RADIUS authentication works when authenticating manually on Windows but not with logged-in credentials

Hi everyone,

I'm trying to get Windows to connect to the WatchGuard through IKEv2.
If I connect manually to the VPN and enter my credentials, everything works fine.
If I check "Automatically use my Windows logon name and password", it does not work...
This is the log from the successful login:
<Event>
<Timestamp data_type="4">10/18/2022 13:51:29.025</Timestamp>
<Computer-Name data_type="1">RADIUSSERVER</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Service-Type data_type="0">2</Service-Type>
<Framed-Protocol data_type="0">1</Framed-Protocol>
<User-Name data_type="1">username</User-Name>
<NAS-IP-Address data_type="3">WatchguardIP</NAS-IP-Address>
<NAS-Port data_type="0">0</NAS-Port>
<Client-IP-Address data_type="3">WatchguardIP</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">WG-M590</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<SAM-Account-Name data_type="1">DOMAIN\username</SAM-Account-Name>
<Authentication-Type data_type="0">4</Authentication-Type>
<Class data_type="1">311 1 RadiusIP 10/14/2022 02:01:49 199179</Class>
<Fully-Qualifed-User-Name data_type="1">DOMAIN/path/FullName</Fully-Qualifed-User-Name>
<NP-Policy-Name data_type="1">VPN Policy</NP-Policy-Name>
<Packet-Type data_type="0">1</Packet-Type>
<Reason-Code data_type="0">0</Reason-Code>
</Event>

And this is the log with the failed attempt:
<Event>
<Timestamp data_type="4">10/18/2022 13:51:04.716</Timestamp>
<Computer-Name data_type="1">RADIUSSERVER</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 RadiusIP 10/14/2022 02:01:49 199155</Class>
<Authentication-Type data_type="0">4</Authentication-Type>
<Fully-Qualifed-User-Name data_type="1">DOMAIN\username</Fully-Qualifed-User-Name>
<Client-IP-Address data_type="3">WatchguardIP</Client-IP-Address>
<Client-Vendor data_type="0">0</Client-Vendor>
<Client-Friendly-Name data_type="1">WG-M590</Client-Friendly-Name>
<SAM-Account-Name data_type="1">DOMAIN\username</SAM-Account-Name>
<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">16</Reason-Code>
</Event>

I think it has something to do with the setting to use the Windows credentials sending "DOMAIN\username" instead of "username". But I have no idea how I can fix this.

Do you guys have an idea?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @BKG

    The firewall will attempt to interpret the domain name as the server name and match it against its internal list of authentication servers. Windows will often try to append the domain after the user via UPN style (user@domain.xyz for example), which the Firebox won't know what to do with.

    If you can get windows to just supply the username, that would likely work the best.

    -James Carson
    WatchGuard Customer Support

  • Hi,

    Yep, Windows sends the Windows credentials as: "DOMAIN\username"
    Notice the capital letters...

    So if you want to use the "Automatically use my Windows logon name and password" mode with IKEv2, configure the domain name with capital letters in the RADIUS settings.

    See attached images.
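    As an added example (not code from the thread or from WatchGuard), a small Python parser for NPS IAS-XML events like the two above: it flags an Access-Reject with reason code 16 and compares the domain prefix the client supplied against the domain name configured on the Firebox with a case-sensitive comparison, which is what the fix in the thread relies on. The two sample events are constructed from the logs in the post, and `configured_domain` is an assumed parameter.

```python
import xml.etree.ElementTree as ET

# RADIUS packet codes (RFC 2865) and the NPS reason code from the failed event;
# NPS documents 16 as "user credentials mismatch" (unknown user or bad password).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
REASON_CREDENTIALS_MISMATCH = 16

# Constructed sample events in NPS IAS-XML format, reduced from the two log
# lines in the post (same placeholders, only the attributes used below kept).
ACCEPTED = """<Event>
 <Packet-Type data_type="0">1</Packet-Type>
 <User-Name data_type="1">username</User-Name>
 <SAM-Account-Name data_type="1">DOMAIN\\username</SAM-Account-Name>
 <Reason-Code data_type="0">0</Reason-Code>
</Event>"""
REJECTED = """<Event>
 <Packet-Type data_type="0">3</Packet-Type>
 <Fully-Qualifed-User-Name data_type="1">DOMAIN\\username</Fully-Qualifed-User-Name>
 <SAM-Account-Name data_type="1">DOMAIN\\username</SAM-Account-Name>
 <Reason-Code data_type="0">16</Reason-Code>
</Event>"""

def parse_event(xml_text):
    """Flatten one <Event> element into {attribute-name: text}."""
    return {child.tag: (child.text or "") for child in ET.fromstring(xml_text)}

def client_supplied_name(event):
    """Name as the Firebox forwarded it: User-Name if logged, else the FQ name."""
    return event.get("User-Name") or event.get("Fully-Qualifed-User-Name", "")

def split_realm(account):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); a bare 'user' -> ('', 'user')."""
    domain, sep, user = account.rpartition("\\")
    return (domain, user) if sep else ("", account)

def triage(event, configured_domain):
    """Summarise one event; configured_domain (assumed) is the domain name entered
    in the Firebox RADIUS settings, compared case-sensitively as the thread found."""
    domain, user = split_realm(client_supplied_name(event))
    reason = int(event.get("Reason-Code", 0))
    return {
        "packet": PACKET_TYPES.get(int(event.get("Packet-Type", 0)), "unknown"),
        "reason": reason,
        "user": user,
        "domain_sent": domain,
        "domain_matches": domain == "" or domain == configured_domain,
        "credentials_mismatch": reason == REASON_CREDENTIALS_MISMATCH,
    }
```

    Running `triage(parse_event(REJECTED), "domain")` reports the reject with `domain_sent` "DOMAIN" and `domain_matches` False; the same event against "DOMAIN" matches, mirroring the capitalisation fix.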
