AuthPoint, Active directory, SSO and authentication on port 4100

Hi,

Fireware 12.7.2

We have enabled AuthPoint on all our devices and it's working. I am using the AuthPoint integration where all communication is using HTTPS and not RADIUS.

We are also using SSO on all our devices which is also working as expected.

On many of our remote devices we are also using authentication on the firebox port 4100 which is also working with AuthPoint as expected.

Here is my issue. For SSO to Active Directory to work, I have to have an AD authentication server enabled and configured, or else I get this error:

admd SSO: domain XXX doesn't exist on the appliance, ignore this SSO event/log.

But as long as I have an AD authentication server enabled, I am also able to authenticate on port 4100 without AuthPoint being invoked. Of course I can remove the AD groups from the firewall, but this will give me other issues with my policies.

I do not think SSO works with RADIUS to AD when I am using the Windows SSO agent.

With the SSL VPN configuration it's easy to configure which auth servers are enabled, but this is not an option with port 4100 authentication.

Any recommendations or hints on how I can get around this issue?

/Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @rv@kaufmann.dk

    There isn't currently a way to specify what auth groups show up on the 4100 auth page. There is an open feature request to allow that in the future, and it's FBX-4152.

    If you're looking for a way to restrict remote users to only being able to come in via AuthPoint, I'd suggest having them use one of the Mobile VPN options. The VPNs allow you to specify allowed authentication servers.

    -James Carson
    WatchGuard Customer Support
