Multiple groups

Hi

Are there any plans to support multiple user groups for MS AD users?

Robert

Comments

  • james.carson (Moderator, WatchGuard Representative)

    Hi @Robert_Vilhelmsen
    At this time there are no plans on supporting multiple groups per user inside of AuthPoint.

    -James Carson
    WatchGuard Customer Support

  • @james.carson

    Thanks. My issue is that the groups assigned to users in the AuthPoint portal (in this case myself) seem to change from time to time when a sync from LDAP AD is done (every 30 minutes) when the user(s) are members of multiple groups in AD.

    I think this happened after I upgraded AuthPoint gateways to 7.2.1-649.

    This has caused my IKEv2 connections to the Firebox to report "user not in right group" sometimes. For now I have fixed it by creating these groups on the FB and adding them as allowed IKEv2 authentication groups.

  • james.carson (Moderator, WatchGuard Representative)

    Hi @Robert_Vilhelmsen
    I'd suggest opening a support case so that we can look into what's happening. Users generally should not be swapping groups in the manner you're describing, and we'd need to look at the LDAP sync logs on the system to determine what's going on there.

    -James Carson
    WatchGuard Customer Support

  • edited September 2023

    @james.carson

    I'll do.

    Do you know what this error means when connecting with IKEv2 and authentication is done through AuthPoint to MS NPS?

    2023-09-07 21:35:20 admd ready to end authentication session with error code 38
    admd RADIUS: retrieve VP:MS-CHAP-Error(20381698)

    I have a feeling it has something to do with group membership, but the same user connecting with sslvpn works.

  • james.carson (Moderator, WatchGuard Representative)

    Hi @Robert_Vilhelmsen the error "MS-CHAP-Error(20381698)" is likely just being piped in from the response of your NPS server.
    I would suggest looking in your authentication logs on that server to see if there's any more info.

    -James Carson
    WatchGuard Customer Support

  • I'll dig deeper. Thanks.

  • @james.carson

    Ended up using tcpdump which showed me this error:
    VSA: t=MS-CHAP-Error(2) l=16 val=\000E=691 R=0 V=3

    I am not sure what caused it in the end, but I went over all settings in AuthPoint and NPS and at the same time got MS-CHAPv2 enabled in NPS, and now it is working from my Apple device.

    The NPS logs did not show anything interesting, nor did Fireware - only tcpdump gave me a useful message.

    Which leads me to this question: I see Fortinet and SonicWalls do show the actual NPS error message as above instead of Fireware's error code 38 and MS-CHAP-Error(20381698).
    Could this be a bug where Fireware does not interpret the returned NPS string correctly?

    /Robert
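As an added illustration (not code from the thread or from WatchGuard) of what the tcpdump line above carries: a parser for the Microsoft MS-CHAP-Error Vendor-Specific RADIUS attribute (RFC 2548: Vendor-Id 311, Vendor-Type 2, an Ident octet, then the "E=... R=... V=..." string whose E codes are listed in RFC 2759). The sample attribute bytes are constructed to match the captured value; the reading of Fireware's number 20381698 as (311 << 16) | 2 is my own inference from the arithmetic, not documented behaviour.

```python
import re
import struct

MS_VENDOR_ID = 311   # Microsoft (RFC 2548)
MS_CHAP_ERROR = 2    # Vendor-Type of MS-CHAP-Error
RADIUS_VSA = 26      # RADIUS Vendor-Specific attribute type

# Failure codes an MS-CHAP-V2 authenticator may return (RFC 2759, section 6).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def build_sample_attribute() -> bytes:
    """Constructed sample: the VSA tcpdump printed as
    't=MS-CHAP-Error(2) l=16 val=\\000E=691 R=0 V=3'."""
    payload = b"\x00" + b"E=691 R=0 V=3"                     # Ident + string
    vsa = struct.pack("!BB", MS_CHAP_ERROR, 2 + len(payload)) + payload  # l=16
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(vsa), MS_VENDOR_ID) + vsa

def parse_mschap_error(attr: bytes) -> dict:
    """Decode one Microsoft MS-CHAP-Error attribute into its fields."""
    atype, alen, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != RADIUS_VSA or alen != len(attr) or vendor_id != MS_VENDOR_ID:
        raise ValueError("not a Microsoft Vendor-Specific attribute")
    vtype, vlen = attr[6], attr[7]
    if vtype != MS_CHAP_ERROR or vlen != len(attr) - 6:
        raise ValueError("not an MS-CHAP-Error sub-attribute")
    ident = attr[8]
    text = attr[9:].decode("ascii")
    # C= (challenge) and M= (message) are optional in the failure string.
    m = re.match(r"E=(\d+) R=(\d) (?:C=([0-9A-Fa-f]{32}) )?V=(\d+)(?: M=(.*))?$", text)
    if not m:
        raise ValueError(f"unexpected MS-CHAP-Error string: {text!r}")
    code = int(m.group(1))
    return {
        "ident": ident,
        "code": code,
        "meaning": MSCHAP_ERROR_CODES.get(code, "unknown"),
        "retry_allowed": m.group(2) == "1",
        "version": int(m.group(4)),
        "message": m.group(5),
    }

def split_fireware_vsa_number(n: int) -> tuple:
    """Assumption: Fireware's 'MS-CHAP-Error(20381698)' packs vendor id and
    vendor type as (vendor_id << 16) | vendor_type; 20381698 -> (311, 2)."""
    return n >> 16, n & 0xFFFF
```

Run over a real Access-Reject, the E code (here 691, a plain credential/authentication failure) is the detail the Firebox log line does not surface.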

  • james.carson (Moderator, WatchGuard Representative)

    Hi @Robert_Vilhelmsen

    It looks like we do supply some info if the log level is turned up to WARNING and the reason is a recognized one.

    https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_8.pdf (see pages 110-111)

    I would not expect the firebox to pipe the exact output of the error into the firebox logs, mostly due to that being a potential vector for an exploit/abuse.

    If NPS isn't logging its own error, I'd suggest that the problem might lie there.

    -James Carson
    WatchGuard Customer Support
