WatchGuard Configuration
This guide explains how to configure WatchGuard wireless products to work with IronWifi for RADIUS authentication and captive portal.
Supported Platforms
- WatchGuard Wi-Fi Cloud - Cloud-managed access points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)
- WatchGuard Wi-Fi 6 in WatchGuard Cloud - AP130, AP230W, AP330, AP430CR, AP432
- WatchGuard Firebox - With wireless capabilities
- WatchGuard AP - Standalone access points
Prerequisites
In IronWifi Console (complete these first):
- Log in to IronWifi Management Console
- Navigate to Networks
- Click Create Network or select existing
- Note RADIUS details:
  - RADIUS Server IP
  - Authentication Port: 1812
  - Accounting Port: 1813
  - Shared Secret
- Navigate to Captive Portals
- Click Create Captive Portal
- Configure:
  - Network: Select your network
  - Vendor: WatchGuard or Generic
- Note the Splash Page URL
- Copy the Walled Garden domains
In WatchGuard:
- WatchGuard Wi-Fi Cloud or WatchGuard Cloud account
- Compatible WatchGuard access points or Firebox device
- Administrative access to management portal
- Network connectivity to IronWifi RADIUS servers
Wi-Fi Cloud Configuration
Access Wi-Fi Cloud
- Log in to WatchGuard Wi-Fi Cloud portal
- Navigate to your organization and site
- Select Configure > WiFi
Configure RADIUS Settings
- Go to Configure > WiFi > RADIUS
- Click Add RADIUS Server
- Configure Authentication Server:
  - Name: IronWifi-Auth
  - IP Address: Your IronWifi RADIUS IP
  - Port: 1812
  - Shared Secret: Your RADIUS secret
  - Confirm Secret: Re-enter secret
- Configure Accounting Server:
  - Name: IronWifi-Acct
  - IP Address: Same as authentication
  - Port: 1813
  - Shared Secret: Same secret
- Click Save
Create SSID with External Captive Portal
- Go to Configure > WiFi > SSIDs
- Click Add SSID
- Configure Basic Settings:
  - SSID Name: Guest WiFi
  - Security Mode: Open
  - VLAN: Configure as needed
- Configure Captive Portal:
  - Splash Page Type: Third-Party Hosted with RADIUS
  - Portal URL: Your IronWifi Splash Page URL
  - Portal Shared Secret: Portal secret from IronWifi
  - RADIUS Server: IronWifi-Auth
  - Accounting Server: IronWifi-Acct
  - Accounting Interval: 5 minutes
- Configure Redirect Settings:
  - Success Redirect: Original URL or custom page
  - Session Timeout: As configured in IronWifi
- Click Save
Configure Walled Garden
- In SSID settings, find Walled Garden section
- Add IronWifi domains:
  Required for IronWifi:
  - 107.178.250.42
  - *.ironwifi.com
  - *.ironwifi.net
  - splash.ironwifi.com
Authentication Provider Domains:
If using social login providers, add the following domains to your walled garden:
| Provider | Required Entries |
|---|---|
| Google | *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com |
| Facebook | *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com |
| Twitter | *.twitter.com, *.twimg.com, twitter.com |
| LinkedIn | *.linkedin.com, *.licdn.com |
| Microsoft | *.microsoft.com, *.microsoftonline.com, *.live.com, login.live.com |
- Click Save
Create WPA2-Enterprise SSID
- Go to Configure > WiFi > SSIDs
- Click Add SSID
- Configure:
  - SSID Name: Secure WiFi
  - Security Mode: WPA2-Enterprise
  - RADIUS Server: IronWifi-Auth
  - Accounting Server: IronWifi-Acct
- Click Save
WatchGuard Cloud (Wi-Fi 6) Configuration
For Wi-Fi 6 access points managed through WatchGuard Cloud:
Configure Authentication
- Log in to WatchGuard Cloud
- Navigate to Configure > Devices > Access Points
- Select your site
- Go to Authentication > RADIUS Servers
Add RADIUS Server
- Click Add
- Configure:
  - Name: IronWifi
  - Server Address: IronWifi RADIUS IP
  - Authentication Port: 1812
  - Accounting Port: 1813
  - Shared Secret: Your secret
- Click Save
Configure SSID
- Go to SSIDs
- Create or edit SSID
- Configure security and captive portal as needed
- Assign RADIUS server
Firebox Wireless Configuration
Access Firebox
- Log in to Firebox System Manager or Web UI
- Navigate to wireless settings
Configure RADIUS
- Go to Setup > Authentication > Servers
- Click Add
- Configure:
  - Server Type: RADIUS
  - Name: IronWifi
  - IP Address: IronWifi RADIUS IP
  - Auth Port: 1812
  - Acct Port: 1813
  - Shared Secret: Your secret
Configure Wireless Guest Network
- Go to Network > Wireless
- Create or edit wireless network
- Configure:
  - SSID: Guest WiFi
  - Security: Open with Captive Portal
  - Authentication Server: IronWifi
Password Encoding for Captive Portal
WatchGuard uses a specific password encoding process for external captive portals:
- Convert the challenge parameter from hex to bytes
- Generate key using MD5 of the portal shared secret
- XOR the password with the repeated key
- Convert result to hexadecimal
- Append encoded password to login URL
IronWifi handles this encoding automatically when configured with WatchGuard vendor.
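The five encoding steps above, as an added example (not IronWifi or WatchGuard code) with a matching decoder to show the encoding is reversible by anyone holding the portal secret. Assumptions: the key is MD5 over the challenge bytes followed by the portal secret (the page does not state how the two combine), the query parameter names `username` and `password` are hypothetical, and the challenge, secret and login URL are constructed sample values.

```python
import hashlib
from itertools import cycle
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values, not taken from any real deployment.
CHALLENGE_HEX = "00112233445566778899aabbccddeeff"
PORTAL_SECRET = "example-portal-secret"
LOGIN_URL = "https://ap.example.invalid/login?sid=1"  # hypothetical


def derive_key(challenge_hex: str, portal_secret: str) -> bytes:
    # Step 1: the challenge arrives hex-encoded; work on its raw bytes.
    challenge = bytes.fromhex(challenge_hex)
    # Step 2: 16-byte MD5 key. ASSUMPTION: the challenge bytes are hashed
    # ahead of the portal secret; the page does not state how they combine.
    return hashlib.md5(challenge + portal_secret.encode("utf-8")).digest()


def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Step 3: XOR each byte with the key, repeating the key as needed.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_password(password: str, challenge_hex: str, portal_secret: str) -> str:
    key = derive_key(challenge_hex, portal_secret)
    # Step 4: hex-encode the XOR result.
    return xor_repeating(password.encode("utf-8"), key).hex()


def decode_password(encoded_hex: str, challenge_hex: str, portal_secret: str) -> str:
    # XOR is its own inverse, so whoever holds the secret recovers the password.
    key = derive_key(challenge_hex, portal_secret)
    raw = xor_repeating(bytes.fromhex(encoded_hex), key)
    return raw.decode("utf-8", errors="replace")


def build_login_url(login_url: str, username: str, encoded_password: str) -> str:
    # Step 5: append the encoded password, keeping existing query parameters.
    # The parameter names "username" and "password" are assumptions.
    parts = urlsplit(login_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("username", username), ("password", encoded_password)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    enc = encode_password("guest-pass-longer-than-16", CHALLENGE_HEX, PORTAL_SECRET)
    print(build_login_url(LOGIN_URL, "alice", enc))
    print(decode_password(enc, CHALLENGE_HEX, "wrong-secret"))  # garbage
```

A mismatched portal secret decodes to garbage rather than raising an error, which is why the troubleshooting table pairs encoding errors with a wrong portal secret. Because the encoding is reversible with the secret, the strength of that secret and HTTPS on the portal carry the protection.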
Configuration Summary
RADIUS Settings
| Setting | Value |
|---|---|
| Server IP | IronWifi RADIUS IP |
| Auth Port | 1812 |
| Acct Port | 1813 |
| Secret | Your shared secret |
| Timeout | 5 seconds |
Captive Portal Settings
| Setting | Value |
|---|---|
| Portal Type | Third-Party Hosted with RADIUS |
| Portal URL | IronWifi Splash Page URL |
| Portal Secret | From IronWifi Console |
Walled Garden
| Domain/IP |
|---|
| 107.178.250.42 |
| *.ironwifi.com |
| *.ironwifi.net |
Verification
Check AP Status
- In Wi-Fi Cloud, go to Monitor > Access Points
- Verify APs are online
- Check configuration sync status
Check RADIUS Connectivity
- Go to Monitor > Events
- Filter for authentication events
- Look for successful RADIUS responses
Test Guest Portal
- Connect device to guest SSID
- Open browser - should redirect to splash page
- Complete authentication
- Verify in IronWifi Console logs
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| RADIUS timeout | Network connectivity issue | Verify AP can reach IronWifi RADIUS; check firewall rules allow outbound UDP 1812/1813; test connectivity from Wi-Fi Cloud diagnostics |
| Authentication rejected | Wrong shared secret | Verify shared secret matches exactly (case-sensitive) in both IronWifi Console and WatchGuard configuration |
| Portal not redirecting | Portal disabled or URL wrong | Verify captive portal is enabled on SSID; check portal URL is correct; ensure DNS is working for clients; verify walled garden includes portal domain |
| Authentication fails after portal | Portal secret mismatch or encoding issue | Check portal shared secret matches; verify password encoding is correct; review RADIUS response in logs |
| Social login not working | Missing provider domains | Add all social provider domains to walled garden; verify OAuth is configured in IronWifi |
| SSL error | Certificate issue | Install valid SSL certificate on AP/controller; add authentication provider domains to walled garden |
| Encoding error | Wrong portal secret | Verify portal shared secret matches in both systems |
Additional Troubleshooting Steps
- Verify RADIUS Configuration
  - Check server IP address is correct
  - Verify shared secret matches exactly (case-sensitive)
  - Ensure ports 1812/1813 are correct
- Check Network Connectivity
  - Verify AP can reach IronWifi RADIUS
  - Check firewall rules allow outbound UDP 1812/1813
  - Test connectivity from Wi-Fi Cloud diagnostics
- Review Logs
  - Check Wi-Fi Cloud event logs
  - Review IronWifi authentication logs
  - Look for timeout or rejection messages
- SSL Certificate Issues
  - Install a valid SSL certificate on your AP/controller to avoid authentication issues with HTTPS portals
Best Practices
- Use Strong Secrets: Generate complex RADIUS and portal shared secrets
- Enable Accounting: Track usage and session data
- Configure Timeouts: Set appropriate session and idle timeouts
- Monitor Regularly: Check Wi-Fi Cloud dashboard for issues
- Firmware Updates: Keep APs updated for security and compatibility
- Test Changes: Verify configuration in lab before production
- SSL Certificates: Install valid certificates to avoid client warnings