Filter-ID Authpoint or AD
Hi,
I have set up AuthPoint for IKEv2 using AD LDAP authentication. I followed this guide for version 12.7 or higher:
I could not get it working, as AuthPoint was complaining about the user not being in the correct group, which the user is.
__admd Authentication failed: user username@domain isn't in the IKEv2 authorized group/user list! __
I had to change the AuthPoint client "Value sent for RADIUS attribute 11 (Filter-Id)" to "User's Active Directory groups" and, on the NPS network policy, add the user's group membership with Filter-ID 11.
After this, login with AuthPoint works as expected. Am I reading the wrong guide, or is this part missing somewhere?
Regards
Robert
Comments
Hi @rv@kaufmann.dk
If you're using NPS to integrate with AD, we get the group info via attribute 11 (FilterID) in the RADIUS access-accept. If NPS wasn't providing this before, the firewall will assume no group.
-James Carson
WatchGuard Customer Support
> Hi @rv@kaufmann.dk
> If you're using NPS to integrate with AD, we get the group info via attribute 11 (FilterID) in the RADIUS access-accept. If NPS wasn't providing this before, the firewall will assume no group.
@james.carson
Thanks. But is that part not missing from the guide I have linked to?
This guide is for that usage, NPS.
/Robert