MFA for WatchGuard
WatchGuard Mobile VPN (SSL, IKEv2, and IPSec) on the Firebox authenticates users against RADIUS, but the appliance itself offers no second factor. A leaked or reused password is enough to bring up a tunnel. Authnull sits in front of the Firebox RADIUS exchange and enforces MFA on Mobile VPN logins and device administration. You add Authnull as a RADIUS server, enable it for Mobile VPN authentication, and a factor is required before the connection completes.
WatchGuard forwards the login; Authnull adds the factor.
The Firebox forwards the login to Authnull over RADIUS; Authnull validates the credentials against your directory, challenges for the factor, and returns Access-Accept. Use a longer RADIUS timeout so the request does not expire while the user approves the push.
Configure MFA for WatchGuard
Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 15 minutes.
Add the RADIUS server
In Policy Manager or Fireware Web UI, add Authnull as a RADIUS server with its IP, port, and shared secret.
Enable RADIUS for Mobile VPN
Set the Mobile VPN authentication server to RADIUS so remote logins are validated through Authnull.
Map groups to VPN policy
Configure the RADIUS group names that are allowed Mobile VPN access so the right users are challenged.
Save and test
Save the configuration and connect with the WatchGuard VPN client using a test account; approve the factor to complete the tunnel.
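An added example, not code from the original page, Authnull, or WatchGuard: a minimal RADIUS PAP client for the test step, run from an admin host to confirm the server address, port, and shared secret, and to see which group names come back. It assumes the RADIUS server accepts requests from that host, that groups are returned in Filter-Id (attribute 11), and a constructed 60-second timeout; user, password, and secret are passed as bytes.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # attribute types

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident, req_auth):
    pairs = ((USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_response(resp, secret, ident, req_auth):
    """Return (code, Filter-Id values); raise ValueError if the reply is not authentic."""
    if len(resp) < 20:
        raise ValueError("short reply")
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        raise ValueError("identifier or length mismatch")
    # Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or spoofed reply")
    groups, i = [], 20
    while i + 2 <= length:
        typ, alen = resp[i], resp[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        if typ == FILTER_ID:
            groups.append(resp[i + 2:i + alen].decode("utf-8", "replace"))
        i += alen
    return code, groups

def check_login(server, port, secret, user, password, timeout=60.0):
    """Send one Access-Request and wait up to `timeout` seconds for the factor approval."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # assumed value; long enough for a push approval
        s.sendto(build_access_request(user, password, secret, ident, req_auth), (server, port))
        resp, _ = s.recvfrom(4096)
    return parse_response(resp, secret, ident, req_auth)
```

Call `check_login` with the test account and approve the factor: a result whose code equals `ACCESS_ACCEPT` and whose group list contains the name mapped to the VPN policy confirms the secret and group mapping, while a `socket.timeout` before approval means the timeout is too short.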
Closes the MFA gap auditors look for
Enforcing MFA on WatchGuard gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
Add MFA to WatchGuard — free to start.
Spin up Authnull, point WatchGuard at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.