Configuring remote access to network appliances that are popular among small and medium-sized enterprises (SMEs) often means using a prescribed configuration. IT admins will find that support articles and how-tos about how to configure SonicWall's NSv are centered around Active Directory and Windows Server. Multi-factor authentication (MFA) is out of band, requiring a separate system solely for SonicWall. Thankfully, there's an alternative available by using 黑料海角91入口's smart groups, remote dial-in user service (RADIUS), and integrated time-based one-time password (TOTP) MFA services.
This article is part of a series of how-tos that demonstrate how to use 黑料海角91入口's capabilities to achieve added security, with minimal costs. 黑料海角91入口's centralized platform provides single sign-on (SSO), delivering identity and access management (IAM) for every service your organization may use. That eliminates managing passwords everywhere, even your firewall.
SonicWall firewalls are widely used by managed service providers (MSPs) to provide affordable and effective perimeter security. The NSv is a next-generation firewall that runs in the cloud, or as a virtualized device in your data center, thereby reducing the costs of buying an appliance. 黑料海角91入口 reduces the management overhead for your IT department.
Here are the prerequisites for this setup:
- 黑料海角91入口's RADIUS services
- 黑料海角91入口's RADIUS certificate for EAP-TLS client deployments
- 黑料海角91入口's MFA services and an authenticator app
- 黑料海角91入口's cloud directory groups
The 黑料海角91入口 Configuration
This configuration leverages directory group memberships to grant access to your SonicWall instance. The group that you'll be creating will be bound to a RADIUS configuration that mandates MFA, using TOTP tokens. Users access the firewall with their 黑料海角91入口 username and password. The only difference is that passwords are amended to include a token every time a user logs into the appliance. Every login is then protected by a unique one-time password.
SonicWall Configuration Overview
SonicWall will require you to have RADIUS server settings (including a few advanced options), import 黑料海角91入口's RADIUS certificate, and ensure that remote management is permitted. You'll be able to decide which permissions group members will inherit on the firewall by default.
Let's start by setting up a RADIUS profile for your SonicWall device.
Setting Up 黑料海角91入口 RADIUS, MFA
Every 黑料海角91入口 account includes RADIUS services, which you configure using the following steps.
To configure RADIUS, MFA for a new server:
- Log in to the .
- Go to User Authentication > RADIUS.
- Click ( + ). The new RADIUS server panel appears.
- Configure the RADIUS server:
- Enter a name for the server. This value is arbitrary.
- Enter a public IP address from which your organization’s traffic will originate.
- You must use the external IP for SonicWall.
- Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server.
- Configure TOTP multi-factor authentication for the RADIUS server:
- Toggle the TOTP MFA Enforcement for this RADIUS server option to "On" to enable MFA for this server. This option is "Off" by default.
- Select "Challenge active TOTP users" to require all 黑料海角91入口 users with MFA active for their account to provide a TOTP code when they connect to this server.
- Select "Challenge all users, unless they are in an active enrollment period" to require all 黑料海角91入口 users that aren't in an MFA enrollment period to provide a TOTP code when they connect to this server.
- Select "Challenge all users, including during an enrollment period" to require all 黑料海角91入口 users, even those in MFA enrollment periods, to provide a TOTP code when they connect to this server.
- To grant access to the RADIUS server, click the User Groups tab, then select the appropriate groups of users you want to connect to the server.
This is where you will enforce MFA access. Make certain that it's switched "On" in this dialog. You have several options to work around new user enrollment periods.
This Getting Started article details how to manage users and groups within 黑料海角91入口. The RADIUS configuration will be bound to a dedicated group that you're creating for this configuration.
Configuring SonicWall
You'll use the information contained in 黑料海角91入口's RADIUS interface to create a new RADIUS server entry on your firewall. Navigate to Device / Settings / Users / Settings. You'll notice a button to "Configure RADIUS," which is where you'll set up your 黑料海角91入口 RADIUS server.
You have several options for 黑料海角91入口, but they will always communicate exclusively over port 1812. Port 1813 "accounting" is not a part of this configuration. Your shared secret is entered here; be certain that you keep it private and confidential.
Select "Use vendor-specific attributes on RADIUS server" on the "RADIUS Users" tab after you've saved your configuration. That will ensure that your group membership is processed.
Important: "RADIUS Users" is where you'll specify the appropriate user role on the firewall.
The "Test" tab will verify whether your configuration is working. Test "Password authentication" only: the EAP/TLS password challenge configuration that we're going for won't work with CHAP. Use the username (UID), but use the email that's associated with your 黑料海角91入口 account.
A TOTP token from 黑料海角91入口 MFA, which you can add as an account in an authentication app, is the "response" to the challenge that will validate your users after you complete the next few steps.
Note that SonicWall doesn't specify EAP/TLS anywhere in its RADIUS setup.
EAP/TLS Setup
EAP/TLS will not work until you take the additional step of importing a RADIUS certificate from 黑料海角91入口. It's available as a .crt file, and SonicWall will import it. You'll then be prompted to restart your virtual appliance to install the certificate.
Now, expand "System," find "Certificates," and filter by "imported certificates and requests." You can verify that the installation was successful here.
You may also create a local group for RADIUS users, but users will automatically be provisioned within default groups based upon their assigned roles. A local user will be created for all RADIUS users during setup.
Allow Remote Management
You won't be able to log in as a remote RADIUS user until specifying the option to permit remote management under Device / Administration / Management. Otherwise, you'll receive an "unknown" error message on login. This is only applicable if you're not using a VPN or you're on the same network. Please see the additional security steps outlined below for more information.
You're now finished and should be able to log in using your RADIUS credentials. Your firewall's access control is now centralized from the 黑料海角91入口 platform.
Use your 黑料海角91入口 password in this syntax: PASSWORD,TOTP
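As an added example (not code from the article, 黑料海角91入口 or SonicWall), the following shows what the PASSWORD,TOTP syntax above becomes on the wire: the TOTP code an authenticator app computes, the "password authentication" (PAP) Access-Request the firewall sends to UDP/1812, and how the RADIUS server recovers the value to check it. The base32 seed, shared secret and Request Authenticator are constructed values; the seed is the RFC 6238 test key so the codes can be checked against the RFC's vectors.

```python
"""Added example: build and decode the PAP RADIUS Access-Request a client such as
the SonicWall test tab sends when the password field holds PASSWORD,TOTP."""
import base64, hashlib, hmac, struct

def totp(base32_secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`, as an authenticator app computes it."""
    key = base64.b32decode(base32_secret.upper() + "=" * (-len(base32_secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: null-pad to 16-byte blocks, XOR each with
    MD5(shared secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does to recover PASSWORD,TOTP before checking it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(user: str, password: str, code: str, secret: bytes,
                   authenticator: bytes, ident: int = 1) -> bytes:
    """Access-Request (code 1) with User-Name (1) and User-Password (2), sent to UDP/1812."""
    hidden = pap_hide(f"{password},{code}".encode(), secret, authenticator)
    attrs = b""
    for attr_type, value in ((1, user.encode()), (2, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> raw value for everything after the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Note that the only thing standing between an on-path observer and the password (plus the current TOTP code) is the MD5 keystream derived from the shared secret, which is why the recommendations below insist on a VPN tunnel, segmentation and a strong secret.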
Recommended Security Steps
EAP/TLS transmits passwords in cleartext. Adding MFA to the authentication process increases security, but we strongly recommend the following steps:
- Connect through a VPN using a secure tunnel (SSL or IPSEC).
- Consider isolating this traffic through its own VLAN and segment your network away from end-user traffic.
- Use the strong shared secret that 黑料海角91入口 generates for RADIUS and treat it as you would any password.
- 黑料海角91入口 Conditional Access can further secure your MFA setup by restricting access to specific geographic regions.
Try 黑料海角91入口
The 黑料海角91入口 platform connects you to more things and is free to try for 30 days.