Authentication problems with MS NPS RADIUS and MS MFA on FireBox
Hi everyone,
I'm setting up a FireBox SSLVPN connection with authentication via MS NPS RADIUS and MS MFA. When I try to connect using the Firebox SSL client it returns the messages below:
2022-08-02 08:55:45 admd Authentication of SSLVPN user [robson.ferraz@iteris.local] from 179.191.101.70 was rejected, user isn't in the right group msg_id="1100-0005" Event
2022-08-02 08:55:45 wgcgi SSL VPN user robson.ferraz@iteris.local from 179.191.101.70 was rejected - Unspecified. Debug
My MS NPS server is configured to allow connections only for a specific security group. I configured a security group in "Users and Groups" in FireBox, and when I check Event Viewer, all of the logs say that the user's connection was accepted and allowed, but FireBox doesn't allow the access.
If I configure a user login in FireBox, without a group, the connection is established without problems.
I enabled "Diagnostic Tasks" TCP Dump with the argument "-i eth0 host 172.30.1.6 -vv" and it returned the result below:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:28:39.605159 IP (tos 0x0, ttl 64, id 24635, offset 0, flags [DF], proto UDP (17), length 93)
172.22.0.6.51901 > 172.30.1.6.1812: [bad udp cksum 0x599b -> 0x6524!] RADIUS, length: 65
Access-Request (1), id: 0x0e, Authenticator: 69b29144c4df200caf308e7e5be95c33
User-Name Attribute (1), length: 15, Value: robson.ferraz
0x0000: 726f 6273 6f6e 2e66 6572 7261 7a
User-Password Attribute (2), length: 18, Value:
0x0000: 0c0e 6006 6352 a43b 8b3a 01db 3019 a4c6
NAS-IP-Address Attribute (4), length: 6, Value: 172.22.0.6
0x0000: ac16 0006
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000
17:28:41.241146 IP (tos 0x0, ttl 128, id 38683, offset 0, flags [none], proto UDP (17), length 126)
172.30.1.6.1812 > 172.22.0.6.51901: [udp sum ok] RADIUS, length: 98
Access-Challenge (11), id: 0x0e, Authenticator: f702caf950bb29a9b5e74ed9f5de7033
Reply-Message Attribute (18), length: 40, Value: Enter Your Microsoft verification code
0x0000: 456e 7465 7220 596f 7572 204d 6963 726f
0x0010: 736f 6674 2076 6572 6966 6963 6174 696f
0x0020: 6e20 636f 6465
State Attribute (24), length: 38, Value: 230f9305-4fd7-42d2-b1aa-4087325bb55a
0x0000: 3233 3066 3933 3035 2d34 6664 372d 3432
0x0010: 6432 2d62 3161 612d 3430 3837 3332 3562
0x0020: 6235 3561
17:28:52.006493 IP (tos 0x0, ttl 64, id 26961, offset 0, flags [DF], proto UDP (17), length 131)
172.22.0.6.51901 > 172.30.1.6.1812: [bad udp cksum 0x59c1 -> 0xef23!] RADIUS, length: 103
Access-Request (1), id: 0x0e, Authenticator: 158a6158a5dbf57a293b7575d7056007
User-Name Attribute (1), length: 15, Value: robson.ferraz
0x0000: 726f 6273 6f6e 2e66 6572 7261 7a
User-Password Attribute (2), length: 18, Value:
0x0000: d04b 148a 39bb f44a 99e5 fa16 ee7d 12cf
NAS-IP-Address Attribute (4), length: 6, Value: 172.22.0.6
0x0000: ac16 0006
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000
State Attribute (24), length: 38, Value: 230f9305-4fd7-42d2-b1aa-4087325bb55a
0x0000: 3233 3066 3933 3035 2d34 6664 372d 3432
0x0010: 6432 2d62 3161 612d 3430 3837 3332 3562
0x0020: 6235 3561
17:28:54.543058 IP (tos 0x0, ttl 128, id 38684, offset 0, flags [none], proto UDP (17), length 94)
172.30.1.6.1812 > 172.22.0.6.51901: [udp sum ok] RADIUS, length: 66
Access-Accept (2), id: 0x0e, Authenticator: c397370ad041db540c533d99950eab7d
Class Attribute (25), length: 46, Value: ...l
0x0000: b6cb 0a6c 0000 0137 0001 0200 ac1e 0106
0x0010: 0000 0000 f548 95e7 467f 36fb 01d8 a2c2
0x0020: b05d 9d22 0000 0000 0000 00a7
My NPS server informs the Firebox that the access was allowed. Could someone help me find out the problem?
Comments
The default group name is SSLVPN-Users.
You can change the group name to be used in the SSLVPN setup but the name must match in the firewall config and in your NPS settings.
You need to have the NPS set up return the group name in FilterID, which is RADIUS attribute 11.
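As an added example (not code from the thread or from WatchGuard), the following Python rebuilds the Access-Accept from the tcpdump above and runs the check Bruce describes: is Filter-Id (attribute 11) present, and does it match the group name configured on the Firebox? The expected group name and the second, corrected packet are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2    # RADIUS code for Access-Accept
ATTR_FILTER_ID = 11  # Filter-Id: the attribute the Firebox reads the group name from
ATTR_CLASS = 25      # Class: the only attribute present in the captured reply

def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def check_group_attribute(packet: bytes, expected_group: str) -> str:
    """Return 'ok', 'no-filter-id', 'group-mismatch' or 'not-accept'. The Firebox compares
    Filter-Id with the group configured in Users and Groups, so an Accept without it
    is rejected with "user isn't in the right group" even though NPS said yes."""
    msg = parse_radius(packet)
    if msg["code"] != ACCESS_ACCEPT:
        return "not-accept"
    groups = [v.decode("utf-8", "replace") for t, v in msg["attrs"] if t == ATTR_FILTER_ID]
    if not groups:
        return "no-filter-id"
    return "ok" if expected_group in groups else "group-mismatch"

def build_accept(ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble an Access-Accept from (type, value) pairs. The Response Authenticator is
    taken as given; validating it needs the shared secret, which the thread does not show."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body

# Access-Accept rebuilt from the tcpdump in the thread: id 0x0e, a Class attribute and nothing else.
AUTHENTICATOR = bytes.fromhex("c397370ad041db540c533d99950eab7d")
CLASS_VALUE = bytes.fromhex("b6cb 0a6c 0000 0137 0001 0200 ac1e 0106"
                            "0000 0000 f548 95e7 467f 36fb 01d8 a2c2"
                            "b05d 9d22 0000 0000 0000 00a7")
CAPTURED_ACCEPT = build_accept(0x0e, AUTHENTICATOR, [(ATTR_CLASS, CLASS_VALUE)])

# Constructed counterpart (not from the capture): the same reply with Filter-Id added.
EXPECTED_GROUP = "Watchguard VPN SSL Iteris"
FIXED_ACCEPT = build_accept(0x0e, AUTHENTICATOR, [(ATTR_CLASS, CLASS_VALUE),
                                                   (ATTR_FILTER_ID, EXPECTED_GROUP.encode())])
```

Running `check_group_attribute(CAPTURED_ACCEPT, EXPECTED_GROUP)` on the captured reply reports that no Filter-Id was returned, which is exactly the condition the Firebox log describes.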
Hi Bruce Briggs, thanks for your attention. The group name that is used in the SSLVPN setup matches in the firewall config and in the NPS settings, including spaces and uppercase and lowercase letters. The NPS setup is returning the group name in Filter-Id, which is RADIUS attribute 11.
Attributes:
Name             Value
Class            11
Filter-Id        Watchguard VPN SSL Iteris
Framed-Protocol  PPP
Service-Type     Framed
On FireBox, in Setup -> Authentication -> Users and Groups, the configuration of the group is below:
Name: Watchguard VPN SSL Iteris
Type: Group
Authentication Server: iteris.local
I think all of the configurations are correct, but the FireBox returns a failure error saying the user is not in the group.
When I disable MFA, everything works ok.
I can't understand what is wrong.
I might have missed it, but have you validated the NPS server logs to see if the user is indeed being sent back the proper group that you have specified in NPS? I have one user who, for whatever reason, is not being sent back the group to the Firebox, but 30 other users in the same group are working just fine. It seems like a bug in NPS. But the NPS log should for sure confirm that you're matching the groups right.
Consider opening a support case to get help from a WG rep to resolve this.
Hi Robson,
I'm having the same issues. When I go for OTP, the user is not granted access because the user is not part of the right group. Wireshark shows that the attribute is not being returned to the Firebox.
Also, the registry OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE is not working. SSLVPN client keeps asking for OTP token.
Kind regards,
Gary
Azure MFA authentication options.
PAP supports all authentication methods of Azure AD MFA:
CHAPV2 and EAP support only:
WG sslvpn uses PAP and IKEv2 uses CHAPv2.
WG mobilevpn needs a Filter-ID attribute from the RADIUS server, so that it knows which policies it should open.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension
"…when the MFA Extension is installed on the NPS server, the NPS is unable to send back user defined attributes to the RADIUS clients when the users Auth Method requires the use of a One Time Passcode(OTP), such as SMS, Authenticator App Passcode or Hardware FOB."
"regardless of the authentication protocol that's used (PAP, CHAP, or EAP), if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed. But any RADIUS attributes that are configured in the Network Access Policy are not forwarded to the RADIUS client (the Network Access Device, like the VPN gateway)."
Luckily there’s a workaround.
“As a workaround, you can run the CrpUsernameStuffing script to forward RADIUS attributes that are configured in the Network Access Policy and allow MFA when the user's authentication method requires the use of a One-Time Passcode (OTP), such as SMS, a Microsoft Authenticator passcode, or a hardware FOB.”
https://github.com/OneMoreNate/CrpUsernameStuffing
https://www.youtube.com/watch?v=7be2yuOwUHs
For a quick test you can only configure in the "Connection Request Policy" the mobilevpn Username with the right Filter-ID.