Multiple Authentication Servers for ikev2 MUVPN failing

I'm attempting to migrate users for ikev2 muvpn from firebox-db users to RADIUS / AD Authentication. I have confirmed my RADIUS setup is working.
I will be moving these users in batches as I coordinate with them but for now would like to keep some authenticating against firebox-db and others against the RADIUS server (Windows 2019 with NPS) as I move them over.
The issue I'm having is a RADIUS / AD user cannot authenticate if the default Authentication Server is set to Firebox-DB (in the muvpn ikev2 settings in WSM) even though I have the RADIUS server also ticked off as an authentication server. Checking the logs it appears this user is trying to authenticate as a Firebox-db user (user@firebox-db) instead of the RADIUS / AD user (user@radiusdomain).
If I change the default authentication server to the RADIUS / AD Server, these AD users can authenticate, but none of the firebox-db users. Logs here show all users attempting to authenticate as RADIUS domain (user@radiusdomain vs user@firebox-db) instead of the firebox-db user they currently belong to. Any help resolving this is appreciated.

Comments

  • You need to include info for the alternate auth server in the login name.

    To use an authentication server other than the default one:

    Firebox-DB — Firebox-DB\j_smith

    RADIUS (Fireware v12.5 or higher) — rad1.example.com\j_smith or RADIUS\j_smith. You must type the domain name specified in the RADIUS settings on Firebox.

    See the "To use another authentication server" section, here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html

  • Bruce,

    I hope you get a lot of WG schwag for all the contributions you make to this WG community. (Or free renewals for your “total” security subscriptions.)

    I’ll test this out tomorrow but suspect your guidance is correct. I was hoping to “have my cake and eat it too” without having to change each user’s login credentials to move them over to another auth server and then go back and remove the authserver\ prefix once I’ve moved them over. But it is what it is. At least I can test this way. My ultimate goal is to provide azure ad mfa for vpn logins via the windows nps entra id extension.

  • Confirmed, this worked. Thanks again for the info.
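The login-name rule from the first comment above, as an added example (not code from the thread or from WatchGuard): a small model of how the `server\user` prefix selects the authentication server, plus a helper that tells each user in a migration batch what to type while two servers are enabled. The default server, the RADIUS domain name and the handling of unknown prefixes are assumptions for illustration.

```python
# Added example modelling the behaviour described in the thread; not Fireware code.
DEFAULT_SERVER = "Firebox-DB"        # assumed: default server in the IKEv2 MUVPN settings
RADIUS_DOMAIN = "rad1.example.com"   # assumed: domain name set in the Firebox RADIUS settings


def resolve_auth_server(login, default_server=DEFAULT_SERVER, radius_domain=RADIUS_DOMAIN):
    """Return (server, username) for a typed login name.

    No prefix          -> the default server (why a RADIUS user lands on Firebox-DB)
    Firebox-DB\\user    -> Firebox-DB
    <radius_domain>\\u  -> the RADIUS server (RADIUS\\u is also accepted, per the
                          comment above); other prefixes are treated as a typo.
    """
    if "\\" not in login:
        return default_server, login
    prefix, user = login.split("\\", 1)
    if prefix.lower() == "firebox-db":
        return "Firebox-DB", user
    if prefix.lower() in ("radius", radius_domain.lower()):
        return radius_domain, user
    # Assumption: a prefix that matches no configured server is rejected.
    raise ValueError(f"unknown authentication server prefix: {prefix!r}")


def login_name_for(user, server, default_server=DEFAULT_SERVER, radius_domain=RADIUS_DOMAIN):
    """Login name a user on `server` must type while `default_server` is the default."""
    if server == default_server:
        return user
    prefix = "Firebox-DB" if server == "Firebox-DB" else radius_domain
    return f"{prefix}\\{user}"


def migration_plan(users, default_server=DEFAULT_SERVER, radius_domain=RADIUS_DOMAIN):
    """Map each user to the login name they need during the staged migration."""
    return {u: login_name_for(u, s, default_server, radius_domain) for u, s in users.items()}


if __name__ == "__main__":
    # Constructed sample batch: two users still on Firebox-DB, one already moved.
    batch = {"alice": "Firebox-DB", "bob": "Firebox-DB", "carol": RADIUS_DOMAIN}
    for user, login in migration_plan(batch).items():
        print(f"{user:6} types {login!r:32} -> {resolve_auth_server(login)[0]}")
```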
