Would be very neat if we could utilize Firebox-DB for AuthPoint, especially for smaller clients who don't have AD or have the need to run a RADIUS server (in a P2P environment).
Fireware 12.5 Update 1 build 599856
WSM 12.5 build 596863
ISP = Spectrum Cable 100 x 10 service
Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2
You can't use Firebox-DB; however, you can create users in AuthPoint manually, which will accomplish the same thing: having the user exist without an LDAP server.
*Note that this will not work for Office 365, as that type of account requires a UUID made by an Active Directory server.
WatchGuard Customer Support
I must be missing something here. How does having a manually-added user in AuthPoint allow someone to log into the firewall with 2FA, if there are no Firebox-DB users that match? Or is that not what you meant by "You can't use Firebox-DB"?
You'd have to use a manual user list in AuthPoint, but it doesn't require AD. It's basically the Firebox-DB but in the cloud.
So how would that AuthPoint cloud database tie into a login attempt on the Firebox to do 2FA?
Firebox-DB would not tie in; you would need to use the AuthPoint database instead. This would, however, allow you to use MFA without having an agent or an AD server, which is what the customer mentioned was the limiting factor.
I use my Windows RADIUS server in Active Directory and Duo 2FA with my SSLVPN. I log into my Firebox, then it does its 2FA and I get a push notice in Duo on my phone. I OK it, and the SSLVPN connects.
In a non-AD, non-RADIUS setup such as the OP mentioned, I cannot grasp how AuthPoint would be the second factor if it has no tie-in to the Firebox I am logging into for the SSLVPN. With what you described, what would be the SSLVPN login process?
Hi Greg, SSLVPN would connect via RADIUS (the AuthPoint Gateway acts as the local RADIUS server).
Hmm. I am going to have to fix my AuthPoint setup and test it. It says my licenses are expired or something like that. Haven't looked at it for a while, but it works with logging into this site and the support site.
With a local Gateway as RADIUS server this works indeed, as it's not dependent on AD. I'd recommend naming your AuthPoint group (case-sensitive) "SSLVPN-Users", as that's the default group used by the Firebox. Once that works you can change it on both ends if you like.