Watchguard Training: Multi-Factor Authentication Essentials Study Guide

WatchGuard Training

Multi-Factor Authentication Essentials


Study Guide
WatchGuard AuthPoint
Revision Date: October 2019
2 WatchGuard Technologies, Inc.
About This Guide
The Multi-Factor Authentication Essentials Study Guide is a guide to help you study for the Multi-Factor Authentication
Essentials certification exam.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 10/17/2019

Copyright, Trademark, and Patent Information


Copyright © 2019 WatchGuard Technologies, Inc. All rights reserved.
All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright,
trademark, and licensing information can be found in the Copyright and Licensing Guide, available online at
http://www.watchguard.com/help/documentation/.

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat
Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than
75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of
all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs.
WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and
Latin America. To learn more, visit WatchGuard.com. For additional information, promotions and updates, follow
WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog,
Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895

How to Use This Study Guide 5
Introduction to AuthPoint 6
AuthPoint Mobile App 11
About AuthPoint Resources 15
MFA Authentication Methods 29
AuthPoint Groups and Users 32
AuthPoint Gateway 40
Hardware Tokens 44
Troubleshooting 45
Additional Resources 50
About the Multi-Factor Authentication Essentials Exam 52

How to Use This Study Guide
This guide is a resource to help you study for the Multi-Factor Authentication Essentials certification exam. Use this
guide in conjunction with instructor-led training, online video training and demos, and the WatchGuard Help Center
documentation to prepare to take the exam.

For a list of recommended documentation and video resources to help you prepare for the exam, see Additional
Resources.

For information about the exam content and format, see About the Multi-Factor Authentication Essentials Exam.

Document Conventions
This document uses these formatting conventions to highlight specific types of information:

This is a key point. It highlights or summarizes the key information in a section.

This is a note. It highlights important or useful information.

This is a best practice. It describes the recommended configuration for an AuthPoint feature.

USE CASE:

This is a use case. It describes how you could configure AuthPoint in a real-world scenario.

This is a caution. Read carefully. There is a risk that you could lose data, compromise system
integrity, or impact device performance if you do not follow instructions or recommendations.

Introduction to AuthPoint
Multi-factor authentication (MFA) is an authentication method that requires any combination of something you know
(such as a password), something you have (such as a mobile phone), and something you are (a fingerprint). AuthPoint is
WatchGuard's multi-factor authentication service. With AuthPoint, you can require users to authenticate with a mobile
app or third-party hardware token when they log in to a protected resource, such as a computer, VPN, cloud service, or
application.

A token is something, such as a digital signature or fingerprint, that identifies a user and
associates the user with a device. It is used in addition to, or in place of, a password when the
user logs in to a protected resource. The user activates a token on a device that is used for
authentication, such as a mobile phone. This device is then used to gain access to protected
resources that require multi-factor authentication.

Authentication Protocols
This guide assumes that you have some familiarity with the RADIUS, LDAP, and SAML authentication protocols. For
an overview of how these protocols work, see the Authentication Basics section at the start of the Multi-Factor
Authentication Essentials video course.

The Multi-Factor Authentication Essentials video course is available on the WatchGuard Portal (login required).

- Partners — This course is available in the Learning Center in the Partner Portal.
- End-users — This course is available in the Training & Certification section of WatchGuard Support Center.

MFA Authentication Methods
Users install the AuthPoint mobile app on their phone. Then, when they log in to any protected online service or VPN,
they must authenticate with one of these methods:

- Push Notification — When a user logs in, AuthPoint sends a push notification to the user's mobile device. The
  user approves the push notification to authenticate, or denies it to prevent an unauthorized access attempt.
- QR Code — When a user logs in, a QR code appears. The AuthPoint app uses the phone camera to scan the
  QR code and displays a verification code, which the user must type to authenticate. AuthPoint uses secure QR
  codes that can only be decrypted by the AuthPoint mobile app.
- One-Time Password (OTP) — When a user logs in, the user must provide a unique, temporary password
  generated by the AuthPoint app to authenticate.

AuthPoint uses the latest MFA methods to protect your trusted resources from unauthorized access. You can choose
different authentication methods for specific user groups and applications.

AuthPoint Components
AuthPoint has several components:

AuthPoint Management UI
The AuthPoint management UI in WatchGuard Cloud is where you set up and manage users, user groups,
resources, external identities, and the AuthPoint Gateway. Resources are the applications that you define for
use with AuthPoint. External identities connect to user databases to get user account information and validate
passwords. The AuthPoint management UI also provides reports and audit logs to help you monitor
authentication activity and troubleshoot any issues.

AuthPoint Mobile App
The AuthPoint mobile app is required for authentication. Before you can authenticate with AuthPoint, you must
install the AuthPoint mobile app on your mobile device and activate your WatchGuard token. You can use the
AuthPoint mobile app to view and manage your tokens, approve push notifications, get OTPs, and scan QR
codes. You can also enable Token Security to protect your tokens with a PIN or biometric ID. Before you can
use your protected tokens for authentication with any method, you must unlock them with a PIN or your
biometric ID.

The AuthPoint mobile app is not required for OTP authentication with a hardware token. For more
information, see Hardware Tokens.

AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint
can securely communicate with your RADIUS clients and LDAP databases. The Gateway operates as a
RADIUS server for RADIUS authentication, and is also used to import LDAP users and validate their
passwords.

The AuthPoint Gateway installer is available on the Downloads page in the AuthPoint management UI.

Logon App
The Logon app is used to require authentication when users log on to a computer or server. This includes
protection for RDP and RD Gateway. The Logon app is also referred to as the AuthPoint Agent for Windows or
Mac. There are two parts to the Logon app: the application you install on a computer or server and the resource
you configure in AuthPoint.

The Logon app installers are available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for ADFS
Microsoft Active Directory Federation Services (ADFS) is a Windows Server component that provides users
with authenticated access to applications.

With the AuthPoint ADFS agent, you can add MFA to ADFS for additional security. There are three parts to the
AuthPoint agent for ADFS: the agent you install, the Gateway, and the resource you configure in AuthPoint.

The ADFS agent installer is available on the Downloads page in the AuthPoint management UI.

AuthPoint Agent for RD Web
Microsoft Remote Desktop Web Access (RD Web) is a web page that shows a list of applications published
from a server. From the web page, authenticated users can launch each application. The AuthPoint agent for RD
Web adds MFA authentication to RD Web Access.

There are two parts to the AuthPoint agent for RD Web: the agent you install and the resource you configure in
AuthPoint.

The RD Web agent installer is available on the Downloads page in the AuthPoint management UI.

AuthPoint Licenses
AuthPoint is a subscription security service. To use AuthPoint, you must activate an AuthPoint license in your
WatchGuard account. The AuthPoint license determines the number of users you can configure to use AuthPoint for
MFA. When you activate your AuthPoint license key, the user licenses are added to your AuthPoint account in
WatchGuard Cloud.

If you are a WatchGuard Cloud Service Provider, you can allocate AuthPoint user licenses to accounts you manage in
WatchGuard Cloud.

AuthPoint Management UI
To set up and manage AuthPoint, you use the AuthPoint management UI in WatchGuard Cloud. To connect to
WatchGuard Cloud, go to cloud.watchguard.com. Log in with your WatchGuard portal credentials.

If you have a Service Provider account, you must click Pivot to Subscriber View on the dashboard to switch to your
Subscriber account before you can configure AuthPoint.

Configure AuthPoint
To configure AuthPoint, select Configure > AuthPoint.

The Summary page shows tiles with summary configuration information.

To configure AuthPoint settings you can click the tile title or click the Management links:

- Resources — Configure the applications and services that your users connect to.
- Groups — Configure user groups, and add access policies that specify which resources users in that group can
  authenticate to and which authentication methods they can use (Push, QR code, and OTP).
- Users — Manage AuthPoint users and tokens. You can add users directly in AuthPoint or import LDAP users
  from an external authentication server. Each user can only be a member of one AuthPoint group.
- External Identities — Configure the information required for AuthPoint to connect to your Active Directory or
  LDAP databases to get user account information and validate passwords.
- Gateway — Configure settings for the AuthPoint Gateway, a lightweight software application that you install on
  your network so that AuthPoint can communicate with your RADIUS clients, the AuthPoint agent for ADFS, and
  your Active Directory or LDAP database.
- Hardware Tokens — Import hardware tokens and associate them with users.

The items in the AuthPoint management menu are listed in the optimal order to configure them.
We recommend you start at Resources, and work your way down through each item in the list
until your configuration is complete.

Monitor AuthPoint
Use AuthPoint dashboards and reports to monitor AuthPoint activity and status.

To monitor AuthPoint, select Monitor > AuthPoint.

In the Monitor section of the AuthPoint management UI, you can see these dashboards and reports:

- User Activity — A bar graph that shows how many times each active user has authenticated, the last time each
  inactive user authenticated, and how and when blocked users were blocked.
- Authentication — A bar graph that shows successful and failed authentication attempts for each user. For each
  attempt, a list shows the authentication date, the token that was used, the authentication method, and the
  resource the user authenticated to.
- Resource Activity — A bar graph of resources that shows successful and failed authentication attempts for
  each resource. For each attempt, a list shows which user authenticated, the authentication date, the token that
  was used, and the authentication method.
- Denied Push Notifications — A bar graph that shows how many push notifications have been denied by users.
- Activation Activity — Shows a list of user tokens that have not yet been activated.
- Sync Activity — Shows information about the synchronization of your LDAP database if you have added an
  external identity.

Audit logs and notifications, available under the Administration menu, provide additional information
about AuthPoint events that can be useful for troubleshooting.
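The reports above list, per attempt, the user, the method and whether a push was approved or denied. A SOC usually wants that data as events rather than bar graphs, because the pattern worth alerting on is a burst of denied pushes for one user in a short window (an attacker who already has the password is "push bombing" the user) followed, in the worst case, by an approval. The following is an added example, not WatchGuard code: the records are constructed in the shape of the fields those reports show (date, user, resource, method, result) and are not AuthPoint's export format; the thresholds, names and the function push_fatigue_alerts are this example's own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records with the fields the Authentication and Denied Push Notifications
# reports list: (date, user, resource, method, result). Not AuthPoint's export format;
# map a real export onto these five fields before feeding it in.
EVENTS = [
    ("2019-10-17T08:00:05Z", "alice", "Firebox-SSLVPN", "Push", "approved"),
    ("2019-10-17T09:15:00Z", "carol", "Office365",      "OTP",  "failed"),
    ("2019-10-17T14:20:00Z", "carol", "Office365",      "Push", "denied"),
    ("2019-10-17T16:05:00Z", "carol", "Office365",      "Push", "approved"),
    ("2019-10-17T22:41:10Z", "bob",   "Firebox-SSLVPN", "Push", "denied"),
    ("2019-10-17T22:41:55Z", "bob",   "Firebox-SSLVPN", "Push", "denied"),
    ("2019-10-17T22:42:40Z", "bob",   "Firebox-SSLVPN", "Push", "denied"),
    ("2019-10-17T22:43:30Z", "bob",   "Firebox-SSLVPN", "Push", "approved"),
]


def parse_ts(text):
    """Timestamps in the constructed records are UTC without fractional seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def push_fatigue_alerts(events, window=timedelta(minutes=10), max_denials=3):
    """Slide a time window over each user's Push events, in time order.

    Emits ("push_bombing") the moment the number of denials inside the window reaches
    max_denials, and ("approved_after_denials") when an approval follows at least two
    denials in the window, which is the case to call the user about. Returns a list of
    (user, kind, time) tuples.
    """
    by_user = defaultdict(list)
    for ts, user, _resource, method, result in sorted(events, key=lambda e: e[0]):
        if method == "Push":
            by_user[user].append((parse_ts(ts), result))

    alerts = []
    for user, push_events in by_user.items():
        recent = deque()
        for t, result in push_events:
            recent.append((t, result))
            while t - recent[0][0] > window:      # evict events older than the window
                recent.popleft()
            denials = sum(1 for _, r in recent if r == "denied")
            if result == "denied" and denials == max_denials:
                alerts.append((user, "push_bombing", t))
            elif result == "approved" and denials >= 2:
                alerts.append((user, "approved_after_denials", t))
    return alerts


if __name__ == "__main__":
    for user, kind, when in push_fatigue_alerts(EVENTS):
        print("%s %-24s %s" % (when.isoformat(), kind, user))
```

Carol's single denial two hours before her approval produces nothing, because the window has emptied by then; Bob's three denials in under two minutes trip the first alert, and his approval right after trips the second. Tune window and max_denials to your own baseline from the Denied Push Notifications report before turning this into a paging alert.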

AuthPoint Mobile App
The AuthPoint mobile app supports the Push, QR Code, and OTP authentication methods.

For OTP authentication, you can use a hardware token instead of the AuthPoint mobile app. For
information about hardware tokens, see Hardware Tokens.

To get started, users must install the AuthPoint mobile app on a mobile device and activate an AuthPoint token.

From the AuthPoint mobile app users can:

- Authenticate with MFA:
  - Approve a push notification
  - Get a one-time password (OTP)
  - Scan a QR code
- View and manage tokens:
  - Activate a token
  - See token details
  - Resynchronize a token
  - Protect a token with a PIN or biometric ID

The AuthPoint mobile app can contain multiple AuthPoint tokens, and also supports third-party tokens.

If a user has more than one mobile device, the user must activate a unique token for each device.

Token Activation
When you add a user to AuthPoint, the user receives an activation email with a link that is used to activate their
software token in the AuthPoint mobile app.

To activate the token the user must:

- Download and install the WatchGuard AuthPoint mobile app on a mobile device
- Click the link in the token activation email

The link in the activation email opens a web page with instructions to activate the token.

The token activation web page

The activated token appears in the AuthPoint mobile app.

An active token in the AuthPoint mobile app

By default, the token name contains the last five digits of the token serial number. We recommend that you rename the
token. This makes each token easier to identify if you activate more than one token.

The six-digit number below the token name is the one-time password (OTP). The red bar below the OTP indicates the
amount of time the OTP is valid.

Authentication with the AuthPoint Mobile App
When AuthPoint users log in to a computer or resource that requires MFA, they type a password, and then use the
AuthPoint mobile app to complete a second authentication method.

Users can use the mobile app to authenticate with these methods:

Push
With the Push authentication method, a push notification appears in the AuthPoint app. To authenticate, in the
AuthPoint app, tap Approve.

QR Code
With the QR Code authentication method, a QR Code appears on the login page. To authenticate, in the
AuthPoint app, tap and scan the QR code from the screen.

One-Time Password (OTP)
With the One-Time Password authentication method, the user must type a one-time password. In the AuthPoint
app, the OTP is the six-digit code that appears below the token. To authenticate, type the current token OTP on
the login page.

For RADIUS authentication, append the OTP to the end of your password. Do not add a space.

Token Management
In the menu for each token, the user can select these options:

- Edit Token — Edit the token image and name.
- Show Token Details — See the token serial number and other token information. This can be useful information
  for troubleshooting.
- Sync Token — Synchronize the token time stamp with the AuthPoint cloud server.
- Migrate Token — Removes the token from this device and sends an activation email so that you can activate
  the token on another device.
- Delete Token — Remove the token from the AuthPoint mobile app.

Token Security

We recommend users enable token security for additional protection in case another person gets
access to the mobile device.

Users can enable token security from the top menu in the AuthPoint mobile app. The token security options are:

PIN Protection
PIN protection is the primary token security method. You create one PIN and choose which tokens to protect
with that PIN. When you enable PIN protection, you must type your PIN before you can authenticate with the
protected tokens.

Biometric Protection
Biometric protection is another method to unlock tokens that have PIN protection enabled. When you enable
biometric protection, you can use a biometric identifier, such as a fingerprint or your face, to unlock any protected
token without the PIN.

If token security is enabled for one or more tokens, you must validate your PIN or use a biometric ID (if enabled) to
unlock a token for authentication or make any changes to the token security settings.

Third-Party Tokens
The AuthPoint mobile app also supports third-party software tokens, such as tokens compatible with Google
Authenticator, for authentication to personal services and applications.

When you set up two-factor or multi-factor authentication with a third-party service, use the AuthPoint QR code reader
to activate a software token in the AuthPoint mobile app. If the third-party service does not provide a QR code, you can
select Manually Activate Token in the AuthPoint mobile app, and then type the token key.

Third-party software tokens that you activate in the AuthPoint app are separate from your WatchGuard tokens. You can
still use your third-party tokens for authentication even if your AuthPoint user account is blocked.
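The six-digit OTP with a countdown bar, the Sync Token option and the Google Authenticator-compatible third-party tokens all rest on time-based one-time passwords. The following is an added example, not code from this guide or from WatchGuard: it implements RFC 6238 TOTP, the algorithm Google Authenticator-compatible tokens use (whether AuthPoint's own tokens use exactly this algorithm is not stated on this page and is not assumed here), and shows the two things a verifier needs beyond generating the code: a constant-time comparison, and a small clock-drift window, which is the problem a token resync corrects. The secret is the RFC 6238 test key; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time, step=30):
    """Lifetime left in the current code, which is what the bar under the OTP in the app shows."""
    return step - (unix_time % step)


def verify_totp(secret, candidate, unix_time, drift_steps=1, step=30, digits=6):
    """Accept the code for the current step or for +/- drift_steps neighbouring steps.

    Returns the step offset that matched (-1 means the token's clock is one step behind,
    the situation a resync fixes) or None if nothing matched. hmac.compare_digest keeps the
    comparison constant-time so a verifier does not leak how many digits were right.
    """
    for offset in range(-drift_steps, drift_steps + 1):
        expected = hotp(secret, unix_time // step + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return offset
    return None


def secret_from_base32(key):
    """Decode the key string a service shows for manual token activation (Base32, RFC 4648)."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # services usually omit the padding
    return base64.b32decode(key)


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 Appendix B test secret
    print(totp(secret, 59))              # 287082
    print(verify_totp(secret, totp(secret, 29), 59))   # -1: code from the previous step
    print(verify_totp(secret, "000000", 59))           # None
```

A verifier should also remember the last accepted counter per token and refuse a code at or below it, so that a code captured in transit cannot be replayed inside its 30-second lifetime; that state is omitted above to keep the example stand-alone.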

About AuthPoint Resources
In AuthPoint, resources are the applications and services that your users connect to that are protected by AuthPoint
multi-factor authentication (MFA).

AuthPoint supports these resource types:

- RADIUS client — An application or service that uses RADIUS authentication (primarily firewalls and VPNs)
- Logon app — The Logon app resource is used to configure and define access policies for the Logon app
- IdP Portal — A portal page that shows users the SAML resources available to an authenticated user
- SAML — An application or service that uses SAML authentication, such as Office 365, Salesforce, or the
  Firebox Access Portal
- ADFS — The ADFS resource is used to add MFA to ADFS authentication
- RD Web — The RD Web resource is used to add MFA to Remote Desktop Web Access (RD Web)

To configure MFA for a resource, add the resource in AuthPoint, then assign an access policy for the resource in a user
group. In a user group, access policies specify which resources require authentication and which authentication method
to use (Push, QR code, OTP) when users in the group connect to each resource.

RADIUS Client Resources
RADIUS client resources represent RADIUS clients. These resources are for applications or services that use
RADIUS authentication (primarily firewalls and VPNs).

To configure MFA for a RADIUS client, you must:

- Configure or set up your RADIUS client.
- Add a RADIUS client resource.
- Download and install the AuthPoint Gateway.
- Add the RADIUS client resource to the configuration for your Gateway.
- Assign an access policy for the RADIUS client resource to one or more AuthPoint groups.

When you add a RADIUS client resource, you must specify the IP address or FQDN of your RADIUS client and you
must choose a shared secret key so that the RADIUS server (AuthPoint Gateway) and the RADIUS client can
communicate.

RADIUS client resources must be linked to an AuthPoint Gateway that is installed on your network. The default port
used by the AuthPoint Gateway (RADIUS server) to communicate with the RADIUS clients is port 1812. If you already
have a RADIUS server installed that uses port 1812 (or 1645), you must use a different port for the AuthPoint Gateway.

You can link more than one RADIUS client resource to a single AuthPoint Gateway.

RADIUS Client Example

USE CASE:

An organization wants to enable MFA for user authentication through a Firebox and require MFA for mobile
VPN connections to networks protected by the Firebox.

If you have a Firebox, you can install an AuthPoint Gateway on the network behind the Firebox, and then configure the
Firebox as a RADIUS resource.

RADIUS authentication flow for AuthPoint MFA from a VPN client through a Firebox.

To enable AuthPoint MFA for user authentication to a Firebox, you configure these AuthPoint settings:

- Resource — Specifies the Firebox as a RADIUS client
- Group — Specifies requirements for authentication to the resource for users in the group
- Gateway — Specifies settings for the Firebox to connect to the AuthPoint Gateway

AuthPoint Configuration:

- The RADIUS Client resource for the Firebox specifies the IP address of the Firebox trusted interface and a
  shared secret the Firebox will use to connect.
- In the AuthPoint Group, an Access Policy specifies the allowed authentication methods for users in the group
  to authenticate to the Firebox. For more information about groups, see AuthPoint Groups and Users.
- The Gateway configuration includes the Firebox RADIUS resource and specifies the port the Firebox must use
  to connect to the AuthPoint Gateway. For information about AuthPoint Gateway configuration, see AuthPoint
  Gateway.

RADIUS client resources support one MFA method. You cannot enable both Push and OTP methods
at the same time. RADIUS client resources do not support the QR Code authentication method.

Firebox Settings
On the Firebox, in the Authentication Servers settings, a RADIUS server specifies the IP address, port, and shared
secret for connections to the AuthPoint Gateway.

The RADIUS server settings on the Firebox.

On the Firebox authentication portal web page, users can select the AuthPoint RADIUS server.

The Firebox authentication portal web page (https://<Firebox trusted interface IP address>:4100).

When a user in the AuthPoint group logs in and selects the AuthPoint server, AuthPoint sends a Push notification to the
user in the AuthPoint app. To authenticate, the user must accept the push notification.

For RADIUS authentication to a resource that requires an OTP, the user must append the OTP to the
end of the password. Do not add a space between the two passwords.

After MFA through the Firebox is working, you can enable MFA for VPN client authentication. To do this, configure
mobile VPN settings to use the AuthPoint RADIUS server, and add the AuthPoint group in the VPN Authentication
settings. In AuthPoint, make sure that the AuthPoint group for the VPN users includes the Firebox resource.

For more details about how to configure this, see Firebox Integration with AuthPoint.
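Two details in the RADIUS sections above deserve a closer look: the shared secret that the RADIUS client resource and the Firebox must agree on, and the rule that for an OTP the user types the password with the six-digit code appended and no separator. The following is an added example, not WatchGuard or Firebox code; the packet layout and password hiding follow RFC 2865, while the names, the user, the password and the shared secret are constructed. It builds the Access-Request a RADIUS client like the Firebox sends, hides the User-Password with MD5 over the shared secret and the Request Authenticator, and then does the server side: recover the typed string and split it into password and OTP. It also shows why the secret must be long and random: the hiding is exactly as strong as the secret, and anyone who has it and can see the packets recovers both the password and the OTP.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2


def encode_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded or len(padded) > 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def decode_user_password(hidden, secret, authenticator):
    """Inverse of encode_user_password; only a party that knows the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")      # remove the RFC 2865 padding


def split_password_otp(typed, otp_digits=6):
    """AuthPoint's RADIUS convention: the user types <password><OTP> with no separator,
    so the server peels the last otp_digits characters off and checks the parts separately."""
    if len(typed) <= otp_digits or not typed[-otp_digits:].isdigit():
        raise ValueError("expected a %d-digit OTP appended to the password" % otp_digits)
    return typed[:-otp_digits], typed[-otp_digits:]


def _attribute(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, username, typed, secret, authenticator=None):
    """What the RADIUS client sends to the AuthPoint Gateway's RADIUS port (1812 by default)."""
    authenticator = authenticator or os.urandom(16)   # must be fresh and unpredictable per request
    attrs = _attribute(USER_NAME, username.encode()) + \
        _attribute(USER_PASSWORD, encode_user_password(typed.encode(), secret, authenticator))
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: return (username, password, otp). With the wrong shared secret the
    recovered bytes are garbage, which almost always fails the UTF-8 decode or the OTP
    split; both raise ValueError."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs[USER_NAME].decode()
    typed = decode_user_password(attrs[USER_PASSWORD], secret, authenticator).decode()
    password, otp = split_password_otp(typed)
    return username, password, otp


if __name__ == "__main__":
    shared_secret = b"use-a-long-random-value-here"   # constructed; generate a real one with os.urandom
    packet = build_access_request(7, "alice", "Correct-Horse-Battery" + "287082", shared_secret)
    print(parse_access_request(packet, shared_secret))   # ('alice', 'Correct-Horse-Battery', '287082')
```

Because the OTP is the last six characters of the RADIUS password field, a password that itself ends in digits is still handled correctly, but a user who types a space between the two parts breaks the split, which is the reason for the "do not add a space" note above.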

Logon App Resources
The Logon app is used to require authentication when users log on to a computer or server. This includes protection for
RDP and RD Gateway. In the logon screen, users must type their password and then choose one of the allowed
methods of authentication (push notification, one-time password, or QR code).

There are two parts to the Logon app:

- The application you install on a computer or server (AuthPoint Agent)
- The resource you configure in AuthPoint

The Logon app adds MFA to Windows and Mac computers.

The authentication flow with the AuthPoint Logon app.

To set up the Logon app, you must:

- Configure a Logon app resource in the AuthPoint management UI.
- Assign access policies for the Logon app resource to your AuthPoint groups.
- Download the installer and the configuration file for the Logon app (these must be saved in the same directory).

When you install the Logon app, the computer must be connected to the Internet before the user logs on for the first
time. This is required so that the Logon app can communicate with AuthPoint to verify the access policy. After the first
successful authentication, the computer stores the most recent access policy locally. This local policy is used when the
user authenticates offline, and it is updated when the computer has an Internet connection.

Because push notifications require Internet access, we recommend that the access policy for the
Logon app includes the QR code or OTP authentication options so users can authenticate when
they are not connected to the Internet.

You can use one Logon app resource to create access policies for every group. You do not need to configure additional
Logon app resources for each computer that the Logon app is installed on, regardless of the OS. If you have only one
Logon app resource, you can use the same configuration file for each installation of the Logon app.

Authenticate with the Logon App
To authenticate and log on, all domain and local users must have an active AuthPoint user account with an access
policy for the Logon app. Users that do not have an AuthPoint user account with an active token cannot authenticate
and log on to a computer with the Logon app installed.

A user must first log in with Windows or Mac credentials. If those credentials are valid, the user must select a second
authentication option.

AuthPoint Sign-in Options

If the computer does not have an Internet connection, the user must select the One Time Password or QR Code
authentication option to authenticate offline.

If the user does not have access to their mobile device, the user can select Forgot Token to start a process for the
administrator to temporarily disable MFA for that user account for a specific amount of time.

IdP Portal Resource
The AuthPoint Identity Provider (IdP) portal is a page that shows users a list of SAML resources available to them. To
configure the IdP portal, you add an IdP resource, and then assign it to one or more user groups. When users log in to
the IdP portal, they see the SAML resources they have access to. Users can click an application to open it in a new tab.

Example of an IdP portal with SAML resources.

Users authenticate to the IdP portal. When the user selects a resource, AuthPoint sends a SAML assertion for that user
to the service provider automatically, so the user does not have to log in to the resource again. If a SAML resource
requires a different authentication method than the method used for authentication to the IdP portal, the user must
complete the additional authentication step to access the resource.

Diagram of authentication flow for the IdP Portal resource.

Users who were added manually in AuthPoint can change their passwords on the IdP portal page. Users whose accounts
are synced from an Active Directory or LDAP database cannot reset or change their passwords there.

You can configure only one IdP portal resource. Add an access policy for the IdP Portal resource to one or more user
groups. Users in those groups can then log in to the IdP Portal to connect to applications available to them.

SAML Resources
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication information
between a service provider and an identity provider. A service provider is the provider of a third-party service that
users connect to, such as Salesforce or Microsoft. An identity provider, such as AuthPoint, authenticates users when
they log in to a service or application.

User authentication with AuthPoint Push authentication to a cloud app with SAML

In AuthPoint, SAML resources connect AuthPoint with a service provider. Add SAML resources and define access
policies for the resources to require that users authenticate before they can connect to services and applications. You
can create a SAML resource for almost every application that is compatible with SAML 2.0.

When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP
portal is a portal page that shows users a list of SAML resources available to them. The IdP portal is
not required for SAML authentication.

For SAML resources, the User ID determines which AuthPoint user attribute is sent to your service provider when a
user authenticates.

To configure MFA for a service provider, you must:

- Create an AuthPoint SAML certificate (if you do not have one).
- Configure SAML authentication for your third-party service provider.
- Add a SAML resource in the AuthPoint management UI.
- Assign an access policy for the SAML resource to one or more AuthPoint groups.

When you configure SAML authentication for a service provider, you must get the AuthPoint metadata from the
Certificate Management page in the AuthPoint management UI. You use the AuthPoint metadata to configure MFA for
SAML applications on the service provider. The AuthPoint metadata provides your resource with information that is
needed to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity
provider (AuthPoint).

Some service providers require the metadata file to configure authentication, but others only require
the metadata URL. Which one you need depends on the third-party service provider.

When you add a SAML resource in AuthPoint, you must configure these settings:

- Service Provider Entity ID and Assertion Consumer Service — Specify the values from the service provider
  of the application.
- User ID — Select the AuthPoint user attribute to send to your service provider when a user authenticates.
- AuthPoint Certificate — Select the AuthPoint certificate to associate with your resource. We recommend that
  you choose the certificate with the latest expiration date.

SAML Certificates
From the AuthPoint management UI, you can create and manage the AuthPoint certificates used for SAML
authentication. The AuthPoint certificate provides your resource (service provider) with the information needed to
identify AuthPoint as a trusted identity provider. This is required for SAML authentication.

You must create at least one AuthPoint certificate before you can add a SAML resource. If your account already has
one or more certificates, you only need to create a new certificate when you replace an existing certificate.

You might need to replace a certificate for security reasons or when the expiration date is near.

SAML Resource Example
On a Firebox, the Access Portal provides secure remote access to common web applications that use HTML.

USE CASE:

To increase security for a Firebox Access Portal, you want to enable multi-factor authentication when
users log in to the Access Portal.

You can configure the Access Portal as a SAML resource. In this example, the Firebox Access Portal is the service
provider, and AuthPoint is the identity provider.

On the Firebox, in the Access Portal configuration, the SAML settings include:

n Service provider settings:


o IdP Name — The authentication server name that appears to users who authenticate to the portal.
o Host Name — An FQDN that resolves to the external interface of the Firebox.

n Identity provider settings:


o IdP Metadata URL — Metadata URL of an AuthPoint SAML certificate copied from the Certificate

Management page in your AuthPoint account.

After you enable SAML for the Access Portal, the Firebox hosts a configuration page that includes information and a
certificate for SAML integration: http://[Host name or IP address for Firebox SAML]/auth/saml.

The SAML configuration page on the Firebox includes:

- Service Provider Entity ID — Copy and paste this to the SAML resource in AuthPoint.
- Assertion Consumer Service — Copy and paste this to the SAML resource in AuthPoint.
- Logout URL — Copy and paste this to the SAML resource in AuthPoint.
- Certificate file — Download this file, and then upload it to the SAML resource in AuthPoint.

Use this information and the certificate file to configure the SAML resource in AuthPoint. In the SAML resource, you
must also select the AuthPoint certificate associated with the IdP Metadata URL you configured in the SAML settings
for the Access Portal on the Firebox.

Example SAML resource for the Firebox Access Portal

After you add the SAML resource, add it to one or more user groups. Users in those groups must then use a configured
option to authenticate to the Access Portal.

For detailed instructions to set up this integration, see Firebox Access Portal Integration with AuthPoint.

SAML Integration Guides
The steps to set up a service provider to use AuthPoint for MFA vary for each application. When you add a SAML
resource, you select the Application Type. In the SAML resource configuration page you can click the Integration
Guide link to open an integration guide with the steps to set up the selected application type.

Screen shot of a SAML resource with the Integration Guide link.

ADFS Resource
Active Directory Federation Services (ADFS) is a single sign-on solution for Active Directory that enables users to log in
to external systems and applications with their Active Directory credentials. Like AuthPoint, ADFS is an identity
provider. For additional security, you can configure AuthPoint to add multi-factor authentication to ADFS. To do this,
you add an ADFS resource in the AuthPoint management UI and install the ADFS agent on your ADFS server.

When you configure the AuthPoint ADFS agent, the ADFS Server validates the user password, and then sends a
request to AuthPoint for MFA.

Diagram of authentication flow with ADFS and the AuthPoint ADFS agent

To configure MFA for ADFS, you must:

- Add an ADFS resource.
- Download and install the AuthPoint Gateway.
- Add the ADFS resource to the configuration for your Gateway.
- Download and install the AuthPoint ADFS agent.
- Enable MFA for groups in ADFS.
- Assign an access policy for the ADFS resource to one or more AuthPoint groups.

The AuthPoint Gateway must be installed and available when you install the ADFS agent. The
Gateway is the point of communication between AuthPoint and your ADFS server.

After you install the ADFS agent, enable MFA in ADFS for one or more groups. MFA works only for the users that are a
member of the ADFS groups that you select and a member of the AuthPoint groups with an access policy for the ADFS
resource.

With the ADFS agent configured, users must authenticate when they access your organization's web applications.
When users navigate to a web application, they are redirected to the ADFS SSO page where they must provide their AD
credentials and authenticate with MFA.

RD Web Resource
RD Web (Remote Desktop Web Access) is a portal that enables users to download applications to run software
remotely through the RD Gateway. The AuthPoint agent for RD Web adds the protection of multi-factor authentication
to RD Web. When a user types their user name and password on the RD Web page, the agent directs the request to
AuthPoint. The single sign-on page loads with available authentication options based on the access policy for the
AuthPoint group the user belongs to.

Diagram of authentication flow for RD Web with AuthPoint

When you configure an RD Web resource in the AuthPoint management UI, you must select an AuthPoint identity
provider certificate to use for SAML authentication. This is for SAML applications that support RD Web.

RD Web Server Requirements

To install the AuthPoint agent for RD Web, the RD Web server must meet these requirements:

- Microsoft .NET Framework — Version 4.7.2 or higher installed
- Operating System — Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

RD Web Authentication
The AuthPoint RD Web resource enables MFA for user authentication to the RD Web Access portal.

From the RD Web access portal, users download applications for remote access to computers and applications. Users
can run those applications without a connection to the RD Web access portal. When a user runs a downloaded RD Web
application, the user does not connect to the RD Web portal again, and MFA is not required.

To require MFA when users connect to a remote desktop through an RD Web application, install the
AuthPoint Agent on the remote computer that the RD Web application connects to.

MFA Authentication Methods
Multi-factor authentication is any combination of something you know (such as a password), something you have (such
as a mobile phone), and something you are (a fingerprint). With AuthPoint MFA, each user installs the AuthPoint app on
a mobile device, and activates a token. The user can then use the app to authenticate with the Push, QR Code, or
One-Time Password (OTP) authentication methods.

When a user tries to log in to a resource that requires authentication, the AuthPoint single sign-on (SSO) page appears.
To log in, the user types their AuthPoint password (if required) and chooses an authentication method.

The authentication methods available depend on the access policies assigned to your user group.
Some resources might require specific authentication methods, or allow only certain methods.

When a user authenticates, the web browser creates a session and remembers the user. While the user session is
active, the user does not need to authenticate again for SAML resources, RD Web resources, or the IdP portal unless
the resource requires a more secure authentication method.

From most secure to least secure, the authentication methods are:

1. Push notification and QR code
2. One-time password
3. Password

For example, if you use a password and an OTP to log in to the IdP portal, you can then log in without authentication to
any resource that has OTP as an allowed authentication option or that requires only a password.

The table below shows when an authenticated user must reauthenticate.

| User Previously Authenticated With | Access Policy for Resource | Authentication Action |
|---|---|---|
| Password | Password | Log in without authentication |
| Password | Password + OTP, QR code, or Push | User must authenticate with OTP, QR code, or Push (no password required) |
| OTP | Password or OTP | Log in without authentication |
| OTP | Password + QR code or Push | User must authenticate again with QR code or Push (no password required) |
| OTP | OTP, QR code, or Push | Log in without authentication |
| QR code or Push | Any | Log in without authentication |
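The reauthentication rule behind this table, as an added Python example that is not WatchGuard's code: it encodes the strength ordering given above (Push and QR code, then OTP, then password) and derives each row of the table from it. The policy and method names are the example's own.

```python
from dataclasses import dataclass

# Strength ranking from the study guide: Push and QR code are equivalent and
# strongest, then OTP, then the password alone.
STRENGTH = {"password": 1, "otp": 2, "qr": 3, "push": 3}


@dataclass(frozen=True)
class AccessPolicy:
    """Access policy for one resource (names are this example's own): whether a
    password is required and which authentication options (otp, qr, push)
    the user may choose from."""
    require_password: bool
    options: frozenset

    def __post_init__(self):
        unknown = self.options - {"otp", "qr", "push"}
        if unknown or (not self.require_password and not self.options):
            raise ValueError("policy needs a password and/or valid options")


def weakest_accepted(policy):
    """Strength of the weakest way a user with no session could satisfy the policy."""
    if not policy.options:
        return STRENGTH["password"]  # password-only policy
    return min(STRENGTH[o] for o in policy.options)


def decide(session_methods, policy):
    """Return ("none", ()) when the existing session is strong enough for the
    resource, otherwise ("reauth", required) listing the options the user must
    now use. The password is never asked for again, as in the guide's table."""
    if not session_methods:
        raise ValueError("decide() is for users who already hold a session")
    session_strength = max(STRENGTH[m] for m in session_methods)
    if session_strength >= weakest_accepted(policy):
        return ("none", ())
    required = tuple(sorted(o for o in policy.options if STRENGTH[o] > session_strength))
    return ("reauth", required)


if __name__ == "__main__":
    # Reproduce the study guide's table row by row.
    rows = [
        ({"password"}, AccessPolicy(True, frozenset())),
        ({"password"}, AccessPolicy(True, frozenset({"otp", "qr", "push"}))),
        ({"otp"}, AccessPolicy(True, frozenset())),
        ({"otp"}, AccessPolicy(True, frozenset({"qr", "push"}))),
        ({"otp"}, AccessPolicy(False, frozenset({"otp", "qr", "push"}))),
        ({"push"}, AccessPolicy(True, frozenset({"otp"}))),
    ]
    for session, policy in rows:
        print(sorted(session), "->", sorted(policy.options) or ["password only"],
              "=>", decide(session, policy))
```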

Authentication Methods
Push Authentication

For push authentication, AuthPoint sends a push notification to your phone. You can either tap Approve to
authenticate and get access to your applications, or tap Deny to prevent an access attempt that was not made
by you.

If your token is protected by Token Security, the AuthPoint app opens and prompts you to unlock your token with
a biometric ID or a PIN when you try to approve a push notification. After you validate, you can approve or deny
the push notification.

QR Code

A QR code is a square barcode that your phone can scan to read stored data. AuthPoint uses secure QR codes
to provide you with a verification code for authentication. Only the built-in AuthPoint app QR code reader can
decrypt AuthPoint QR codes.

RADIUS client resources cannot use the QR code authentication option.

One-Time Password

An OTP is a unique, temporary password that is only valid for a short time. OTPs are used in addition to your
normal password for authentication. On the Token Management page of the AuthPoint app, you can see the OTP
for each token and how long the OTP is valid. The OTP for protected tokens is hidden until you unlock your
tokens.

About Tokens
A token is something that contains information used to prove identity, like a digital signature or fingerprint. You activate
or install a token on a device used for authentication (known as an authenticator). You can then use this device to gain
access to protected resources that require MFA.

To confirm your identity when you authenticate, you must prove that you have possession of the authenticator, or token,
assigned to you.

AuthPoint supports two types of tokens:

Software Tokens
A software token is a token that you activate and install with the AuthPoint app on your mobile device.

When you create a user in AuthPoint, a software token is automatically created for them. The user receives an
email with instructions to download the AuthPoint mobile app and activate the token on a single mobile device.
The activation code is valid for seven days.

If a user has more than one device, the user must activate a separate token for each device.

Hardware Tokens
A hardware token is a physical device with a built-in token. You can use third-party hardware tokens with
AuthPoint multi-factor authentication. To assign hardware tokens to users, you must buy supported hardware
tokens from a vendor and import the tokens to AuthPoint. For more information, see Hardware Tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens. Before a user can
authenticate with AuthPoint, they must have at least one active hardware or software token.

Block Users and Tokens

An active token is required for a user to authenticate. Each active token is associated with a specific device. On the
Users page, you can manage your AuthPoint users and the tokens assigned to them.

There are two ways to prevent authentication:

Block a User
Block a user to prevent authentication with any of the user's WatchGuard tokens on any mobile device. A
blocked user can still use their third-party tokens, such as Google Authenticator, to authenticate with third-party
resources.

USE CASE:

A user leaves your organization or their user account has been compromised in some way. To block
authentication with any WatchGuard token for that user, you can block the user.

Block a Token
Block a token to prevent user authentication with a specific token. While a token is blocked, the user can still
authenticate with other active tokens.

USE CASE:

A user loses their phone. To block authentication from that device, you can block the token activated for
that device. If the user has an active token on another device, the user can still authenticate with the other
active token. If the user finds their phone, you can activate the token so the user can use it again for
authentication from that device.

AuthPoint Groups and Users
AuthPoint groups define the authentication requirements for user access to AuthPoint resources.

In the AuthPoint management UI, use these pages to manage groups and users:

Groups page — Manage AuthPoint groups and access policies
In AuthPoint, groups define which resources users in the group have access to and which authentication
methods they can use (Push, QR code, and OTP).

Users page — Manage AuthPoint users and tokens
Manually add and edit AuthPoint users, and see imported users. Manage tokens for both manually added and
imported AuthPoint users.

External Identities page — Synchronize users from an external database
Import users from an Active Directory or LDAP database, and assign those users to an AuthPoint group.

Each user can only be a member of one AuthPoint group. You must add at least one AuthPoint group
before you add or import users.

Groups
In AuthPoint, groups define what resources your users have access to. In each group, you configure access policies to
specify which resources users in that group can authenticate to and which authentication methods they can use (Push,
QR code, and OTP).

You do not need to recreate your entire group directory structure in AuthPoint. When you import users, you assign the
users to an AuthPoint group.

Access Policies
When you edit a group, you can configure access policies with authentication options for each resource.

Example group with access policies for several different types of resources.

In each access policy, you choose whether to require a password, and select allowed authentication options.

Example policy for a SAML resource.

If you select more than one authentication option for a resource, users must choose one of the available options when
they authenticate to that resource. For example, if you select OTP and Push, users can choose whether to type their
OTP or approve a push to authenticate, but you cannot require that they do both.

Safe Locations
For each group, you can also configure safe locations. Safe locations are public IP addresses that are considered safe.

Example of safe locations added to a group.

If a user logs in to a resource from a computer that uses a public IP address identified as a safe location for their group,
the user is not required to use MFA. Users in a safe location can log in with only a user name and password.

Users
For a user to use AuthPoint, you must create an AuthPoint user in your account and select the group the user belongs
to. Each AuthPoint user account requires one AuthPoint user license. When you add a user, the user is assigned a
token. The user receives an email with instructions to activate the token in the AuthPoint app.

Each user must be a member of an AuthPoint group. For this reason, you must add at least one
group before you can add users to AuthPoint.

There are two ways to add AuthPoint user accounts:

- Add users manually
- Synchronize users from Active Directory or LDAP

Add Users Manually

You can add users manually on the Users page in the AuthPoint management UI.

Because you can create only one user at a time, you most commonly add users manually when you
want to create test users or need to add only a small number of users.

Unlike users synchronized from an external Active Directory or an LDAP database, users that you create manually in
AuthPoint define and manage their own AuthPoint password.

When you manually create a user account, AuthPoint sends the end user two emails:

- An email to set their AuthPoint password
- An email to activate their AuthPoint token

From the Users page, you can also resend these emails, if needed.

Sync Users from Active Directory or LDAP

You can synchronize users from an Active Directory or a Lightweight Directory Access Protocol (LDAP) database. This
is a quick way to add users already defined on your network. AuthPoint integrates with your domain controller to keep
the user accounts in sync.

Diagram of LDAP user import, and authentication workflow.

To synchronize users, you must install an AuthPoint Gateway. The AuthPoint Gateway connects to a domain controller
to import users from an Active Directory or LDAP database. The AuthPoint Gateway is also required to validate user
credentials when users authenticate.

For more information about gateway configuration, see AuthPoint Gateway.

AuthPoint does not store user passwords for synchronized LDAP or Active Directory users.
When a synchronized user authenticates, AuthPoint sends the LDAP credentials to the domain
controller for validation. After the domain controller validates the credentials, AuthPoint handles
any other authentication options specified in the access policy for the user group.

To configure AuthPoint to synchronize users from an Active Directory or LDAP database, you must add an external
identity, and create one or more queries:

External identity
An external identity specifies settings required for AuthPoint to connect to an external user database. For
AuthPoint to connect to the external database, you must also link this external identity to an AuthPoint Gateway.

Queries
For each external identity, queries specify which users to sync. The AuthPoint Gateway uses the queries to
request user information from the external user database and create AuthPoint users for the users that match the
query. For each LDAP query, you specify which AuthPoint group you want the users to be a member of.

Before you can sync users, you must add the external identity to the configuration for a Gateway.
You must install the AuthPoint Gateway on your corporate network in a location that has Internet
access and that can connect to your LDAP server.

For each external identity you can add queries, check the connection, or start a manual synchronization.

There are two query types:

- Group Sync — Select the LDAP groups you want to sync users from. AuthPoint creates the query for you
  based on the group you choose. This is the simpler option, and is recommended.
- Advanced Query — Create your own LDAP queries to specify which groups or users to sync.

You can add multiple queries. To add a query or to see the list of configured queries, select the query type.

Before you sync users, make sure that each user in your external user database has a valid email
address. Users must have an email address so that AuthPoint can send a token activation email.
LDAP users without a user name, first name, or email address are not included in the
synchronization.

After you add a query to find your users, AuthPoint syncs with your Active Directory or LDAP database at the next
synchronization interval and creates an AuthPoint user account for each user identified by the query. From the External
Identities page, you can also manually start a synchronization. On the Users page, you can identify users synced from
an external identity by the LDAP tag next to their user name.

Monitor User and Token Status
On the Users page you can see your AuthPoint users and the details for each user account.

The User Name column shows the status of the user account:

| User Status | Definition |
|---|---|
| Activated | The user account is activated and can authenticate with any active tokens. |
| Quarantined | The LDAP synced user account cannot authenticate because the LDAP user was moved or deleted, the external identity was deleted, or other domain information was changed. |
| Blocked | The user cannot authenticate with any WatchGuard tokens on any mobile device. The user can still use third-party tokens, such as Google Authenticator, to authenticate with third-party resources. |

The Token column shows the status of the user's tokens:

| Token Status | Definition |
|---|---|
| Pending | The token has not been activated by the user. |
| Activated | The token has been activated and can be used for authentication. |
| Blocked | The token is blocked and the user cannot authenticate with that token. The user can still use other active WatchGuard tokens, if they have any, to authenticate. |

Quarantined Users
If you move or delete a user account in your LDAP database, the linked AuthPoint user account is marked Quarantined.
Quarantined user accounts display a yellow icon next to their user name in the users list.

An AuthPoint user account can also be quarantined if the External Identity was deleted or other
domain information changed.

Users with quarantined user accounts cannot authenticate until you restore or move them back to the original location in
the LDAP database. If you moved or deleted the user account intentionally, the quarantined account remains in
AuthPoint until you manually delete it in AuthPoint.

To delete an LDAP user in AuthPoint, the best practice is to remove the user from the AD or LDAP
group to give them the Quarantine status in AuthPoint, then delete the user in AuthPoint.

AuthPoint Gateway
The AuthPoint Gateway is a lightweight software application that you install on your network so that AuthPoint can
communicate with your RADIUS clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.
The Gateway operates as a RADIUS server for RADIUS authentication, and can also import LDAP users and validate
their passwords.

Diagram of communications through the AuthPoint Gateway

The Gateway provides a secure link between the AuthPoint service in the cloud and the local authentication services
and clients on your network. The Gateway makes a secure connection to AuthPoint for user synchronization and
authentication requests.

Install a Gateway on a computer on your network for integration with:

RADIUS
The Gateway is a RADIUS server that can accept authentication requests from RADIUS clients.

LDAP
The Gateway imports users from the domain controller. The Gateway also validates user credentials each time
an LDAP user logs in to an AuthPoint resource that requires a password.

ADFS
The gateway communicates with an installed AuthPoint ADFS agent to enable MFA for an existing
ADFS deployment.

Each gateway can communicate with RADIUS, LDAP, and ADFS resources. You can also configure multiple
Gateways for the same resources for high availability.

Configure an AuthPoint Gateway
From the Gateway page in the AuthPoint management UI, you can add a Gateway. When you configure a Gateway,
you select RADIUS resources, ADFS resources, and LDAP external entities you want the gateway to communicate
with.

The Add Gateway page where you add resources.

You cannot select the same LDAP external identity in more than one AuthPoint Gateway.

In the Gateway configuration you can specify the RADIUS port. The default port used by the Gateway (RADIUS server)
to communicate with the RADIUS clients is port 1812. If you already have a RADIUS server installed that uses port
1812 (or 1645), you must use a different port for the AuthPoint Gateway.

After you add the Gateway, copy the registration key, which is required to install the Gateway.

The Gateway registration key is a one-time use key. If your Gateway installation fails, you must
generate a new registration key before you try to install the Gateway again.

Install the Gateway Software

Before you install the AuthPoint Gateway, make sure that:

- The computer you will install the Gateway on has Internet access.
- The computer you will install the Gateway on can communicate with your RADIUS clients and Active Directory
  or LDAP database.
- You have the registration key for your Gateway.

When you install the AuthPoint Gateway, you must provide the Gateway registration key. The key is used to register
the Gateway and enables WatchGuard Cloud (AuthPoint) to identify and communicate with the installed Gateway. The
installer connects to your AuthPoint account and downloads the Gateway configuration.

The Gateway runs as four services. The Gateway service handles connections to your AuthPoint account in the cloud
and sends configuration settings to the other three services. The other three services handle RADIUS, ADFS, and
LDAP communication on the local network.

Monitor Gateway Status

On the Gateway page, you can see the status of Gateway(s) you have configured and the version of Gateway software
that is installed.

The status icon next to the name of a Gateway indicates the status of the Gateway:

- The Gateway is installed and can communicate with WatchGuard Cloud
- The Gateway is not installed
- The Gateway is not connected and cannot communicate with WatchGuard Cloud

If needed, you can regenerate the registration key needed to install the Gateway.

Gateway High Availability

AuthPoint Gateways support high availability. In a high availability Gateway configuration:

- AuthPoint uses only the primary Gateway to synchronize users with the domain controller.
- AuthPoint uses one Gateway at a time for user authentication requests to a domain controller. It uses a
  secondary Gateway only when the primary Gateway is not available.
- Both primary and secondary Gateways process RADIUS authentication requests.

For each primary Gateway that you configure, you can configure up to five secondary Gateways to enable high
availability.

Primary Gateway
The primary Gateway synchronizes your LDAP users and enables RADIUS authentication and LDAP user
authentication. This Gateway is the primary point of communication between AuthPoint and your RADIUS
clients, the AuthPoint agent for ADFS, and your Active Directory or LDAP database.

Secondary Gateway
You can configure secondary Gateways as a failover for LDAP user authentication. When your primary Gateway
is not available, AuthPoint automatically sends LDAP user authentications through the secondary Gateway until
the primary Gateway becomes available again.

You can also use secondary Gateways as a backup RADIUS server. The only limitation is that the third-party
software or device that sends authentication requests to the Gateway must support the use of additional
RADIUS servers. Both primary and secondary Gateways process authentication requests from RADIUS
clients.

Diagram of a primary and a secondary Gateway configured for high availability.

To provide high availability for AuthPoint MFA through a Firebox, you can configure the Firebox to use
a primary and backup RADIUS server.

Hardware Tokens
In addition to software tokens, AuthPoint also supports hardware tokens for authentication with an OTP. A hardware
token is a physical device with a built-in token.

To use third-party hardware tokens with AuthPoint multi-factor authentication you must:

- Buy supported hardware tokens from a vendor.
- Import hardware tokens to AuthPoint.
- Assign hardware tokens to users.
- Activate hardware tokens.

Each AuthPoint user can have up to 20 software tokens and any number of hardware tokens.

Third-party hardware token requirements:

- Response Format — Six-digit time-based OTP that includes only numbers, with a 30- or 60-second time interval
- Algorithm — OATH time-based OTP (RFC 6238)
- Seed Delivery — OATH PSKC file (RFC 6030)

Manage Hardware Tokens

When you import third-party hardware tokens into AuthPoint, you must upload the seed file and provide a key.

- Seed File — The seed file is a Portable Symmetric Key Container (PSKC) file that is used to import hardware
  token information into AuthPoint. This file contains device information for each hardware token. The accepted file
  types for a seed file are .XML, .PSKC, .TXT, and .VIP.
- Key — The key is used to decrypt the seed file so AuthPoint can validate the one-time passwords (OTPs) that
  the hardware tokens generate. The key can be a string of characters that you type in AuthPoint or a file that you
  upload. The accepted file types for a key file are .TXT and .BIN. You receive the seed file and key from your
  hardware token vendor. You use the key to decrypt the keys in the seed file.

After you import third-party hardware tokens, you can assign each token to an AuthPoint user, and then activate the
token.
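What the token requirements and the seed-file import above amount to, as an added Python example that is not WatchGuard's or any vendor's code: it reads a PSKC (RFC 6030) seed file, enforces the six-digit, 30- or 60-second TOTP requirement, and validates OTPs per RFC 6238 with a small clock-drift window. It assumes an unencrypted seed file (PlainValue elements); a vendor file that carries EncryptedValue elements would additionally need the vendor key, which is what AuthPoint uses the key for at import. The seed file, vendor name and serial numbers are constructed; the secret is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PSKC_NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}
TOTP_ALGORITHM = "urn:ietf:params:xml:ns:keyprov:pskc:totp"

# Constructed seed file with two tokens. Both carry the RFC 6238 reference
# secret "12345678901234567890" (base64 below); the vendor name and serial
# numbers are made up. Real vendor files usually hold <EncryptedValue>
# elements instead of <PlainValue>, which is what the import key unlocks.
SAMPLE_PSKC = """<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>ExampleVendor</Manufacturer>
      <SerialNumber>EX-000001</SerialNumber></DeviceInfo>
    <Key Id="EX-000001" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><Manufacturer>ExampleVendor</Manufacturer>
      <SerialNumber>EX-000002</SerialNumber></DeviceInfo>
    <Key Id="EX-000002" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>60</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


@dataclass(frozen=True)
class HardwareToken:
    serial: str
    secret: bytes
    digits: int
    interval: int  # seconds per OTP step


def parse_pskc(xml_text):
    """Return the TOTP tokens in a plaintext PSKC file, rejecting anything that
    does not meet the six-digit numeric, 30 or 60 second requirement."""
    root = ET.fromstring(xml_text)
    tokens = []
    for pkg in root.findall("pskc:KeyPackage", PSKC_NS):
        key = pkg.find("pskc:Key", PSKC_NS)
        if key is None or key.get("Algorithm") != TOTP_ALGORITHM:
            raise ValueError("only OATH TOTP (RFC 6238) tokens are supported")
        serial_el = pkg.find("pskc:DeviceInfo/pskc:SerialNumber", PSKC_NS)
        serial = serial_el.text.strip() if serial_el is not None else key.get("Id")
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", PSKC_NS)
        digits = int(fmt.get("Length", "6")) if fmt is not None else 6
        encoding = fmt.get("Encoding", "DECIMAL") if fmt is not None else "DECIMAL"
        secret_el = key.find("pskc:Data/pskc:Secret/pskc:PlainValue", PSKC_NS)
        if secret_el is None:
            raise ValueError(f"{serial}: secret is encrypted; the vendor key is needed")
        interval_el = key.find("pskc:Data/pskc:TimeInterval/pskc:PlainValue", PSKC_NS)
        interval = int(interval_el.text) if interval_el is not None else 30
        if digits != 6 or encoding != "DECIMAL" or interval not in (30, 60):
            raise ValueError(f"{serial}: not a six-digit numeric 30/60 s TOTP token")
        secret = base64.b64decode(secret_el.text.strip())
        tokens.append(HardwareToken(serial, secret, digits, interval))
    return tokens


def hotp(token, counter):
    """RFC 4226 HMAC-SHA1 one-time password for one counter value."""
    mac = hmac.new(token.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** token.digits).zfill(token.digits)


def totp(token, unix_time):
    """RFC 6238: the counter is the number of whole intervals since the epoch."""
    return hotp(token, int(unix_time) // token.interval)


def verify_otp(token, submitted, unix_time, drift_steps=1):
    """Accept the OTP for the current step or its neighbours, so a hardware
    token whose clock has drifted slightly still validates."""
    current = int(unix_time) // token.interval
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter >= 0 and hmac.compare_digest(hotp(token, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    for tok in parse_pskc(SAMPLE_PSKC):
        print(tok.serial, tok.interval, "s interval, OTP at t=59:", totp(tok, 59))
```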

Authenticate with a Hardware Token

You can use hardware tokens to authenticate with an OTP. You authenticate with hardware tokens the same way you
authenticate with the software tokens on your mobile device. When you access a resource that requires authentication,
select the option to authenticate with OTP and type the OTP shown on your hardware token.

Troubleshooting
If authentication does not work as expected, or if a failure occurs, you can use reports, alerts, and audit logs to
troubleshoot the issue. To get started, consider all the steps involved with the authentication flow, based on the
configured resource type and access rules. Then, start from the end of the authentication flow and work your way back.

Here are some examples of things to check:

- Did the user receive a push notification? (if push authentication was configured)
- Is there an audit log for the authentication attempt?
- For authentication flows that require the Gateway, what do the Gateway logs say?

Steps to troubleshoot specific AuthPoint issues depend on the type of problem, and which AuthPoint and external
components are involved in the authentication flow. Some AuthPoint components, such as the Gateway, have local log
files that are useful for troubleshooting.

Troubleshooting Tools
To troubleshoot most AuthPoint issues, start by looking at AuthPoint reports, audit logs, and alerts.

Audit logs are often a useful starting point for troubleshooting AuthPoint issues.

Start most troubleshooting by looking at the information available in WatchGuard Cloud and the AuthPoint Gateway.

AuthPoint Reports
Reports show information about AuthPoint activity and events. Some useful reports for troubleshooting include:

- Denied Push Notifications — See if the user denied a push notification
- Resource Activity — See which resources users are failing to authenticate to
- Authentication — See authentication failures for each user
- Sync Activity — See the LDAP user synchronization history

For more information about reports, see Introduction to AuthPoint.

Alerts
WatchGuard Cloud generates alerts for events based on notification rules. For example, you see an alert when a
Gateway connects or disconnects, and when a user denies a push authentication request. You can add
notification rules to generate other types of alerts.

Audit Logs
Audit logs show events related to management actions, configuration changes, and AuthPoint events. For
authentication events, the audit log detail shows all the details about the authentication attempt.

You can use the detail from audit logs to match log messages for events on the Gateway or in authentication
error messages in the IdP Portal or Logon app for Windows or Mac.

Gateway Log Files

For authentication types that involve the AuthPoint Gateway, look at log files on the Gateway. Log messages
include information about Gateway operations, and connections to RADIUS, LDAP, and ADFS. The Gateway
runs as four services: Gateway, RADIUS, LDAP, and ADFS.

Each service creates a log file. Log messages include the user name and request ID, which can be useful to
match a log message to an associated AuthPoint audit log event or error message.

Troubleshooting Tips
Here are some tips to troubleshoot issues with specific types of authentication or AuthPoint components. In most
cases, try to find the error codes and request ID associated with the error. You can then use that information to search
the Audit log and log messages.
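The request-ID matching that the Gateway Log Files section and the paragraph above describe, as an added example (not WatchGuard code): it parses constructed Gateway service log lines, joins them to constructed audit log events on the request ID, and reports the first Gateway error for each failed authentication. The line format, field names, and error codes are assumptions made for illustration, not AuthPoint's real log formats.

```python
"""Match AuthPoint Gateway log lines to audit log events by request ID.
Added example, not WatchGuard code: the log line format, field names, and
error codes below are constructed for illustration, not AuthPoint's real ones."""
import re
from collections import defaultdict

# Constructed sample lines from the Gateway RADIUS and LDAP service logs.
GATEWAY_LOG = """\
2019-10-17 09:12:01 INFO  RADIUS request received user=jsmith request_id=7f3a21
2019-10-17 09:12:01 INFO  RADIUS forwarded to cloud user=jsmith request_id=7f3a21
2019-10-17 09:12:09 ERROR RADIUS push denied by user user=jsmith request_id=7f3a21
2019-10-17 09:13:44 INFO  RADIUS request received user=akim request_id=9c0d55
2019-10-17 09:13:44 ERROR LDAP bind failed to dc01 user=akim request_id=9c0d55
"""

# Constructed sample audit log events exported from WatchGuard Cloud.
AUDIT_EVENTS = [
    {"request_id": "7f3a21", "user": "jsmith", "result": "denied", "code": "E_PUSH_DENIED"},
    {"request_id": "9c0d55", "user": "akim", "result": "failed", "code": "E_LDAP_UNREACHABLE"},
]

# Assumed line layout: "<date> <time> <LEVEL> <message> user=<name> request_id=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+(?P<msg>.*?) user=(?P<user>\S+) request_id=(?P<rid>\S+)$"
)

def parse_gateway_log(text):
    """Group Gateway log lines by request ID, keeping timestamp, level, and message."""
    by_rid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_rid[m["rid"]].append((m["ts"], m["level"], m["msg"]))
    return by_rid

def correlate(gateway_text, audit_events):
    """For each audit event, attach the Gateway lines with the same request ID and
    the first ERROR message, so one lookup shows both sides of the failure."""
    by_rid = parse_gateway_log(gateway_text)
    report = {}
    for ev in audit_events:
        lines = by_rid.get(ev["request_id"], [])
        first_error = next((msg for _, lvl, msg in lines if lvl == "ERROR"), None)
        report[ev["request_id"]] = {
            "user": ev["user"], "code": ev["code"], "result": ev["result"],
            "gateway_lines": len(lines), "first_error": first_error,
        }
    return report

if __name__ == "__main__":
    for rid, info in correlate(GATEWAY_LOG, AUDIT_EVENTS).items():
        print(rid, info)
```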

Troubleshoot the AuthPoint Gateway
The AuthPoint Gateway runs as four services:

• Gateway — Communicates with WatchGuard Cloud and configures the other three services
• RADIUS — Communicates with RADIUS clients
• LDAP — Communicates with LDAP
• ADFS — Communicates with ADFS

Use the Windows Services app to verify that all four services are running.

[Screenshot: the four AuthPoint Gateway services shown as running in the Windows Services app]

If a service is not running, use Windows Event Viewer to see when services stopped and started.

The Gateway service must be started and running correctly before the other services will start. If the Gateway
service is unable to connect to the cloud, or is unable to start for some reason, the other services will hang as
they wait for configuration files that never arrive. If you successfully restart the Gateway service, you must also
restart the other services after the Gateway service is running properly again.

Troubleshoot RADIUS Authentication
Look at log messages and error messages:

• Audit logs in WatchGuard Cloud
• RADIUS logs on the AuthPoint Gateway
• RADIUS client error messages
• Firebox log messages — If the Firebox is configured as a RADIUS client, search Firebox log messages for
  user authentication events, and connection errors between the Firebox and the AuthPoint Gateway.

Other things to try:

• Make sure the RADIUS port is open on the server on which the Gateway is installed. The port is not open by
  default. If the port is open, make sure it is not used by anything else on that server, which would cause a
  conflict with the Gateway.
• Do a pcap between the Gateway and the RADIUS client to examine the traffic and identify errors.
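An added check (not WatchGuard code) for the port conflict described in the list above: it tries to bind the UDP port the Gateway RADIUS service would use and reports whether another process on the server already owns it. It assumes the standard RADIUS authentication port, UDP 1812; substitute the port configured for the Gateway if it differs.

```python
"""Check whether the RADIUS UDP port is free on the Gateway server.
Added example, not WatchGuard code. Assumes the Gateway RADIUS service
listens on the standard RADIUS authentication port, UDP 1812."""
import socket

RADIUS_PORT = 1812  # standard RADIUS authentication port (assumed for the Gateway)

def udp_port_available(port, host="0.0.0.0"):
    """Return True if nothing on this host is bound to UDP `port`.

    A failed bind means another process already owns the port, which would
    conflict with the Gateway RADIUS service when it tries to start."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def check_radius_port(port=RADIUS_PORT):
    """Return a one-line result for the administrator running the check."""
    if udp_port_available(port):
        return f"UDP {port} is free: the Gateway RADIUS service can bind it"
    return (f"UDP {port} is in use: either the Gateway RADIUS service already "
            f"holds it, or another process must be stopped or reconfigured")

if __name__ == "__main__":
    print(check_radius_port())
```

Run it on the Gateway server with the Gateway RADIUS service stopped; if the port is reported in use at that point, some other process owns it.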

Troubleshoot LDAP Authentication
Look at log messages:

• In the LDAP logs on the Gateway, look for:
  ◦ Connectivity test results
  ◦ Synchronization events
  ◦ User authentication requests
  ◦ Errors with connections to the domain controller
• In the WatchGuard Cloud audit logs, look for:
  ◦ LDAP external identity configuration changes
  ◦ LDAP user synchronization errors

Other things to try:

• If the Gateway is installed on a different server than the LDAP/AD server, do a pcap between the Gateway
  and the LDAP/AD server to verify that an LDAP response comes back.

Troubleshoot AuthPoint Agents for Windows and Mac
When an authentication error occurs, an error message might appear on the login page. The error message
includes the error code and request ID. Use the error code and request ID to find the error in the audit log.

Troubleshoot IdP Portal
To troubleshoot the IdP portal, ask the user for information about login errors. When authentication fails, an error
message appears on the login page. The bottom of the page shows the error code and request ID.

Use the error code and request ID to find the error in the audit log.

Troubleshoot AuthPoint Mobile App
To troubleshoot the mobile app, ask the user for information about login errors. When an authentication error
occurs, the mobile device shows an error message that includes the error code. Errors are useful for
troubleshooting, because you can look for the error code in the audit log.

In the mobile app, the user can also see token details. Make sure that:

• Push Status is Registered.
• Time Reference is the correct time.

If needed, the user can select the Sync Token option to resynchronize the time and status of a token with the
server.

Troubleshoot ADFS
To troubleshoot ADFS, the most useful information is in:

• Event Viewer on the computer where the ADFS Agent is installed
• Audit logs in WatchGuard Cloud

Less useful information is in:

• ADFS log file on the AuthPoint Gateway
• ADFS agent log file

Troubleshoot RD Web
The AuthPoint Agent for RD Web runs as a service on the RD Web server. Make sure the WatchGuard
AuthPoint RD Web Core service is running.

The most useful tools include:

• IIS server log files — For information about user authentication to the RD Web portal
• Event Viewer for Remote Desktop Services — For information about user connections to RD Web
  hosted resources
• AuthPoint audit logs — For events for RD Web user authentication

Additional Resources
This guide provides a summary of the basic information covered in training classes, videos, and product documentation.
To increase your skills and knowledge, we recommend that you get hands-on practice with the products and review
other technical resources. This appendix provides a list of additional resources but you should explore the product
documentation for additional details beyond the suggested topics.

Videos referenced below are in the Multi-Factor Authentication Essentials course. This course is available on the
WatchGuard Portal (login required).

To see the videos:

• Partners — Log in to the Learning Center and go to Technical Training > Network Security > Network
  Security Essentials.
• End users — Go to the Courseware page in WatchGuard Support Center.

You can find AuthPoint Help in the WatchGuard Help Center.

Introduction to AuthPoint
Video:

• Authentication Basics
• Introduction to AuthPoint

Help Center:

• Quick Start — Set Up AuthPoint
• AuthPoint Deployment Guide

AuthPoint Mobile App
Help Center:

• Activate a Software Token
• AuthPoint for End-Users

AuthPoint Resources
Video:

• AuthPoint Basic Resources — RADIUS Client, Logon App, IdP Portal
• AuthPoint Advanced Resources — SAML, ADFS, RD Web

Help Center:

• About Resources
• RADIUS Client Resources
• Set Up the Logon App
• SAML Resources
• MFA for ADFS
• Certificate Management
MFA Authentication Methods
Video:

• Authentication Basics

Help Center:

• About Authentication
• About Tokens

Groups and Users
Video:

• AuthPoint Users and Groups

Help Center:

• User Management
• Add a Group
• Assign Access Policies

AuthPoint Gateway
Video:

• AuthPoint and LDAP
• AuthPoint Gateway

Help Center:

• About Gateways

Hardware Tokens
Video:

• Hardware Tokens

Help Center:

• Third-Party Hardware Tokens
• User Management

Troubleshooting
Video:

• Troubleshooting AuthPoint

About the Multi-Factor Authentication Essentials Exam
The Multi-Factor Authentication Essentials exam tests your knowledge of the basic concepts of multi-factor
authentication and how to configure and manage multi-factor authentication and resources with WatchGuard AuthPoint.
This exam is appropriate for network administrators who have experience configuring and managing AuthPoint.

Key Concepts
To successfully complete the Multi-Factor Authentication Essentials exam, you must understand these key concepts:

AuthPoint Knowledge
• AuthPoint mobile app
• Resource configuration
• Group and user configuration
• LDAP and RADIUS integration
• Logon app
• Troubleshooting

General Authentication and Security Knowledge
• LDAP
• RADIUS
• SAML

Exam Description
Content
55 multiple choice (select one option), multiple selection (select more than one option), true/false, and matching
questions

Passing score
75% correct

Time limit
Two hours

Reference material
You cannot look at printed or online materials during the exam.

Test environment
This is a proctored exam, with two location testing options:

• Kryterion testing center
• Online, with virtual proctoring through an approved webcam

Prerequisites
The Multi-Factor Authentication video course or instructor-led course is recommended, but not required.

Prepare for the Exam
WatchGuard provides training and online courseware to help you prepare for the Multi-Factor Authentication Essentials
Exam. In addition to the training and courseware described in this document, we strongly recommend that you configure
and use AuthPoint multi-factor authentication before you begin the exam.

Instructor-Led Training
To get hands-on experience, we recommend that you attend an instructor-led training class. Classes are often held in-
region, sponsored by sales or a local WatchGuard distributor. We also offer complimentary VILT technology-based
training classes for partners. WatchGuard end-users can register for a class in our network of WatchGuard Certified
Training Partners (WCTPs).

• Partners — Register for training here (login required)
• End-users — View the current WCTP training schedule on the WatchGuard website

Self-Study Course (Video)
WatchGuard offers video-based courseware that you can use for self-study, or to reinforce instructor-led training. To
prepare for this exam, review the Multi-Factor Authentication Essentials course.

The Multi-Factor Authentication Essentials video course is available on the WatchGuard Portal (login required).

• Partners — This course is available in the Learning Center in the Partner Portal.
• End-users — This course is available in the Training & Certification section of WatchGuard Support Center.

Other Resources
Online Help
AuthPoint Help includes detailed information to expand on the principles presented in the Multi-Factor Authentication
training courseware.

For the knowledge categories included in the Assessment Objectives section, we recommend that you review the
corresponding content in the AuthPoint Help system.

You can find AuthPoint Help in the WatchGuard Help Center.

Assessment Objectives
The Multi-Factor Authentication Essentials Exam evaluates your knowledge of the categories in the subsequent list.
For each knowledge category assessed in this exam, the Weight column includes the approximate percentage of exam
questions from that knowledge category. Because some exam questions require skills or knowledge from more than
one category, the weights do not exactly correspond to the percentage of exam questions.

Each category below lists its description, the knowledge areas it covers, and its weight.

General (Weight: 10%)
Understand basic multi-factor authentication concepts that are not unique to AuthPoint.
• MFA basics
• Distinguished names
• Active Directory tools
• SAML roles

AuthPoint Configuration (Weight: 25%)
Understand how to set up AuthPoint.
• AuthPoint Gateway
• AuthPoint resources
• AuthPoint groups and users

RADIUS (Weight: 10%)
Understand how to configure RADIUS authentication.
• RADIUS communication
• RADIUS client resources
• RADIUS synchronization

Logon App (Weight: 15%)
Understand how to configure the Logon app.
• Logon app setup
• Logon app resources
• Logon app access policy
• Logon app MFA options

SAML (Weight: 15%)
Understand how to configure SAML authentication.
• SAML resource configuration
• SAML applications
• SAML and AuthPoint integration

LDAP (Weight: 15%)
Understand LDAP user databases.
• AuthPoint external identity
• LDAP synchronization
• LDAP user management

Troubleshooting (Weight: 10%)
Understand how to troubleshoot AuthPoint.
• User authentication
• LDAP synchronization
• AuthPoint Gateway
• RADIUS client
Sample Exam Questions
The Multi-Factor Authentication Essentials exam includes multiple choice, multiple selection, true/false, and matching
questions. This section provides examples of the types of questions to expect on the exam. Answers to each question
appear on the last page.

Questions
1. Which of these must a RADIUS client have in order to connect to a RADIUS server? (Select two.)
a. The correct IP address known to the RADIUS server
b. The public key of the RADIUS server
c. The shared secret configured on the RADIUS server
d. The certificate of the RADIUS server
e. The administrator account credentials on the RADIUS server
2. How do you specify the domain example.local in an LDAP query? (Select one.)
a. ou=example,dc=local
b. dc=example,ou=local
c. dc=example,dc=local
d. ou=example,ou=local
e. ou="example.local"
3. Which of these authentication factors is the least secure for MFA? (Select one.)
a. Hardware token
b. Software token
c. QR code
d. Push notification
e. SMS
4. You must install the AuthPoint Gateway on an existing RADIUS or LDAP server.
a. True
b. False

5. On the AuthPoint Users page, what does the yellow dot next to a user name indicate? (Select one.)
a. The user account is locked.
b. The user account is blocked.
c. The user account is quarantined.
d. The user forgot their token.
e. The user account is not yet activated.

6. The AuthPoint Gateway functions as both __________ and __________? (Select two.)
a. an LDAP client
b. an LDAP server
c. a RADIUS client
d. a RADIUS server

7. Where do you configure the query AuthPoint uses to synchronize users from an LDAP server? (Select one.)
a. Management > Resources
b. Management > External Identities
c. Management > Gateway
d. General > Download
e. General > Settings

8. AuthPoint only imports LDAP users that have an email address.
a. True
b. False
9. Where do you specify the allowed authentication methods for a resource? (Select one.)
a. In the resource configuration
b. In the access policy configuration
c. In the user configuration
d. In the Logon app configuration
e. In the IdP portal resource
10. What is the AuthPoint metadata used for? (Select one.)
a. To configure SAML authentication with a third-party service provider
b. To configure the Logon app for user authentication on a Windows computer
c. To configure token security for the AuthPoint Mobile App
d. To configure a VPN client to use AuthPoint for MFA

Answers
Note: Many exam questions test knowledge in more than one area.

1. a, c
2. c
3. e
4. b (False)
5. c
6. a, d
7. b
8. a (True)
9. b
10. a
