Unable to add Active Directory auth server for IKEv2
Hi,
I am attempting to set up a new IKEv2 mobile VPN and I am unable to tick the AD auth server tab. It is greyed out...
Comments
AD authentication is not an option.
You can use RADIUS, which can then access your AD.
Mobile VPN with IKEv2
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_about_c.html
For more info, see this:
RADIUS Authentication with Active Directory For Mobile VPN Users
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/radius_a-d_mvpn_l2tp-pptp_c.html
This is specifically due to how the password is encoded in transit. RADIUS is required so that the Firebox can hand the hashed password off to the authentication server without tampering with it. It keeps the password secure and protects the users. This usually ends up being via NPS since it's a role that's available for any recent Windows server. It's also possible to use other solutions such as FreeRADIUS if you prefer.
If you'd prefer to use straight AD authentication, the IPSec (IKEv1) and SSLVPN VPNs will be your best option. Since we have our own clients for those options, we can control how the password is encoded and pass it off to AD directly.
-James Carson
WatchGuard Customer Support
Thanks for the comments, I was beginning to think that was the case. So would I create the RADIUS server, or do clients usually have their own RADIUS server already set up for such things?
On the customer's AD Windows server, just configure the Network Policy and Access Services (NPS) role.
For how to set up NPS, just google, for example, “windows NPS install” and you will find a lot of guides on how to set up NPS, like this one:
https://www.sysadmintutorials.com/tutorials/microsoft/windows-2008-r2/how-to-install-and-configure-network-policy-server-nps/
Read also “Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory”:
https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZlhSAG&type=KBArticle