SSLVPN authenticated through LDAP

Trying to get SSLVPN authenticated using LDAP instead of Active Directory. When I configure the LDAP server and then try and test the user is unknown. I am using UID but what happens is that Watchguard adds @LDAP onto the username. So user Test becomes [email protected] Which fails.

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @KevCar
    The firewall logs each auth type as @_server _ but doesn't send it to the auth server that way. If you have access to the AD server, double check the authentication logs on the server itself and you should see just the user.

    By default, the firewall is expecting sAMAccountname (just the user name.) If you want to use UID ([email protected]) make sure to change the setting to userPrincipalName. I'd suggest using the default (sAMAccountName) unless you have a specific reason to do so.

    -James Carson
    WatchGuard Customer Support

  • samaccount is not and option for LDAP.
    Trying uid with fqdn also says username does not exist so the log does not on the server does not show it. Only options is uid, mail or cn. All say user does not exist.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @KevCar
    You can see it here under login attribute:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/active_directory_about_c.html
    (you'll need to expand the sections for webui or policy manager.)

    If you try using the test tool in the WebUI under System Status > Server Connection, do you see the same behavior and error?

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/test_server_connection_web.html

    -James Carson
    WatchGuard Customer Support

  • Thats for Active Directory not LDAP. Maybe I should tell you what I am doing. I am having a problem using Duo with Watchguard SSL VPN. Configuring Active Directory as the authentication server works but I get 2 prompts on the Duo Mobile app to let me in. They asked me to try the LDAP and see if the double prompt happens. There is also Radius which I tried last night but could not get working either.
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/ldap_auth_about_c.html

  • Switched to using Radius and now its working without the double prompts

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @KevCar
    Duo acts as a AD/Radius "proxy" meaning it sits between the RADIUS/AD server and whatever is trying to access it.
    If the issue is happening with no additional log output on the firewall, it's likely that Duo is causing that double push itself. (My guess would be that it's timing out waiting for something.)

    I'd suggest looking at the logs there first to see why it's doing that and going from there.

    -James Carson
    WatchGuard Customer Support

  • Yeah, I have been through all of that. Duo says its WatchGuard but I have the same exact setup at 3 locations. 1 works, the other 2 give double prompts. Switching from AD authentication to Radius does solve the problem. Just bugs me one works and the other 2 do not. I didn't want to add an addition piece (NPS) to the puzzle.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @kcarpenter

    If you'd like to look into it more deeply, I'd suggest opening a support case.

    If the firewall is sending multiple auth requests, you should see multiple lines saying as such if it's AD. For RADIUS, the firewall will retry up to the amount of retries you have set in the RADIUS configuration.

    -James Carson
    WatchGuard Customer Support

  • I have already been through this with Duo looking at it. If it is the Firewall I don't think Watchguard will do anything since they recommend using Radius. Why it works fine with one of my clients though is a mystery.

This discussion has been closed.