Allow Domain in RADIUS requests

Presently, computer / user name must be stripped of domain in any context. This complicates things like group policy deployed VPN which would otherwise work perfectly with zero touch using Windows' built-in AD-based SSO mechanisms. All those built-in mechanisms (cert or password) include the domain name with no way to strip it at runtime.

Use case:

Working on implementing a multi-department VPN + WiFi solution that splits the authentication back-end based on the user's or computer's domain. This works perfectly with a simple regex for WiFi (UBNT) already, but for WatchGuard VPN the front-end RADIUS server has to be individually told every user it should forward over to that department's RADIUS server, instead of just looking at the domain.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi Kyle,

    The issue with this is that the firebox SSLVPN uses the backslash to differentiate from the default authentication server. If you type in example.com\user the firewall will interpret this as you're trying to log in using AD server example.com and not your configured RADIUS server.

    (Install and Connect the Mobile VPN with SSL Client)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html

    Your best bet would likely be to use the user's email address, as that will pass the domain in a way that the firewall will ignore. Like user@example.com.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Interesting. I think this would be possible to implement by changing the behavior for non-compliant VPN types e.g. IKEv2, or if direct AD authentication can be configured for IKEv2 instead of RADIUS.

    Now I wonder if Windows-integrated SSO VPN can be told to use UPN instead of the legacy logon name as its credential.

  • Doesn't Windows use SSTP? In which case it wouldn't work with an OpenVPN-based solution? Be nice if it did, or if WG introduced SSTP support. Although bear in mind that SSTP is user-based, not device-based.

    All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).

  • Windows has built-in support for L2TP/IPSec, IKEv2, and SSTP. All can use either user or computer based auth with the right NPS (Windows Server RADIUS implementation) profile.

    This may change with a third-party device in the mix instead of going directly to a Windows Server VM running Routing and Remote Access, e.g. WatchGuard may not like the formatting of computer usernames (have not tested).

    There is a setting in Windows to use the active user's credentials for the VPN, but it uses the legacy format domain\user, while in this context WatchGuard is expecting either user or user@domain.com.
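The thread turns on three spellings of the same identity in a RADIUS User-Name: the legacy DOMAIN\user form that Windows' built-in SSO sends (the original post and the last comment), the UPN user@domain form the moderator suggests, and bare user, plus the computer-account variants (trailing "$", or host/fqdn for certificate-based machine auth). The block below is an added example, not code from the thread or from WatchGuard, UBNT or Microsoft: it parses all of these forms, picks a department back-end from the realm the way the original poster's WiFi regex does, strips the realm for a back-end that still requires a bare name, and models the backslash-selects-the-auth-server behaviour the moderator describes. The realm-to-server table and the NetBIOS-to-DNS mapping are constructed sample data; the host/ form for EAP-TLS machine accounts is an assumption about the client, not something the thread states.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample data (assumption, not from the thread): each department realm
# maps to that department's own RADIUS server.
DEPARTMENT_BACKENDS: Dict[str, Tuple[str, int]] = {
    "eng.example.com": ("radius-eng.example.com", 1812),
    "sales.example.com": ("radius-sales.example.com", 1812),
}

# Legacy DOMAIN\user logons carry the NetBIOS name, not the DNS realm (assumed mapping).
NETBIOS_TO_REALM: Dict[str, str] = {"ENG": "eng.example.com", "SALES": "sales.example.com"}


class Identity(NamedTuple):
    user: str             # account name with any realm and trailing "$" removed
    realm: Optional[str]  # DNS realm, or None when no domain was present
    form: str             # "upn" (user@realm), "legacy" (DOMAIN\user), "host" (host/fqdn) or "bare"
    machine: bool         # True for a computer account (trailing "$" or host/ prefix)


# The character class excludes the three separators so a name cannot match two forms at once.
_UPN_RE = re.compile(r"^(?P<user>[^@\\/]+)@(?P<realm>[^@\\/]+)$")
_LEGACY_RE = re.compile(r"^(?P<domain>[^@\\/]+)\\(?P<user>[^@\\/]+)$")
_HOST_RE = re.compile(r"^host/(?P<fqdn>[^@\\/]+)$")  # assumed EAP-TLS machine-account form


def parse_user_name(value: str) -> Identity:
    """Classify a RADIUS User-Name into one of the forms a Windows client may send."""
    value = value.strip()
    m = _HOST_RE.match(value)
    if m:
        # host/pc-42.eng.example.com -> user "pc-42", realm "eng.example.com"
        short, _, realm = m.group("fqdn").partition(".")
        return Identity(short, realm.lower() or None, "host", True)
    m = _UPN_RE.match(value)
    if m:
        user = m.group("user")
        return Identity(user.rstrip("$"), m.group("realm").lower(), "upn", user.endswith("$"))
    m = _LEGACY_RE.match(value)
    if m:
        user = m.group("user")
        domain = m.group("domain")
        # Unknown NetBIOS names fall through as a lowercased realm so routing rejects them.
        realm = NETBIOS_TO_REALM.get(domain.upper(), domain.lower())
        return Identity(user.rstrip("$"), realm, "legacy", user.endswith("$"))
    return Identity(value.rstrip("$"), None, "bare", value.endswith("$"))


def select_backend(value: str) -> Optional[Tuple[str, int]]:
    """Choose the department RADIUS server from the realm; None means reject the request
    (no realm at all, or a realm no department owns) rather than guess a default."""
    ident = parse_user_name(value)
    if ident.realm is None:
        return None
    return DEPARTMENT_BACKENDS.get(ident.realm)


def strip_realm(value: str) -> str:
    """User-Name to forward to a back-end that insists on a bare account name (the
    constraint the original post complains about). Computer accounts keep their "$"."""
    ident = parse_user_name(value)
    keep_dollar = ident.machine and ident.form != "host"
    return ident.user + ("$" if keep_dollar else "")


def firebox_login_split(value: str, default_server: str = "RADIUS") -> Tuple[str, str]:
    """Model of the behaviour the moderator describes for the SSL VPN login: a backslash
    selects the authentication server by name, while an '@' realm stays inside the user
    name and goes to the configured default server."""
    m = _LEGACY_RE.match(value)
    if m:
        return (m.group("domain"), m.group("user"))
    return (default_server, value)


if __name__ == "__main__":
    samples = ["alice@eng.example.com", "SALES\\bob", "ENG\\PC-42$",
               "host/pc-42.eng.example.com", "carol", "dave@other.example.org"]
    for name in samples:
        print(f"{name:28} {parse_user_name(name)} -> {select_backend(name)}")
```

Routing on the realm means a front-end proxy (FreeRADIUS realms, or an NPS connection request policy with a User-Name condition) never needs a per-user forwarding list; the parse step is the only place that has to know about the three spellings. Whether the back-end can accept the realm at all is a separate question from whether the front-end can route on it, which is why strip_realm is kept distinct from select_backend.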
