
WatchGuard Configuration

WatchGuard WiFi Cloud, WatchGuard Cloud-managed WiFi 6 access points, and Firebox wireless authenticate WiFi clients against IronWiFi cloud RADIUS using WPA2-Enterprise (802.1X), with an optional external captive portal (External Splash Page) for guest networks. RADIUS and splash page settings are applied per SSID profile in WatchGuard WiFi Cloud or WatchGuard Cloud.

Supported Platforms

  • WatchGuard WiFi Cloud - Cloud-managed access points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)
  • WatchGuard WiFi 6 in WatchGuard Cloud - AP130, AP230W, AP330, AP430CR, AP432
  • WatchGuard Firebox - With wireless capabilities
  • WatchGuard AP - Standalone access points

Prerequisites

In IronWiFi Console (complete these first):

  1. Log in to IronWiFi Management Console
  2. Navigate to Networks
  3. Click Create Network or select existing
  4. Note RADIUS details:
    • RADIUS Server IP
    • Authentication Port: Customer Authentication Port
    • Accounting Port: Customer Accounting Port
    • Shared Secret
  5. Navigate to Captive Portals
  6. Click Create Captive Portal
  7. Configure:
    • Network: Select your network
    • Vendor: WatchGuard or Generic
  8. Note the Splash Page URL
  9. Copy the Walled Garden domains

In WatchGuard:

  • WatchGuard WiFi Cloud or WatchGuard Cloud account
  • Compatible WatchGuard access points or Firebox device
  • Administrative access to management portal
  • Network connectivity to IronWiFi RADIUS servers

WiFi Cloud Configuration

Access WiFi Cloud

  1. Log in to WatchGuard WiFi Cloud portal
  2. Navigate to your organization and site
  3. Select Configure > WiFi

Configure RADIUS Settings

  1. Go to Configure > WiFi > RADIUS

  2. Click Add RADIUS Server

  3. Configure Authentication Server:

    • Name: IronWiFi-Auth
    • IP Address: Your IronWiFi RADIUS IP
    • Port: Customer Authentication Port
    • Shared Secret: Your RADIUS secret
    • Confirm Secret: Re-enter secret
  4. Configure Accounting Server:

    • Name: IronWiFi-Acct
    • IP Address: Same as authentication
    • Port: Customer Accounting Port
    • Shared Secret: Same secret
  5. Click Save

Create SSID with External Captive Portal

  1. Go to Configure > WiFi > SSIDs

  2. Click Add SSID

  3. Configure Basic Settings:

    • SSID Name: Guest WiFi
    • Security Mode: Open
    • VLAN: Configure as needed
  4. Configure Captive Portal:

    • Splash Page Type: Third-Party Hosted with RADIUS
    • Portal URL: Your IronWiFi Splash Page URL
    • Portal Shared Secret: Portal secret from IronWiFi
    • RADIUS Server: IronWiFi-Auth
    • Accounting Server: IronWiFi-Acct
    • Accounting Interval: 5 minutes
  5. Configure Redirect Settings:

    • Success Redirect: Original URL or custom page
    • Session Timeout: As configured in IronWiFi
  6. Click Save

Configure Walled Garden

  1. In SSID settings, find Walled Garden section
  2. Add IronWiFi domains:

Required for IronWiFi:

Authentication Provider Domains:

If using social login providers, add the following domains to your walled garden:

Provider | Required Entries
Google | *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com
Facebook | *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com
Twitter | *.twitter.com, *.twimg.com, twitter.com
LinkedIn | *.linkedin.com, *.licdn.com
Microsoft | *.microsoft.com, *.microsoftonline.com, *.live.com, login.live.com

  3. Click Save

Create WPA2-Enterprise SSID

  1. Go to Configure > WiFi > SSIDs

  2. Click Add SSID

  3. Configure:

    • SSID Name: Secure WiFi
    • Security Mode: WPA2-Enterprise
    • RADIUS Server: IronWiFi-Auth
    • Accounting Server: IronWiFi-Acct
  4. Click Save


WatchGuard Cloud (WiFi 6) Configuration

For WiFi 6 access points managed through WatchGuard Cloud:

Configure Authentication

  1. Log in to WatchGuard Cloud
  2. Navigate to Configure > Devices > Access Points
  3. Select your site
  4. Go to Authentication > RADIUS Servers

Add RADIUS Server

  1. Click Add

  2. Configure:

    • Name: IronWiFi
    • Server Address: IronWiFi RADIUS IP
    • Authentication Port: Customer Authentication Port
    • Accounting Port: Customer Accounting Port
    • Shared Secret: Your secret
  3. Click Save

Configure SSID

  1. Go to SSIDs
  2. Create or edit SSID
  3. Configure security and captive portal as needed
  4. Assign RADIUS server

Firebox Wireless Configuration

Access Firebox

  1. Log in to Firebox System Manager or Web UI
  2. Navigate to wireless settings

Configure RADIUS

  1. Go to Setup > Authentication > Servers
  2. Click Add
  3. Configure:
    • Server Type: RADIUS
    • Name: IronWiFi
    • IP Address: IronWiFi RADIUS IP
    • Auth Port: Customer Authentication Port
    • Acct Port: Customer Accounting Port
    • Shared Secret: Your secret

Configure Wireless Guest Network

  1. Go to Network > Wireless
  2. Create or edit wireless network
  3. Configure:
    • SSID: Guest WiFi
    • Security: Open with Captive Portal
    • Authentication Server: IronWiFi

Password Encoding for Captive Portal

WatchGuard uses a specific password encoding process for external captive portals:

  1. Convert the challenge parameter from hex to bytes
  2. Generate key using MD5 of the portal shared secret
  3. XOR the password with the repeated key
  4. Convert result to hexadecimal
  5. Append encoded password to login URL

IronWiFi handles this encoding automatically when configured with WatchGuard vendor.


Configuration Summary

RADIUS Settings

Setting | Value
Server IP | IronWiFi RADIUS IP
Auth Port | {AUTH_PORT}
Acct Port | {ACCT_PORT}
Secret | Your shared secret
Timeout | 5 seconds

Captive Portal Settings

Setting | Value
Portal Type | Third-Party Hosted with RADIUS
Portal URL | IronWiFi Splash Page URL
Portal Secret | From IronWiFi Console

Walled Garden

Domain/IP
107.178.250.42
*.ironwifi.com
*.ironwifi.net

Verification

Check AP Status

  1. In WiFi Cloud, go to Monitor > Access Points
  2. Verify APs are online
  3. Check configuration sync status

Check RADIUS Connectivity

  1. Go to Monitor > Events
  2. Filter for authentication events
  3. Look for successful RADIUS responses

Test Guest Portal

  1. Connect device to guest SSID
  2. Open browser - should redirect to splash page
  3. Complete authentication
  4. Verify in IronWiFi Console logs

Troubleshooting

Issue | Possible Cause | Solution
RADIUS timeout | Network connectivity issue | Verify AP can reach IronWiFi RADIUS; check firewall rules allow outbound UDP {AUTH_PORT}/{ACCT_PORT}; test connectivity from WiFi Cloud diagnostics
Authentication rejected | Wrong shared secret | Verify shared secret matches exactly (case-sensitive) in both IronWiFi Console and WatchGuard configuration
Portal not redirecting | Portal disabled or URL wrong | Verify captive portal is enabled on SSID; check portal URL is correct; ensure DNS is working for clients; verify walled garden includes portal domain
Authentication fails after portal | Portal secret mismatch or encoding issue | Check portal shared secret matches; verify password encoding is correct; review RADIUS response in logs
Social login not working | Missing provider domains | Add all social provider domains to walled garden; verify OAuth is configured in IronWiFi
SSL error | Certificate issue | Install valid SSL certificate on AP/controller; add authentication provider domains to walled garden
Encoding error | Wrong portal secret | Verify portal shared secret matches in both systems

Additional Troubleshooting Steps

  1. Verify RADIUS Configuration

    • Check server IP address is correct
    • Verify shared secret matches exactly (case-sensitive)
    • Ensure ports {AUTH_PORT}/{ACCT_PORT} are correct
  2. Check Network Connectivity

    • Verify AP can reach IronWiFi RADIUS
    • Check firewall rules allow outbound UDP {AUTH_PORT}/{ACCT_PORT}
    • Test connectivity from WiFi Cloud diagnostics
  3. Review Logs

    • Check WiFi Cloud event logs
    • Review IronWiFi authentication logs
    • Look for timeout or rejection messages
  4. SSL Certificate Issues

    • Install a valid SSL certificate on your AP/controller to avoid authentication issues with HTTPS portals
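
A probe for steps 1 and 2 above, run from a test host: it sends one PAP Access-Request and separates "no reply" from "reply that does not verify under this shared secret" from a verified accept or reject. This is an added example, not WatchGuard or IronWiFi code. It assumes the RADIUS server answers PAP requests from the probing host's address; the host, port, test account and secret are supplied by you, and the 5-second default follows the Timeout row in the Configuration Summary.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = (password + bytes(-len(password) % 16)) or bytes(16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=b""):
    authenticator = authenticator or os.urandom(16)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, authenticator))
    attrs += attr(80, bytes(16))  # Message-Authenticator, zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, port, user, password, secret, timeout=5.0) -> str:
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # unreachable, filtered, or silently dropped by the server
    if reply[1:2] != request[1:2] or not response_is_authentic(reply, request[4:20], secret):
        return "unverified-reply"  # wrong shared secret, or not a reply to this request
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
```

A verified "reject" means the path and the shared secret are good and only the test credentials are wrong. A "timeout" does not by itself rule out a secret mismatch, because many RADIUS servers drop requests that fail their checks instead of answering.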

Best Practices

  1. Use Strong Secrets: Generate complex RADIUS and portal shared secrets
  2. Enable Accounting: Track usage and session data
  3. Configure Timeouts: Set appropriate session and idle timeouts
  4. Monitor Regularly: Check WiFi Cloud dashboard for issues
  5. Firmware Updates: Keep APs updated for security and compatibility
  6. Test Changes: Verify configuration in lab before production
  7. SSL Certificates: Install valid certificates to avoid client warnings
