How to - Configure your On-Prem firewall to work with the Passwordless VPN SASE service

Last modified on 19 Jan, 2023. Revision 40
Up to date for: Clavister Cloud Services
Status: OK
Author: Firas Aladhami / Thomas Vasen


This guide describes how to configure your On-Prem NetWall firewall to work with the Passwordless VPN SASE service in two ways: by importing a configuration script, or manually through the WebUI.

The guide uses our example company ShieldIT as <company_name> throughout the different steps.

The guide assumes you have already activated the Passwordless RADIUS Authentication Add-on service under InCenter and have obtained/copied the credentials and access information (see the related articles below for activating the Passwordless RADIUS Authentication Add-on service under InCenter).

The guide assumes you already have a working OneConnect tunnel configuration (see the related articles below for setting up OneConnect interfaces in NetWall).


Set up your On-Prem NetWall firewall

The NetWall firewall configuration provided in the following instructions (script way and WebUI way) enables your firewall to relay the RADIUS authentication traffic initiated by the OneConnect tunnel (OneConnect clients) towards the SASE service via an IPsec tunnel. The IPsec tunnel and all its related routing configuration use the virtual routing capabilities in NetWall to isolate this routing from the current firewall setup and avoid any potential routing conflicts.

The script way

1- Download the following script file:

sase_passwordlessvpn_netwall_configs.sgs

Make sure you have obtained/copied the credentials and access information from the Passwordless RADIUS Authentication Add-on service tab under InCenter. This information is needed for the next steps.


2- Edit the downloaded script file with your favorite text editor.


3- Change the following values to the values provided to you by Clavister. Values that require a change are marked as <change me>:

Example:


4- Change the following value to a NetWall IPv4 address object that corresponds to a local user network behind the firewall (e.g. the LAN network):

Example:

Avoid using an address from the CIDR range 172.20.1.0/26 for this object.


5- Save the file changes.
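Before importing the edited script, it is worth checking the three things steps 3 and 4 (and the "Type: Hex" pre-shared key in the WebUI way) ask for: that no <change me> placeholder is left, that the chosen local user network stays clear of 172.20.1.0/26, and that the IPsec pre-shared key is a hex string. The pre-flight script below is an added example, not Clavister's code; the sample script lines it scans are constructed for illustration and do not reproduce the real .sgs file's contents or syntax.

```python
import ipaddress
import re

# From the guide: the local user network object must not come from this range.
RESERVED_RANGE = ipaddress.ip_network("172.20.1.0/26")
# Placeholder the guide says the downloaded script uses for values you must fill in.
PLACEHOLDER = "<change me>"


def find_placeholders(script_text):
    """Return (line_number, line) for every script line still carrying <change me>."""
    return [(n, line.strip())
            for n, line in enumerate(script_text.splitlines(), start=1)
            if PLACEHOLDER in line]


def local_network_ok(cidr):
    """True if the chosen local user network does not overlap 172.20.1.0/26."""
    return not ipaddress.ip_network(cidr, strict=False).overlaps(RESERVED_RANGE)


def psk_is_hex(psk):
    """The IPsec PSK from InCenter is entered as Type: Hex; require a non-empty hex string."""
    return re.fullmatch(r"[0-9a-fA-F]+", psk) is not None


def preflight(script_text, local_net_cidr, psk):
    """Collect everything that would make the import fail or violate the guide's caveats."""
    issues = ["line %d: unfilled placeholder: %s" % (n, line)
              for n, line in find_placeholders(script_text)]
    if not local_network_ok(local_net_cidr):
        issues.append("%s overlaps the reserved range %s" % (local_net_cidr, RESERVED_RANGE))
    if not psk_is_hex(psk):
        issues.append("IPsec pre-shared key is not a hex string")
    return issues


# Constructed sample of a partly edited script; the lines are illustrative only,
# not the contents or syntax of the real sase_passwordlessvpn_netwall_configs.sgs.
SAMPLE_SCRIPT = """\
# SASE endpoint (hypothetical lines)
sase_fqdn=<change me>
ipsec_psk=0a1b2c3d4e5f
local_user_net=lan_net
"""

if __name__ == "__main__":
    for issue in preflight(SAMPLE_SCRIPT, "192.168.10.0/24", "0a1b2c3d4e5f"):
        print("FIX:", issue)
```

Run it against your own edited script text, the CIDR of the object you chose in step 4, and the key pasted in step 3; an empty result means the file is ready for Import Script.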


6- Log in to the NGFW admin interface.


7- Navigate to Status → Maintenance → Import Script.


Click on Browse…, then select and upload the script file edited and saved in the previous step.

You should get the following message:

Success! Execution completed successfully. You can now review and activate your new configuration.


8- Navigate to the Network → OneConnect object and edit it.

This guide assumes you already have a working OneConnect tunnel configuration (see the related articles below for setting up OneConnect interfaces in NetWall):
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core



9- Under CLIENT AUTHENTICATION, select the following settings:

- Authentication Source: RADIUS
- RADIUS Server: <the created RADIUS IP4 Address object>


10- Save and activate the NetWall configuration changes.


Done.

The WebUI way

On the Clavister NetWall NGFW you can now set up the OneConnect server with MFA authentication.

The NetWall software requires a password before sending the authentication request to the RADIUS server; this password is, however, not used or validated in this service setup. For a fully passwordless flow you must install cOS Core version 14.XXX, where this field is no longer mandatory.

Make sure you have obtained/copied the credentials and access information from the Passwordless RADIUS Authentication Add-on service tab under InCenter. This information is needed for the next steps.

First, log in to the NGFW admin interface.




– Service virtual routing related settings:

1- Create a “Routing table” object; the IPsec tunnel and RADIUS objects created further down will be members of it.



– Service IPsec tunnel related settings:

2- Create an “FQDN address” object for the SASE RADIUS endpoint:

Address: <paste the Service FQDN value obtained from InCenter>


3- Create a “Pre-Shared Key” object for the IPsec tunnel that connects to the SASE RADIUS endpoint:
Type: Hex
Passphrase: <paste the IPsec Pre-Shared Key value obtained from InCenter>


4- Create an “IP4 Address” object for the RADIUS IP, to be used next as the “Remote Network” of the tunnel:
Address: <paste the IP address value obtained from InCenter>



5- Create an “IPsec tunnel” object: navigate to Network → IPsec and add an IPsec tunnel.


Configure the tunnel settings as follows:

General:

- IKE Version: IKEv2

- Local Network: <any local network of your choice>
- Remote Network: <the created RADIUS IP4 Address object>
- Remote Endpoint: <the created FQDN address object>


Authentication:

- Authentication Method: Pre-shared key


IKE (Phase-1):

- Diffie-Hellman Group: 14 (2048-bit)
- Algorithms: High
- Lifetime: 28800
- Auto Establish: checked


IKE (Phase-2):

- Diffie-Hellman Group: 14 (2048-bit)
- Algorithms: High
- Lifetime: 3600


Virtual routing:

Choose “Make interface a member of a specific routing table” and select the routing table object created above.


Advanced:

Add Route Statically: checked


– User authentication related settings:

6- Navigate to Policies → USER DIRECTORIES.


Create a “RADIUS” object with the following settings:

- IP Address: <the created RADIUS IP4 Address object>
- Port: 1812
- Source IP Selection: Automatic
- Retry Timeout: 20
- Shared Secret: <paste the RADIUS Pre-Shared Key value obtained from InCenter>
- Routing table: <select the routing table object created above>


7- Navigate to the Network → OneConnect object and edit it.

This guide assumes you already have a working OneConnect tunnel configuration (see the related articles below for setting up OneConnect interfaces in NetWall):
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core



8- Under CLIENT AUTHENTICATION, choose the following settings:

- Authentication Source: RADIUS
- RADIUS Server: <the created RADIUS IP4 Address object>

To set up TLS certificates in cOS Core (required for SSL VPN connections from the OneConnect client to work), see the following article for more information: https://kb.clavister.com/346360399/configuring-public-certificates-in-netwall


9- Save and activate the NetWall configuration changes.


Configure the OneConnect Client

Consider checking the linked articles on configuring and troubleshooting the OneConnect client.

Consider visiting the following article on how to add local users to the SASE service: https://kb.clavister.com/346362975/how-to---manage-local-users-for-the-sase-service

Related articles

Configure Clavister OneConnect using deep links (13 Jun, 2022; tags: oneconnect macos ios windows android)
Configure Clavister OneConnect for macOS, iOS and iPadOS towards NetWall (29 Oct, 2021; tags: sslvpn openconnect oneconnect macos ios netwall)
Configuring public certificates in NetWall firewalls (23 Aug, 2022; tags: core certificate oneconnect ipsec vpn)
Configure the Android OpenConnect client towards Clavister NetWall (23 Aug, 2022; tags: sslvpn openconnect oneconnect android core)
Configure Clavister OneConnect for Windows towards Clavister NetWall (29 Oct, 2021; tags: sslvpn openconnect oneconnect windows)
Lets Encrypt - error 9814 - chain had an expired certs (13 Oct, 2021; tags: oneconnect macos openconnect ios)
Configure Linux OpenConnect towards Clavister NetWall (5 Mar, 2021; tags: sslvpn openconnect oneconnect linux core)
Configuring SSL-VPN / OneConnect server on secondary Firewall IP address (8 Apr, 2021; tags: core sslvpn oneconnect interfaces arp)
OneConnect VPN certificate not trusted (22 Aug, 2022; tags: onetouch sslvpn oneconnect)
Install OneConnect without Microsoft store (25 Feb, 2022; tags: oneconnect windows howto)
Changing the certificate used by the OneConnect client/server (28 Nov, 2022; tags: core configuration oneconnect)
Clavister OneConnect server using cOS Core as CA Server (14 Sep, 2022; tags: oneconnect certificate howto)
Configure the OpenConnect-GUI client towards Clavister NetWall (23 Aug, 2022; tags: sslvpn openconnect oneconnect macos windows linux core)