SSLVPN + Authpoint needs to work over CGNAT
My company decided to implement MFA for the VPN connections of users working remotely. We chose Authpoint because it integrated with our existing Watchguard Firebox and SSLVPN solution.
Some users could not use the mobile app so we purchased some hardware tokens. It just so happens that one of these users has T-Mobile 5G Internet which uses carrier-grade NAT.
When the user connects with their user name and password, they are prompted for the code from the hardware key, and they enter it. But because of the carrier grade NAT, the second response comes from a different IP address from the first response and the authentication is rejected.
I had a Watchguard support case stretch out over a couple of weeks where we tried various alternatives, and the only thing that worked was moving the user off of Authpoint and authenticating directly with the Firebox using user name and password.
More and more Internet providers are going to start using carrier-grade NAT to save costs and so Watchguard is going to have to deal with this.
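Added illustration, not WatchGuard or AuthPoint code (the post does not show their internals): a toy server for the two-step exchange the post describes, which stores the pending MFA challenge after the password step and either binds it to the client source IP, failing when the OTP arrives from a second CGNAT address, or to an opaque challenge id, which accepts it and still logs the address change for detection. The user, password, OTP and 100.64.0.0/10 (shared CGNAT space) addresses are constructed sample values.

```python
"""Toy model of the SSLVPN password + hardware-token exchange from the post.

Assumes a pending MFA challenge is kept server-side after the password step
and that the server chooses what to bind it to: the client's source IP
(breaks behind carrier-grade NAT) or a challenge id the client echoes back.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample credential store and hardware-token code for the demo.
USERS = {"spencer": {"password": "pw-constructed", "otp": "482913"}}


@dataclass
class MfaServer:
    bind_to_ip: bool                      # True = the rejecting behaviour in the post
    pending: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def step1_password(self, user, password, src_ip):
        """Password step: returns a challenge id the client must echo back."""
        if USERS.get(user, {}).get("password") != password:
            return None
        cid = secrets.token_hex(8)
        self.pending[cid] = {"user": user, "ip": src_ip}
        return cid

    def step2_otp(self, cid, otp, src_ip):
        """OTP step. Behind CGNAT, src_ip may differ from the step-1 address."""
        state = self.pending.pop(cid, None)
        if state is None:
            return False
        if state["ip"] != src_ip:
            # Log the change either way: useful for detection tuning
            # (e.g. excluding CGNAT pools from impossible-travel rules).
            self.events.append(f"ip-change user={state['user']} {state['ip']}->{src_ip}")
            if self.bind_to_ip:
                return False      # the rejection the post describes
        return USERS[state["user"]]["otp"] == otp


def simulate(bind_to_ip):
    """Replay the post's scenario: two requests, two addresses from one CGNAT pool."""
    srv = MfaServer(bind_to_ip=bind_to_ip)
    cid = srv.step1_password("spencer", "pw-constructed", "100.64.1.10")
    ok = srv.step2_otp(cid, "482913", "100.64.7.200")
    return ok, srv.events
```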
Comments
Hi @Spencer
I'd suggest asking the technician in the case that you're working on for an enhancement -- they can add that request to the case you already have open.
-James Carson
WatchGuard Customer Support