M200 with Duo Security 2FA

M200 on 12.5.2, NPS on Windows Server 2016.

Trying to set up 2FA with Duo Security, following the instructions at https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/duo-security-authentication.html
and https://duo.com/docs/radius

Everything almost seems to be working: the NPS RADIUS server's Event Viewer shows access granted, and the Duo Mobile push shows up on my phone. As soon as I tap Allow in Duo, I get disconnected.

Here's what it looks like:

admd Authentication of L2TPVPN user [[email protected]] from myIP was accepted msg_id="1100-0004"
l2tp [:00834,sess_change_event_handler]: (l2tp) l2tp-sess: failed to find node with virtual IP:0.0.0.0

If I remove the Duo Auth Proxy, it works:

sessiond L2TP VPN user [email protected] from myIP logged in assigned virtual IP is 10.0.4.2 msg_id="3E00-0002"

The Filter-Id is L2TP-Users, the account is not in a nested group, and the Duo Auth Proxy is set to pass all RADIUS parameters.
It seems that when using Duo, it can't assign a virtual IP and then disconnects.
Is the M200 compatible with Duo 2FA?
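A way to see what actually changes between the two setups is to compare the RADIUS Access-Accept that NPS returns directly with the one that comes back through the Duo Auth Proxy. The script below is an added example, not part of the original post and not Duo or WatchGuard code: it decodes an Access-Accept per RFC 2865 and RFC 2548, reports the Filter-Id (which the Firebox uses for group membership) and the Microsoft vendor attributes that belong to an MSCHAPv2 accept, and flags what is missing. The two packets are constructed in the script for illustration; the MPPE key bytes and the Response Authenticator are dummy values, and the assumption that a stripped reply looks like the second packet is the script's, not something the thread confirms.

```python
"""Decode a RADIUS Access-Accept and report the attributes an MSCHAPv2 L2TP
accept should carry (RFC 2865, RFC 2548). Packets below are constructed samples."""
import struct

ACCESS_ACCEPT = 2
# RFC 2865 attribute types
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11
VENDOR_SPECIFIC = 26
# RFC 2548 Microsoft vendor-specific attributes (vendor id 311)
MS_VENDOR = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17
MS_CHAP2_SUCCESS = 26


def parse_attrs(payload):
    """Yield (type, value) TLVs; each attribute is type(1) length(1) value."""
    i = 0
    while i < len(payload):
        t, l = payload[i], payload[i + 1]
        if l < 2 or i + l > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield t, payload[i + 2:i + l]
        i += l


def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor, vendor_type, value) tuples."""
    vendor = struct.unpack("!I", value[:4])[0]
    for t, v in parse_attrs(value[4:]):
        yield vendor, t, v


def decode_access_accept(pkt):
    """Return the fields we care about from an Access-Accept packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    if length != len(pkt):
        raise ValueError("length field disagrees with packet size")
    result = {"filter_id": None, "framed_ip": None, "ms_vsas": set()}
    for t, v in parse_attrs(pkt[20:length]):      # 20 = header + authenticator
        if t == FILTER_ID:
            result["filter_id"] = v.decode("utf-8", "replace")
        elif t == FRAMED_IP_ADDRESS:
            result["framed_ip"] = ".".join(str(b) for b in v)
        elif t == VENDOR_SPECIFIC:
            for vendor, vt, _ in parse_vsa(v):
                if vendor == MS_VENDOR:
                    result["ms_vsas"].add(vt)
    return result


def check_l2tp_reply(pkt, required_group="L2TP-Users"):
    """Return a list of problems; an empty list means the reply looks complete."""
    r = decode_access_accept(pkt)
    problems = []
    if r["filter_id"] != required_group:
        problems.append("Filter-Id is %r, expected %r" % (r["filter_id"], required_group))
    if MS_CHAP2_SUCCESS not in r["ms_vsas"]:
        problems.append("no MS-CHAP2-Success VSA: not a complete MSCHAPv2 accept")
    if not {MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY} <= r["ms_vsas"]:
        problems.append("MS-MPPE-Send/Recv-Key missing (only matters if MPPE is used)")
    return problems


# --- helpers to build the constructed sample packets ---
def attr(t, value):
    return bytes([t, len(value) + 2]) + value


def ms_vsa(vt, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR) + attr(vt, value))


def access_accept(ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


DUMMY_AUTH = bytes(16)  # placeholder Response Authenticator (really MD5-derived)

# Constructed: what NPS itself returns for an MSCHAPv2 user in L2TP-Users.
NPS_DIRECT = access_accept(7, DUMMY_AUTH, [
    attr(FILTER_ID, b"L2TP-Users"),
    ms_vsa(MS_CHAP2_SUCCESS, b"\x01S=" + b"0" * 40),  # Ident byte + "S=<40 hex>"
    ms_vsa(MS_MPPE_SEND_KEY, bytes(34)),               # dummy salt + key bytes
    ms_vsa(MS_MPPE_RECV_KEY, bytes(34)),
])

# Constructed: the same accept with only the Filter-Id surviving a proxy hop.
PROXIED = access_accept(7, DUMMY_AUTH, [attr(FILTER_ID, b"L2TP-Users")])

if __name__ == "__main__":
    for name, pkt in (("NPS direct", NPS_DIRECT), ("via proxy", PROXIED)):
        print(name, decode_access_accept(pkt), check_l2tp_reply(pkt) or "OK")
```

To run it against real traffic, capture UDP/1812 on the NPS host and on the Auth Proxy host, feed the Access-Accept bytes to `check_l2tp_reply`, and diff the two reports; the Firebox only sees the second one.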

Comments

  • Duo 2FA works for the :4100 login page, the SSLVPN login page, and for SSLVPN. It does NOT work for IKEv2 VPN. I have not tested it with L2TP, but it may be related to the issues with IKEv2 VPN.

    Gregg Hill

  • I'm not using IKEv2; what's the issue with it?
    I will have to test the SSLVPN tonight when there are no users. I'll submit a case if the SSLVPN doesn't work.

  • For IKEv2 VPN, the Duo agent does not return the proper information to work. See https://community.duo.com/t/is-duo-compatible-with-watchguard-ikev2-vpn-using-mschapv2/6454

    Duo was working on it and released a new agent recently, but I have not had time to test.

    If L2TP also uses MSCHAPv2, then it could be related.

    Gregg Hill

  • Thanks for the direction to use SSLVPN, Gregg. I got the SSLVPN to work with Duo.
    I'm currently using the latest Duo Auth Proxy; it doesn't work with MSCHAPv2, which is what L2TP on the M200 uses for authentication to the NPS RADIUS server.

    It would be nice if it worked, because I use L2TP for sysadmins; the regular users go through the SSLVPN.

    Thank you.

  • AuthPoint works for both SSLVPN and IKEv2 VPN.

    Gregg Hill

  • James_Carson Moderator, WatchGuard Representative

    Hi @Goose

    The issue is the authentication protocol each VPN type uses. The firewall just passes it along when an external authentication server is in use. Duo specifically doesn't support some iterations of MSCHAP.

    If you'd like to use MFA that does support MSCHAPv2, which is what the built in windows client uses for some of the VPNs, our MFA suite (AuthPoint) does do this. If you'd like to use Duo, I'd suggest making a feature request with them to support that.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    Hi @Goose

    The issue is the authentication protocol each VPN type uses. The firewall just passes it along when an external authentication server is in use. Duo specifically doesn't support some iterations of MSCHAP.

    If you'd like to use MFA that does support MSCHAPv2, which is what the built in windows client uses for some of the VPNs, our MFA suite (AuthPoint) does do this. If you'd like to use Duo, I'd suggest making a feature request with them to support that.

    James,

    Duo already is working on getting their 2FA to work with WatchGuard's MSCHAPv2. I have an open support case with them on it.

    Yes, AuthPoint works flawlessly with both SSLVPN and IKEv2 VPN. Possibly L2TP???

    Gregg Hill
