleshoot most AuthPoint issues, start by looking at AuthPoint reports, audit logs, and alerts.
Audit logs are often a useful starting point for troubleshooting AuthPoint issues.
AuthPoint Reports
Reports show information about AuthPoint activity and events. Some useful reports for troubleshooting include:
Alerts
WatchGuard Cloud generates alerts for events based on notification rules. For example, you see an alert when a
Gateway connects or disconnects, and when a user denies a push authentication request. You can add
notification rules to generate other types of alerts.
Audit Logs
Audit logs show events related to management actions, configuration changes, and AuthPoint events. For
authentication events, the audit log detail shows all the details about the authentication attempt.
You can use the detail from audit logs to match log messages for events on the Gateway or in authentication
error messages in the IdP Portal or Logon app for Windows or Mac.
Each service creates a log file. Log messages include the user name and request ID, which can be useful to
match a log message to an associated AuthPoint audit log event or error message.
- Gateway — Communicates with WatchGuard Cloud and configures the other three services
- RADIUS — Communicates with RADIUS clients
- LDAP — Communicates with LDAP
- ADFS — Communicates with ADFS
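The matching of an audit log event to Gateway log lines by request ID, described above, is easy to automate once you have both sources. The following added Python example (not WatchGuard code) shows the idea: it parses a handful of constructed Gateway log lines, pulls out every line for one request ID, and reports which local service logged the first error. The line layout, field names and the audit event are all constructed for this example; the real Gateway log format is not shown on the page, and only the user name and request ID fields the page names are assumed to be present.

```python
import re

# Constructed Gateway log lines in an illustrative layout (not the real format).
SAMPLE_GATEWAY_LOG = """\
2024-01-15 10:15:02,113 [RADIUS] INFO  request_id=7f3a-0c21 user=alice Access-Request from client 10.0.0.5
2024-01-15 10:15:02,120 [LDAP]   INFO  request_id=7f3a-0c21 user=alice bind attempt against dc01
2024-01-15 10:15:02,331 [LDAP]   ERROR request_id=7f3a-0c21 user=alice bind failed: invalid credentials
2024-01-15 10:15:02,334 [RADIUS] INFO  request_id=7f3a-0c21 user=alice Access-Reject sent to 10.0.0.5
2024-01-15 10:15:07,002 [RADIUS] INFO  request_id=9b10-ee04 user=bob Access-Request from client 10.0.0.5
2024-01-15 10:15:07,010 [LDAP]   INFO  request_id=9b10-ee04 user=bob bind ok
2024-01-15 10:15:09,480 [RADIUS] INFO  request_id=9b10-ee04 user=bob Access-Accept sent to 10.0.0.5
2024-01-15 10:15:11,000 [Gateway] WARN  configuration refresh skipped, cloud connection busy
"""

# Constructed audit log event carrying the fields the page says the audit log
# detail and the login error page expose: the user and the request ID.
SAMPLE_AUDIT_EVENT = {"user": "alice", "request_id": "7f3a-0c21",
                      "result": "Authentication failed", "resource": "VPN (RADIUS)"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<service>[A-Za-z]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"(?:request_id=(?P<request_id>\S+) user=(?P<user>\S+) )?(?P<message>.*)$")


def parse_gateway_log(text):
    """Turn raw log text into dicts; lines that do not match the layout are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def trace_request(events, request_id):
    """Every Gateway line for one request ID, in the order it was written."""
    return [e for e in events if e["request_id"] == request_id]


def explain_failure(audit_event, events):
    """Join the audit event with its Gateway trace and name the service that
    logged the first error, which is where troubleshooting should continue."""
    trace = trace_request(events, audit_event["request_id"])
    if not trace:
        return {"request_id": audit_event["request_id"], "services": [], "first_error": None,
                "note": "no Gateway lines: the request never reached this Gateway"}
    mismatched = [e for e in trace if e["user"] != audit_event["user"]]
    first_error = next((e for e in trace if e["level"] == "ERROR"), None)
    return {
        "request_id": audit_event["request_id"],
        "services": sorted({e["service"] for e in trace}),
        "first_error": None if first_error is None
        else (first_error["service"], first_error["message"]),
        "note": "user name differs between audit log and Gateway log" if mismatched else "ok",
    }


if __name__ == "__main__":
    parsed = parse_gateway_log(SAMPLE_GATEWAY_LOG)
    for line in trace_request(parsed, SAMPLE_AUDIT_EVENT["request_id"]):
        print(line["ts"], line["service"], line["level"], line["message"])
    print(explain_failure(SAMPLE_AUDIT_EVENT, parsed))
```

For the constructed failure the trace shows RADIUS accepting the request, LDAP rejecting the bind, and RADIUS sending the reject, so the password check against the domain controller is the step to look at. An empty trace is itself a finding: with no Gateway lines for the request ID, the problem is before the Gateway (the RADIUS client, the network path, or a secondary Gateway that handled the request instead).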
Use the Windows Services app to verify that all four services are running. In the Services app, the four running
services look like this (screenshot not reproduced here):
If a service is not running, use Windows Event Viewer to see when services stopped and started.
The Gateway service must be started and running correctly before the other services will start. If the Gateway
service is unable to connect to the cloud, or is unable to start for some reason, the other services will hang as
they wait for configuration files that never arrive. If you successfully restart the Gateway service, you must also
restart the other services after the Gateway service is running properly again.
- Make sure the RADIUS port is open on the server on which the Gateway is installed. The port is not open by
default. If the port is open, make sure it is not used by anything else on that server, which would cause a
conflict with the Gateway.
- Do a pcap between the Gateway and the RADIUS client to examine the traffic and identify errors.
- If the Gateway is installed on a different server than the LDAP/AD server, do a pcap between the Gateway
and the LDAP/AD server to verify that an LDAP response comes back.
Troubleshoot IdP Portal
To troubleshoot the IdP portal, ask the user for information about login errors. When authentication fails, an error
message appears on the login page. The bottom of the page shows the error code and request ID.
Use the error code and request ID to find the error in the audit log.
In the mobile app, the user can also see token details. Make sure that:
Troubleshoot ADFS
To troubleshoot ADFS, the most useful information is in:
- IIS server log files — For information about user authentication to the RD Web portal
- Event Viewer for Remote Desktop Services — For information about user connections to RD Web
hosted resources
- AuthPoint audit logs — For events for RD Web user authentication
Videos referenced below are in the Multi-Factor Authentication Essentials course. This course is available on the
WatchGuard Portal (login required).
- Partners — Log in to the Learning Center and go to Technical Training > Network Security > Network
Security Essentials.
- End users — Go to the Courseware page in WatchGuard Support Center.
Introduction to AuthPoint
Video:
- Authentication Basics
- Introduction to AuthPoint
Help Center:
AuthPoint Resources
Video:
Help Center:
- About Resources
- RADIUS Client Resources
- Set Up the Logon App
- SAML Resources
- MFA for ADFS
- Certificate Management
- Authentication Basics
Help Center:
- About Authentication
- About Tokens
Help Center:
- User Management
- Add a Group
- Assign Access Policies
AuthPoint Gateway
Video:
Help Center:
- About Gateways
Hardware Tokens
Video:
- Hardware Tokens
Help Center:
Troubleshooting
Video:
- Troubleshooting AuthPoint
Key Concepts
To successfully complete the Multi-Factor Authentication Essentials exam, you must understand these key concepts:
AuthPoint Knowledge
- AuthPoint mobile app
- Resource configuration
- Group and user configuration
- LDAP and RADIUS integration
- Logon app
- Troubleshooting
Exam Description
Content: 55 multiple choice (select one option), multiple selection (select more than one option), true/false, and
matching questions
Passing score: 75% correct
Time limit: Two hours
Reference material: You cannot look at printed or online materials during the exam.
Test environment
Instructor-Led Training
To get hands-on experience, we recommend that you attend an instructor-led training class. Classes are often held in-
region, sponsored by sales or a local WatchGuard distributor. We also offer complimentary VILT technology-based
training classes for partners. WatchGuard end-users can register for a class in our network of WatchGuard Certified
Training Partners (WCTPs).
The Multi-Factor Authentication Essentials video course is available on the WatchGuard Portal (login required).
- Partners — This course is available in the Learning Center in the Partner Portal.
- End-users — This course is available in the Training & Certification section of WatchGuard Support Center.
Other Resources
Online Help
AuthPoint Help includes detailed information to expand on the principles presented in the Multi-Factor Authentication
training courseware.
For the knowledge categories included in the Assessment Objectives section, we recommend that you review the
corresponding content in the AuthPoint Help system.
General (10%): Understand basic multi-factor authentication concepts that are not unique to AuthPoint.
- MFA basics
- Distinguished names
- Active Directory tools
- SAML roles
- RADIUS communication
- RADIUS client resources
- RADIUS synchronization
- User authentication
- LDAP synchronization
- AuthPoint Gateway
- RADIUS client
Questions
1. Which of these must a RADIUS client have in order to connect to a RADIUS server? (Select two.)
a. The correct IP address known to the RADIUS server
b. The public key of the RADIUS server
c. The shared secret configured on the RADIUS server
d. The certificate of the RADIUS server
e. The administrator account credentials on the RADIUS server
2. How do you specify the domain example.local in an LDAP query? (Select one.)
a. ou=example,dc=local
b. dc=example,ou=local
c. dc=example,dc=local
d. ou=example,ou=local
e. ou="example.local"
3. Which of these authentication factors is the least secure for MFA? (Select one.)
a. Hardware token
b. Software token
c. QR code
d. Push notification
e. SMS
4. You must install the AuthPoint Gateway on an existing RADIUS or LDAP server.
a. True
b. False
5. On the AuthPoint Users page, what does the yellow dot next to a user name indicate? (Select one.)
a. The user account is locked.
b. The user account is blocked.
c. The user account is quarantined.
d. The user forgot their token.
e. The user account is not yet activated.
6. The AuthPoint Gateway functions as both __________ and __________? (Select two.)
a. an LDAP client
b. an LDAP server
c. a RADIUS client
d. a RADIUS server
7. Where do you configure the query AuthPoint uses to synchronize users from an LDAP server? (Select one.)
a. Management > Resources
b. Management > External Identities
c. Management > Gateway
d. General > Download
e. General > Settings
1. a, c
2. c
3. e
4. b (False)
5. c
6. a, d
7. b
8. a (True)
9. b
10. a