Clarification on RADIUS settings

I would like some clarification on the capabilities of RADIUS Authentication when it comes to IKEv2 VPN access.

I have successfully been able to configure the RADIUS/NPS settings for both the Firewall and our local AD Server. I can Manually add **Users **to the RADIUS Group in the Firewall and they will successfully authenticate.

My question is, since I setup a user Group in AD called "Staff-RADIUS" should i just be able to add that same group to the Firewall as a Group and anyone in the group should be able to authenticate via RADIUS, Or do I really need to add every user in our domain that needs to be able to use the RADIUS Authentication?


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Uncluesteve
    The firewall will look for the group information in RADIUS attribute 11 (Also called "FilterID" sometimes) -- so if whatever group you specified is there, you don't need to add them to the group in the firewall.

    If you're using Microsoft's NPS, you can set it up to respond with your group name as attribute 11 across the board, or if the user meets specific criteria. If you're using another RADIUS server, see the documentation for it to see if it'll reply with info populated in attribute 11.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.