This guide describes how to configure your On-Prem NetWall firewall to work with the Passwordless VPN SASE service in two ways:
- The script way - by uploading a script file to the NetWall instance in question (user changes/input are required for certain values in the script)
- The WebUI way - by applying the configuration via NetWall’s WebUI
The guide uses our example company ShieldIT as <company_name> throughout the different steps.
The guide assumes you have already activated the Passwordless RADIUS Authentication Add-on service under InCenter, and you have obtained / copied the credentials/access information (See related articles below for activating Passwordless RADIUS Authentication Add-on service under InCenter)
The guide assumes you already have working OneConnect tunnel configurations (See related articles below for setting up OneConnect interfaces in NetWall)
Set up your On-Prem NetWall firewall
The NetWall firewall configurations provided in the following instructions (script way and WebUI way) enable your firewall to relay the RADIUS authentication traffic initiated by the OneConnect tunnel (OneConnect clients) towards the SASE service via an IPsec tunnel. The IPsec tunnel and all its related routing configuration use the virtual routing capabilities in NetWall to isolate this routing from the current firewall setup and avoid any potential routing conflicts.
The script way
1- Download following script file:
sase_passwordlessvpn_netwall_configs.sgs
2- Edit the downloaded script file with your favorite text editor
3- Change the following values to the values provided to you by Clavister; values that require a change are marked as <change me>:
- FQDNAddress sase_radius_ep Address=<change me>
This value corresponds to the Service FQDN value obtained from InCenter
- IP4Address sase_radius_ip Address=<change me>
This value corresponds to the IP address value obtained from InCenter
- PSKHex=<change me>
This value corresponds to the IPsec Pre-Shared Key value obtained from InCenter
- SharedSecret=<change me>
This value corresponds to the RADIUS Pre-Shared Key value obtained from InCenter
Example:
- FQDNAddress sase_radius_ep Address=radius.sase.eu
- IP4Address sase_radius_ip Address=10.223.11.12
- PSKHex=3ccb660224092b7042ebc49bb4d3a91480e9f950a05420bf154f1b124345f0044739a9d018f93234f7e1b527a556347deb64ae6f1f2470a9cdab15c84577044a
- SharedSecret=4c80797631c3c0bc79d21b79a63572c49296ca334d10b77b45f5f8790c8a9974e110e0d06545133e3702d20303595702f53d576b1b6735bfead64dc59d213c17
4- Change the following value to a NetWall IPv4 address object that corresponds to a local user network behind the firewall (e.g. LAN Network)
- LocalNetwork=<change me>
Example:
- LocalNetwork=InterfaceAddresses/LAN1_net
5- Save file changes
6- Log in to the NGFW admin interface.
7- Navigate to Status → Maintenance → Import Script
Click on Browse…, then select and upload the script file edited and saved in the previous step.
You should get the following message:
Success! Execution completed successfully. You can now review and activate your new configuration.
8- Navigate to Network → OneConnect object, and edit it
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core
9- Under CLIENT AUTHENTICATION, select the following settings:
- Authentication Source: RADIUS
- RADIUS Server: <the created RADIUS IP4 Address object >
10- Save and Activate NetWall configuration changes
Done.
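Steps 3 and 4 above are a manual find-and-replace, and a script uploaded with a leftover <change me>, a mistyped IP address or a non-hex pre-shared key fails only after import. The following Python script is an added example, not Clavister's script or tooling: it fills the placeholders from a dictionary, validates each value (FQDN syntax, IPv4 syntax, hex-only PSK, whitespace-free RADIUS secret, NetWall object reference for LocalNetwork) and refuses to produce output if any placeholder is left. The TEMPLATE is a constructed stand-in containing only the lines the guide says to change; the field names and validators are this example's own assumptions, and the example values are the ones quoted in the guide.

```python
"""Fill the <change me> placeholders of the NetWall .sgs script before upload.

Added example, not Clavister's own tooling. It assumes the script file uses
the KEY=<change me> lines quoted in the guide; every other line in the file
is passed through unchanged.
"""
import ipaddress
import re

PLACEHOLDER = "<change me>"

# Constructed stand-in for sase_passwordlessvpn_netwall_configs.sgs: only the
# lines the guide says to change. The real file has more lines around them.
TEMPLATE = """\
FQDNAddress sase_radius_ep Address=<change me>
IP4Address sase_radius_ip Address=<change me>
PSKHex=<change me>
SharedSecret=<change me>
LocalNetwork=<change me>
"""

# The guide's own example values (keys in a real deployment come from InCenter).
EXAMPLE_VALUES = {
    "service_fqdn": "radius.sase.eu",
    "service_ip": "10.223.11.12",
    "ipsec_psk_hex": "3ccb660224092b7042ebc49bb4d3a91480e9f950a05420bf154f1b124345f0044739a9d018f93234f7e1b527a556347deb64ae6f1f2470a9cdab15c84577044a",
    "radius_secret": "4c80797631c3c0bc79d21b79a63572c49296ca334d10b77b45f5f8790c8a9974e110e0d06545133e3702d20303595702f53d576b1b6735bfead64dc59d213c17",
    "local_network": "InterfaceAddresses/LAN1_net",
}

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"          # one DNS label, no leading/trailing '-'
_FQDN_RE = re.compile(rf"{_LABEL}(\.{_LABEL})+")  # at least two labels
_OBJECT_REF_RE = re.compile(r"[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*")  # e.g. Folder/Object


def is_fqdn(v: str) -> bool:
    return len(v) <= 253 and _FQDN_RE.fullmatch(v) is not None


def is_ipv4(v: str) -> bool:
    try:
        ipaddress.IPv4Address(v)
        return True
    except ValueError:
        return False


def is_hex_key(v: str) -> bool:
    # PSKHex must be hex digits only and describe whole bytes.
    return re.fullmatch(r"[0-9a-fA-F]+", v) is not None and len(v) % 2 == 0


def is_secret(v: str) -> bool:
    # A pasted secret with a stray space or newline would silently mismatch the server.
    return bool(v) and re.search(r"\s", v) is None


def is_object_ref(v: str) -> bool:
    return _OBJECT_REF_RE.fullmatch(v) is not None


# field name -> (pattern locating exactly that placeholder, validator for its value)
FIELDS = {
    "service_fqdn": (re.compile(r"(FQDNAddress sase_radius_ep Address=)<change me>"), is_fqdn),
    "service_ip": (re.compile(r"(IP4Address sase_radius_ip Address=)<change me>"), is_ipv4),
    "ipsec_psk_hex": (re.compile(r"(PSKHex=)<change me>"), is_hex_key),
    "radius_secret": (re.compile(r"(SharedSecret=)<change me>"), is_secret),
    "local_network": (re.compile(r"(LocalNetwork=)<change me>"), is_object_ref),
}


def remaining_placeholders(text: str) -> int:
    return text.count(PLACEHOLDER)


def fill_script(template: str, values: dict) -> str:
    """Return the template with every placeholder replaced by a validated value."""
    text = template
    for name, (pattern, valid) in FIELDS.items():
        if name not in values:
            raise ValueError(f"missing value for {name}")
        value = values[name]
        if not valid(value):
            raise ValueError(f"invalid value for {name}")
        # A callable replacement avoids backslash handling in the pasted value.
        text, count = pattern.subn(lambda m, v=value: m.group(1) + v, text)
        if count != 1:
            raise ValueError(f"expected exactly one placeholder for {name}, found {count}")
    if remaining_placeholders(text):
        raise ValueError("unfilled <change me> placeholder remains; do not upload")
    return text


def rejects(values: dict) -> bool:
    """True when fill_script refuses the given values (used for self-checks)."""
    try:
        fill_script(TEMPLATE, values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    filled = fill_script(TEMPLATE, EXAMPLE_VALUES)
    # Report only shape, not content: the output contains both shared secrets.
    print(f"filled script: {len(filled.splitlines())} lines, "
          f"{remaining_placeholders(filled)} placeholders left")
```

Run it against the real downloaded file by reading it into TEMPLATE instead of the constructed stand-in; every extra line passes through untouched, and a ValueError means the file is not ready for Status → Maintenance → Import Script. The filled output contains the IPsec PSK and RADIUS secret, so write it only to a location with the same protection you would give the downloaded InCenter credentials.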
The webui way
On the Clavister NetWall NGFW you can now set up the OneConnect server with MFA authentication.
First, log in to the NGFW admin interface.
– Service virtual routing related setting:
1- Create a “Routing table” object that the IPsec tunnel and RADIUS firewall objects further down will be part of
– Service IPsec tunnel related settings:
2- Create an “FQDN address” object for the SASE RADIUS endpoint
Address: <paste the Service FQDN value obtained from InCenter>
3- Create a “Pre-Shared Key” object for the IPsec tunnel that connects to the SASE RADIUS endpoint
Type: Hex
Passphrase: <paste the IPsec Pre-Shared Key value obtained from InCenter>
4- Create an “IP4 Address” object for the RADIUS IP, to be used next as the “Remote Network” object of the tunnel
Address: <paste the IP address value obtained from InCenter>
5- Create an “IPsec tunnel” object: navigate to Network → IPsec and add an IPsec Tunnel.
Configure the tunnel settings as follows:
General:
- IKE Version: IKEv2
- Local Network: <any local network of your choice>
- Remote Network: <the created RADIUS IP4 Address object >
- Remote Endpoint: <the created FQDN address object>
Authentication:
- Authentication Method: Pre-shared key
IKE (Phase-1):
- Diffie-Hellman Group: 14 (2048-bit)
- Algorithms: High
- Lifetime: 28800
- Auto Establish: checked
IKE (Phase-2):
- Diffie-Hellman Group: 14 (2048-bit)
- Algorithms: High
- Lifetime: 3600
Virtual routing:
choose: “Make interface a member of a specific routing table” and select the routing table object created above
Advanced:
Add Route Statically: checked
– User authentication related settings:
6- Navigate to Policies → USER DIRECTORIES and create a “RADIUS” object with the following settings:
- IP Address: <the created RADIUS IP4 Address object >
- Port: 1812
- Source IP Selection: Automatic
- Retry Timeout: 20
- Shared Secret: <paste the RADIUS Pre-Shared Key value obtained from InCenter>
- Routing table: <select the routing table object created above>
7- Navigate to Network → OneConnect object, and edit it
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core
8- Under CLIENT AUTHENTICATION, choose the following settings:
- Authentication Source: RADIUS
- RADIUS Server: <the created RADIUS IP4 Address object >
9- Save and Activate NetWall configuration changes
Configure the OneConnect Client
Related articles