Options

AD ldap and Watchguard radius to AD authentication servers with sslvpn

rv@kaufmann.dkrv@kaufmann.dk
in Firebox - VPN Mobile User

Hi,

I have sslvpn access running with authentication working up against our Microsoft AD. The authentication server is configured as Active Directory and is the primary (default) authentication server on the sslvpn client configuration.

I have added a radius authentication server to use for AuthPoint which authenticate up against the AuthPoint gateway towards our MS AD. This is also working as expected.

Then i have a AD security group (test-group) where a test user is assigned. This group is synced up against Authpoint portal and the test user has a activated MFA token.
The same group is added to the firewall users and groups and assigned the above MFA radius authentication server. This is also working as expected.

If i enabled the MFA radius authentication server on the sslvpn configuration (non default) and enabled the test-group, then if i login with the MFA test user, i do not succeed.

It looks as fireware authenticate the user using the wrong authentication server which is the one configured as Active Directory and not the one using the radius for Authpoint gateway.

sessiond Session not found: type=3, userIp=87.49.44.176, userMac=, userId=, authDomain=, vpnVirtAddr=0.0.0.0
sessiond Session not found: type=3, userIp=87.49.44.176, userMac=, userId=(null), authDomain=Firebox-DB, vpnVirtAddr=0.0.0.0
wgcgi device_session_find, userId=(null), auth domain=Firebox-DB
wgcgi generate_sslvpn_cookie: username:test-user, len(password):12, domain:domain.local
wgcgi sslvpn_auth_domain_get, username:test-user, domain:domain.local
wgcgi SSL VPN user test-user@domain.local from 87.49.44.176 was rejected - generic error

admd Authentication failed, SSLVPN session, but user bredana10@domain.local isn't in the authorized SSLVPN group/user list! (domain.local = active directory auth server)

admd Authentication of SSLVPN user [test-user@domain.local] from 80.62.117.206 was rejected, Internal error: failed to parse searching result

My MFA radius authentication server in fireware is called domain.mfa so i would expect the admd process to shows authentication with @domain.mfa

Is it not possible to have both AD and radius authentication at the same time with sslvpn?

The test-user is only member of 1 group, the test group, which is synced to AuthPoint.

Regards
Robert

Comments

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @rv@kaufmann.dk

    You'll need to specify the auth server for the non-default auth server. You can do that as so:

    Active Directory — ad1_example.com\j_smith

    Firebox-DB — Firebox-DB\j_smith

    AuthPoint (Fireware v12.7 or higher) — authpoint\jsmith

    RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.

    RADIUS (Fireware v12.4.1 or lower) — RADIUS\j_smith. You must always type RADIUS.

    The examples these are from are about in the middle of this article:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html

    So if my AD domain is entered in as james.local and isn't the default SSLVPN auth server, I'd need to type in "james.local\james" as my user.

    Note that "AuthPoint" server is for the authpoint integration -- if you're using AuthPoint via a RADIUS server (the authpoint gateway) you need to choose your RADIUS server.

    -James Carson
    WatchGuard Customer Support

  • Options
    rv@kaufmann.dkrv@kaufmann.dk

    @james.carson

    Ahh, thank you. Of cause, missed that part!

    /Robert

Sign In to comment.