WatchGuard Support Center

Knowledge Base - Article

 Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory

How do I configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory?

Use these steps to configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS authentication. Network Policy Server (NPS) is the Microsoft implementation of RADIUS. This article applies to all mobile VPN methods on the Firebox.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.


  • Install and enable Network Policy Server (NPS), which is part of Network Policy and Access Services, on Windows Server 2016 or 2012 R2.
  • Disable Windows Firewall, or configure it to allow RADIUS traffic on port 1812.
  • Create a Security Group in Active Directory for your mobile users. The default mobile VPN user groups on the Firebox are IKEv2-Users, L2TP-Users, and SSLVPN-Users. If you use these default groups, create groups with the same names in Active Directory. Mobile VPN with IPSec does not have a default user group on the Firebox. 

Register the NPS Server 

For NPS to access Active Directory user account credentials, you must register the NPS server in Active Directory.

  1. On the server running NPS, launch Server Manager.
    The Server Manager window appears.
  2. Select Tools > Network Policy Server.
    The Network Policy Server window appears.
  3. Right-click NPS (Local) and select Register server in Active Directory.
    The Network Policy Server dialog box appears.
  4. Click OK. The server is now registered in Active Directory.

Add the Firebox as a RADIUS Client

Next, you must add the Firebox as a RADIUS client in the Network Policy Server settings.

  1. Expand RADIUS Clients and Servers.
  2. Right-click RADIUS Clients and select New.
    The New RADIUS Client dialog box appears.
  3. In the Friendly name text box, type a name to identify your Firebox. This does not have to match the system name or hostname.
  4. In the Address text box, type the IP address or resolvable domain name of your Firebox.
  5. In the Shared Secret section, do one of the following:
    • Select Manual. Type a shared secret in the Shared secret text box. Type the secret again in the Confirm shared secret text box.
    • Select Generate. To automatically generate a strong shared secret, click the Generate button. Copy the shared secret that appears to your Firebox.
    Screen shot of the New RADIUS Client dialog box
  6. Click OK.
  7. To verify that your Firebox is listed as a RADIUS client, in RADIUS Clients and Servers, select RADIUS Clients.
    The name and IP address of your Firebox appears in the RADIUS Clients list.
    Screen shot of the list of RADIUS clients

Configure a Network Policy

Next, in the network policy, you configure one or more conditions. Conditions determine whether NPS authorizes connection requests from users. If you configure multiple conditions, all conditions must be true for NPS to enforce the policy. If you have more than one network policy, the order of policies in the list does not affect enforcement. 
  1. Expand Policies and right-click Network Policies.
  2. Select New.
    The New Network Policy wizard appears.
  3. In the Policy Name text box, type a descriptive name for the policy. In our example, we name the policy VPN Policy.
  4. Keep all default settings and click Next
  5. On the Specify Conditions page, click Add.
  6. Select a condition to restrict connections. In our example, we select User Groups. You can specify other conditions as well. 
  7. Click Add > Add Groups.
  8. In the Enter the object name to select text box, type the group name. In our example, we specify IKEv2-Users. You can specify more than one group. 
  9. Click Check Names.
  10. Click OK, and then click OK again.
    The user group you specified appears in the Conditions list.
  11. To add more groups, click Add and repeat Steps 5─10.
  12. Click Next.
  13. Keep the default value, which is Access granted.
  14. Click Next.
    The Configure Authentication Methods dialog box appears.
  15. For Mobile VPN with IKEv2 or Mobile VPN with L2TP, keep MS-CHAP-v2 selected. MS-CHAP-v2 is required for these VPN types.
  16. For Mobile VPN with SSL or Mobile VPN with IPSec, select Unencrypted Authentication (PAP, SPAP). PAP/SPAP is required for these mobile VPN types.
  17. (Optional) For all mobile VPN types, clear the check box for MS-CHAP. The Firebox does not require or use MS-CHAP for mobile VPN connections. 
  18. Clear the User can change password after it has expired check boxes. We do not support this option.
  19. Click Next.
    The Configure Constraints dialog box appears.
  20. Keep the default values on the Configure Constraints dialog box.
  21. Click Next.
    The Configure Settings dialog box appears.
  22. Click Add.
    The Add Standard RADIUS Attribute dialog box appears.
  23. Select Filter-Id.
  24. Click Add, and then click Add again.
  25. Type the user group name you specified earlier. In our example, we type IKEv2-Users. The NPS server sends this list of filter IDs to the Firebox.
  26. Click OK.
  27. To add more groups as filter IDs, click Add and repeat Steps 2425.
  28. Click Close.
  29. Click Next.
    Completed Network Policy wizard
  30. Click Finish.

Allow Server Access

In Network Policy Server, complete these steps.

  1. Expand Policies and select Network Policies.
  2. Right-click Connections to other access servers and click Properties.
    The Connections to other access servers dialog box appears.
  3. Select Grant access. Click OK.
    Screen shot of Connections to other access servers policy

Configure Your Firebox

After you set up NPS, configure your Firebox. You must use the shared key that you specified in the NPS configuration. To set up your Firebox, see Configure RADIUS Server Authentication in Fireware Help.

See Also

About Mobile VPN with IKEv2 User Authentication in Fireware Help
About L2TP User Authentication in Fireware Help
Use Multi-Factor Authentication with Mobile VPNs in Fireware Help
Firebox Mobile VPN with IKEv2 Integration with AuthPoint in Fireware Help
Firebox Mobile VPN with SSL Integration with AuthPoint in Fireware Help
Firebox Mobile VPN with IPSec Integration with AuthPoint in Fireware Help