Utilize AuthPoint with Firebox-DB

Would be very neat if we could utilize Firebox-DB for AuthPoint, especially for smaller clients who don't have AD or have the need to run a RADIUS server (in a P2P environment).

Comments

  • I agree.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • James_Carson WatchGuard Representative

    Hi @CrazyCDN
    You can't use Firebox-DB; however, you can make users on AuthPoint manually, which will accomplish the same thing: having the user exist without an LDAP server.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add-users-manually.html

    *Note that this will not work for Office 365, as that type of account requires a UUID made by an Active Directory server.

    -James Carson
    WatchGuard Customer Support

  • James,

    I must be missing something here. How does having a manually-added user in AuthPoint allow someone to log into the firewall with 2FA, if there are no Firebox-DB users that match? Or is that not what you meant by "You can't use Firebox-DB"?

    Gregg Hill


  • James_Carson WatchGuard Representative

    Hi Gregg,

    You'd have to use a manual user list in AuthPoint, but it doesn't require AD. It's basically the Firebox-DB but in the cloud.

    -James Carson
    WatchGuard Customer Support

  • So how would that AuthPoint cloud database tie into a login attempt on the Firebox to do 2FA?

    Gregg Hill


  • James_Carson WatchGuard Representative

    Hi Gregg.

    Firebox-DB would not tie in; you would need to use the AuthPoint database instead. This would, however, allow you to use MFA without having an agent or having an AD server, which is what the customer mentioned was the limiting factor.

    -James Carson
    WatchGuard Customer Support

  • James,

    I use my Windows RADIUS server in Active Directory and Duo 2FA with my SSLVPN. I log into my Firebox, then it does its 2FA and I get a push notice in Duo on my phone. I OK it, and the SSLVPN connects.

    In a non-AD, non-RADIUS setup such as the OP mentioned, I cannot grasp how AuthPoint would be the second factor if it has no tie-in to the Firebox I am logging into for the SSLVPN. With what you described, what would be the SSLVPN login process?

    Gregg Hill


  • James_Carson WatchGuard Representative

    Hi Gregg, SSLVPN would connect via RADIUS (the AuthPoint Gateway acts as the local RADIUS server).

    -James Carson
    WatchGuard Customer Support

  • Hmm. I am going to have to fix my AuthPoint setup and test it. It says my licenses are expired or something like that. Haven't looked at it for a while, but it works with logging into this site and the support site.

    Gregg Hill


  • MartijnN WatchGuard Representative

    With a local Gateway as RADIUS server this works indeed as it's not dependent on AD. I'd recommend naming your AuthPoint group case sensitive "SSLVPN-Users" as that's the default group being used by the Firebox. Once that works you can change it on both ends if you like.

  • AuthPoint support directly inside the Firebox, without the need of the AuthPoint Gateway, is coming up in Q4. Stay tuned!

  • @Alexandre_Cagnoni said:
    AuthPoint support directly inside the Firebox, without the need of the AuthPoint Gateway, is coming up in Q4. Stay tuned!

    Now you're just talking dirty to me.

    Will this be in a Fireware beta, or a separate AuthPoint beta?

    Gregg Hill

