AD LDAP and WatchGuard RADIUS to AD authentication servers with SSL VPN
I have SSL VPN access running with authentication working against our Microsoft AD. The authentication server is configured as Active Directory and is the primary (default) authentication server in the SSL VPN client configuration.
I have added a RADIUS authentication server to use for AuthPoint, which authenticates against the AuthPoint Gateway towards our MS AD. This is also working as expected.
Then I have an AD security group (test-group) where a test user is assigned. This group is synced to the AuthPoint portal and the test user has an activated MFA token.
The same group is added to the firewall users and groups and assigned the above MFA RADIUS authentication server. This is also working as expected.
If I enable the MFA RADIUS authentication server in the SSL VPN configuration (non-default) and enable the test-group, then when I log in with the MFA test user, I do not succeed.
It looks as if Fireware authenticates the user using the wrong authentication server, which is the one configured as Active Directory and not the one using RADIUS for the AuthPoint Gateway.
sessiond Session not found: type=3, userIp=22.214.171.124, userMac=, userId=, authDomain=, vpnVirtAddr=0.0.0.0
sessiond Session not found: type=3, userIp=126.96.36.199, userMac=, userId=(null), authDomain=Firebox-DB, vpnVirtAddr=0.0.0.0
wgcgi device_session_find, userId=(null), auth domain=Firebox-DB
wgcgi generate_sslvpn_cookie: username:test-user, len(password):12, domain:domain.local
wgcgi sslvpn_auth_domain_get, username:test-user, domain:domain.local
wgcgi SSL VPN user test-user@domain.local from 188.8.131.52 was rejected - generic error
admd Authentication failed, SSLVPN session, but user test-user@domain.local isn't in the authorized SSLVPN group/user list! (domain.local = active directory auth server)
admd Authentication of SSLVPN user [test-user@domain.local] from 184.108.40.206 was rejected, Internal error: failed to parse searching result
My MFA RADIUS authentication server in Fireware is called domain.mfa, so I would expect the admd process to show authentication with @domain.mfa.
Is it not possible to have both AD and RADIUS authentication at the same time with SSL VPN?
The test-user is only a member of one group, the test group, which is synced to AuthPoint.
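As an added example (not part of the original post, and not WatchGuard code), the small Python checker below reads Fireware log lines in the formats shown above and reports, per SSL VPN login attempt, which authentication domain the Firebox resolved the user to and what admd decided. Running it over a log excerpt makes a mismatch between the intended MFA server (here assumed to be domain.mfa) and the server actually used (domain.local) visible at a glance, which is the first thing to confirm when a login lands on the wrong authentication server. The regexes are derived from the lines in the post rather than an official log schema, and the sample lines and IP addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Patterns derived from the log excerpt in the post (constructed, not an official schema).
DOMAIN_GET = re.compile(
    r"wgcgi sslvpn_auth_domain_get, username:(?P<user>[^,]+), domain:(?P<domain>\S+)"
)
GROUP_MISS = re.compile(
    r"admd Authentication failed, SSLVPN session, but user "
    r"(?P<user>[^@\s]+)@(?P<domain>\S+) isn't in the authorized SSLVPN group/user list"
)
ADMD_RESULT = re.compile(
    r"admd Authentication of SSLVPN user \[(?P<user>[^@\]]+)@(?P<domain>[^\]]+)\] "
    r"from (?P<ip>\S+) was (?P<result>accepted|rejected)(?:, (?P<reason>.*))?"
)


@dataclass
class Attempt:
    user: str
    resolved_domain: str      # auth domain the Firebox mapped the login to
    source_ip: str = ""
    result: str = ""          # "accepted" / "rejected" from admd
    reason: str = ""
    notes: list = field(default_factory=list)


def parse_attempts(lines):
    """Pair each sslvpn_auth_domain_get line with the admd verdict that follows it."""
    attempts = []
    pending = {}  # user -> Attempt still waiting for its admd verdict
    for line in lines:
        m = DOMAIN_GET.search(line)
        if m:
            a = Attempt(user=m["user"], resolved_domain=m["domain"])
            pending[m["user"]] = a
            attempts.append(a)
            continue
        m = GROUP_MISS.search(line)
        if m and m["user"] in pending:
            pending[m["user"]].notes.append(
                f"group check ran against domain {m['domain']}, user not in SSLVPN list"
            )
            continue
        m = ADMD_RESULT.search(line)
        if m:
            a = pending.pop(m["user"], None)
            if a is None:  # verdict without a preceding domain_get line
                a = Attempt(user=m["user"], resolved_domain=m["domain"])
                attempts.append(a)
            a.source_ip = m["ip"]
            a.result = m["result"]
            a.reason = m["reason"] or ""
    return attempts


def domain_mismatches(attempts, expected_domain):
    """Attempts whose resolved auth domain is not the one the MFA users should hit."""
    return [a for a in attempts if a.resolved_domain != expected_domain]


# Constructed sample: the failing attempt from the post plus one hypothetical success.
SAMPLE_LOG = [
    "wgcgi sslvpn_auth_domain_get, username:test-user, domain:domain.local",
    "wgcgi SSL VPN user test-user@domain.local from 192.0.2.10 was rejected - generic error",
    "admd Authentication failed, SSLVPN session, but user test-user@domain.local "
    "isn't in the authorized SSLVPN group/user list!",
    "admd Authentication of SSLVPN user [test-user@domain.local] from 192.0.2.10 "
    "was rejected, Internal error: failed to parse searching result",
    "wgcgi sslvpn_auth_domain_get, username:alice, domain:domain.mfa",
    "admd Authentication of SSLVPN user [alice@domain.mfa] from 192.0.2.11 was accepted",
]

if __name__ == "__main__":
    expected = "domain.mfa"  # assumed name of the MFA RADIUS server, as in the post
    for a in parse_attempts(SAMPLE_LOG):
        flag = "" if a.resolved_domain == expected else "  <-- not the MFA domain"
        print(f"{a.user}: domain={a.resolved_domain} result={a.result} "
              f"reason={a.reason!r} notes={a.notes}{flag}")
```

The check deliberately keys on the `sslvpn_auth_domain_get` line, because that is where the Firebox has already decided which authentication server the login belongs to; everything admd reports afterwards (group membership, LDAP search errors) is evaluated against that domain.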