How to - Configure your On-Prem firewall to work with the Passwordless VPN SASE service

Last modified on 19 Apr, 2022. Revision 34


This guide describes how to configure your On-Prem NetWall firewall to work with the Passwordless VPN SASE service in two ways: by importing a configuration script, or manually through the WebUI.

The guide uses our example company ShieldIT as <company_name> through the different steps

The guide assumes you are already provided with access information to the service by Clavister.

The guide assumes you already have working OneConnect tunnel configurations (See related articles below for setting up OneConnect interfaces in NetWall)


Setup your On-Prem NetWall firewall

The NetWall firewall configurations provided in the following instructions (script way and WebUI way) enable your firewall to relay the RADIUS authentication traffic initiated by the OneConnect tunnel (OneConnect clients) towards the SASE service via an IPsec tunnel. The IPsec tunnel and all its related routing configuration use the virtual routing capabilities in NetWall to isolate this routing from the current firewall setup and avoid any potential routing conflicts.

The script way

1- Download the following script file:

sase_passwordlessvpn_netwall_configs.sgs


2- Edit the downloaded script file with your favorite text editor


3- Change the following values to the values provided to you by Clavister; the values that require change are marked as <change me>:

Example:


4- Change the following value to a NetWall IPv4 address object that corresponds to a local user network address behind the firewall (e.g. the LAN network)

Example:

Avoid using an address from CIDR range 172.20.1.0/26 for this object


5- Save file changes


6- Log in to the NGFW admin interface.


7- Navigate to Status → Maintenance → Import Script


Click on Browse…, then select and upload the script file edited and saved in the previous step.

You should get the following message:

Success! Execution completed successfully. You can now review and activate your new configuration.


8- Navigate to Network → OneConnect object, and edit it

This guide assumes you already have working OneConnect tunnel configurations (See related articles below for setting up OneConnect interfaces in NetWall)
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core



9- Under CLIENT AUTHENTICATION, select the following settings:

- Authentication Source: RADIUS 
- RADIUS Server: <the created RADIUS IP4 Address object >


10- Save and Activate NetWall configuration changes


Done.
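Before importing the edited script (step 7), a quick pre-flight check catches the two mistakes this procedure invites: a <change me> placeholder left unreplaced (step 3) and a local network address taken from 172.20.1.0/26 (step 4). The check below is an added example, not part of the Clavister guide or the .sgs script; it assumes the script is plain text, that the pre-shared key is of type Hex as in the WebUI steps, and that the local network is given in CIDR form. The sample script content is constructed and does not reflect the real file format.

```python
"""Pre-flight check for the edited sase_passwordlessvpn_netwall_configs.sgs.

Added example, not from the Clavister guide. Assumptions: the script is plain
text, unedited values still read literally "<change me>" (step 3), the IPsec
pre-shared key is hex (Type: Hex in the WebUI steps), and the local user
network chosen in step 4 is written in CIDR form.
"""
import ipaddress
import re

PLACEHOLDER = "<change me>"
# The guide says: avoid this range for the local user network object.
SERVICE_RANGE = ipaddress.ip_network("172.20.1.0/26")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample of a half-edited script; not the real file's syntax.
SAMPLE_SCRIPT = """# constructed sample, not the real .sgs content
radius_ip=10.10.10.1
psk=<change me>
"""


def unresolved_placeholders(script_text):
    """1-based line numbers that still contain the <change me> marker."""
    return [n for n, line in enumerate(script_text.splitlines(), 1)
            if PLACEHOLDER in line]


def local_network_ok(cidr):
    """True unless the local user network overlaps 172.20.1.0/26."""
    return not ipaddress.ip_network(cidr, strict=False).overlaps(SERVICE_RANGE)


def psk_hex_ok(psk):
    """Hex-type PSK: hex digits only, and whole bytes (even digit count)."""
    return bool(HEX_RE.match(psk)) and len(psk) % 2 == 0


def preflight(script_text, local_network, psk):
    """Return a list of problems; an empty list means safe to import."""
    problems = [f"line {n}: {PLACEHOLDER} still present"
                for n in unresolved_placeholders(script_text)]
    if not local_network_ok(local_network):
        problems.append(f"{local_network} overlaps {SERVICE_RANGE}")
    if not psk_hex_ok(psk):
        problems.append("pre-shared key is not valid hex")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_SCRIPT, "172.20.1.16/28", "3ccb6"):
        print(problem)
```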

The webui way

On the Clavister NetWall NGFW you can now set up the OneConnect server with MFA authentication.

The NetWall software requires a password before sending the authentication request to the RADIUS server; this password is however not used or validated in this service setup. For fully passwordless operation you must install cOS Core version 14.XXX, where this field is no longer mandatory.


First, log in to the NGFW admin interface.




– Service virtual routing related setting:

1- create a “Routing table” object that the IPsec tunnel and RADIUS firewall objects further down will be members of



– Service IPsec tunnel related settings:

2- create an “FQDN address” object for the SASE RADIUS endpoint

Address: radius.sase.eu


3- create a “Pre-Shared Key” object for the IPsec tunnel that connects to the SASE RADIUS endpoint
Type: Hex
Passphrase: 3ccb660224092b7042ebc49bb4d3a91480e9f950a05420bf154f1b124345f0044739a9d018f93234f7e1b527a556347deb64ae6f1f2470a9cdab15c84577044a


4- create an “IP4 Address” object for the RADIUS IP, to be used next as the “Remote Network” of the tunnel
Address: 10.10.10.1



5- create an “IPsec tunnel” object with the following settings: navigate to Network → IPsec and add an IPsec tunnel


Configure the tunnel settings as follows:

General:

- IKE Version: IKEv2

- Local Network: <any local network of your choice> 
- Remote Network: <the created RADIUS IP4 Address object > 
- Remote Endpoint: <the created FQDN address object>


Authentication:

- Authentication Method: Pre-shared key


IKE (Phase-1):

- Diffie-Hellman Group: 14 (2048-bit) 
- Algorithms: High 
- Lifetime: 28800 
- Auto Establish: checked


IKE (Phase-2):

- Diffie-Hellman Group: 14 (2048-bit) 
- Algorithms: High 
- Lifetime: 3600


Virtual routing:

Choose “Make interface a member of a specific routing table” and select the routing table object created above


Advanced:

Add Route Statically: checked


– User authentication related settings:

6- Navigate to Policies → USER DIRECTORIES


create a “RADIUS” object with the following settings:

- IP Address: <the created RADIUS IP4 Address object > 
- Port: 1812 
- Source IP Selection: Automatic 
- Retry Timeout: 20 
- Shared Secret: secret
- Routing table: <select the routing table object created above>


7- Navigate to Network → OneConnect object, and edit it

This guide assumes you already have working OneConnect tunnel configurations (See related articles below for setting up OneConnect interfaces in NetWall)
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core



8- Under CLIENT AUTHENTICATION, choose the following settings:

- Authentication Source: RADIUS 
- RADIUS Server: <the created RADIUS IP4 Address object >

To set up TLS certificates in cOS Core (required for the SSL VPN connections from the OneConnect client to work), see the following article for more information: https://kb.clavister.com/346360399/configuring-public-certificates-in-netwall


9- Save and Activate NetWall configuration changes


Configure the OneConnect Client

1- Under OneConnect client, click on “VPN Configurations”


2- Enter the following required settings:

- SERVER: <The public IP address of your NetWall firewall where the OneConnect server is configured under>
- CREDENTIALS: <The username of user that is added under the SASE service>

A password must be entered here, but it is not validated. To remove this requirement you must upgrade to cOS Core 14.XXXX, which no longer checks for a password in the RADIUS request sent to the SASE MFA server.
See the following article on how to add local users to the SASE service: https://kb.clavister.com/346362975/how-to---manage-local-users-for-the-sase-service


3- click on “Connect”


Done.


Troubleshooting


Check the tunnel status by navigating to Status → IPsec


Check the log under System Logs

If a wrong username is entered, the response is a long timeout


Search for OneConnect in the logs; the log entries appear only after the timeout happens.


The second time the same wrong username is used, the timeout happens quickly.

The second time the same wrong username is used, the RADIUS server does send a response: bad_user_credentials


Changing the username again results in a long timeout.

Aborting the long timeout results in a oneconnect_handshake_failed

Requests get out of sync, and delayed challenges in the OneTouch app also get a timeout.


Related articles

Configure Clavister OneConnect using deep links
23 Nov, 2021 oneconnect macos ios windows
Configure Clavister OneConnect for macOS, iOS and iPadOS towards NetWall
29 Oct, 2021 sslvpn openconnect oneconnect macos ios netwall
Configuring public certificates in NetWall firewalls
5 Apr, 2022 core certificate oneconnect ipsec vpn
Configure the Android OpenConnect client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect android core
Configure Clavister OneConnect for Windows towards Clavister NetWall
29 Oct, 2021 sslvpn openconnect oneconnect windows
Lets Encrypt - error 9814 - chain had an expired certs
13 Oct, 2021 oneconnect macos openconnect ios
Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core
Configuring SSL-VPN / OneConnect server on secondary Firewall IP address
8 Apr, 2021 core sslvpn oneconnect interfaces arp
OneConnect VPN certificate not trusted
1 Dec, 2021 oneconnect sslvpn
Install OneConnect without Microsoft store
25 Feb, 2022 oneconnect windows howto
Configure the OpenConnect-GUI client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect macos windows linux core