Mobile VPN SSL with AuthPoint MFA

edited November 20 in AuthPoint - General

Hello,
I am experiencing issues with RADIUS authentication on my WatchGuard T35 when integrating it with AuthPoint MFA. Despite entering the correct username and password, the authentication process fails, and I do not receive a push notification on my phone for MFA approval. I had this working previously using the same equipment so I know that it is possible.

Current Setup:
Device: WatchGuard T35
Authentication Method: RADIUS with AuthPoint MFA
RADIUS Server: Installed on a Windows Server 2019 machine
MFA Method: Push notifications via AuthPoint mobile app

Attached are two log files that were created by AuthPoint Gateway on my server.

Error Messages:
Below are the relevant log entries from the WatchGuard AuthPoint Gateway:
2024-11-20 12:09:36 INFO [pool-3-thread-1] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Request received from 10.10.10.1
2024-11-20 12:09:36 INFO [pool-3-thread-1] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Processing common authentication...
2024-11-20 12:09:36 ERROR [pool-3-thread-1] c.w.a.p.a.r.b.s.r.a.AuthenticationFlowImpl - Authentication request failed - Protocol: pap - Username: sbickle99 - HostName: removed - HostAddress: removed.
2024-11-20 12:09:46 INFO [pool-3-thread-2] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Request received from 10.10.10.1
2024-11-20 12:09:46 INFO [pool-3-thread-2] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Processing common authentication...
2024-11-20 12:09:56 INFO [pool-3-thread-3] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Request received from 10.10.10.1
2024-11-20 12:09:56 INFO [pool-3-thread-3] c.w.a.p.a.r.r.r.u.RadiusProcessRequestThread - Processing common authentication...

Steps Taken So Far:

RADIUS Configuration: I have verified that the shared secret between the WatchGuard T35 and the RADIUS server is correct and matches on both sides.

Group Configuration: I ensured that the Filter-ID attribute is configured correctly in both the RADIUS server and WatchGuard T35 for group-based access control.

MFA Enrollment: The user sbickle99 is enrolled in AuthPoint and has set up push notifications on their mobile device, but no push notifications are received during authentication attempts.

Authentication Protocol: The logs indicate that PAP is being used for authentication (Protocol: pap). I understand that PAP is supported by WatchGuard for certain VPN configurations, but I am unsure if this is causing the issue with MFA integration.

Port Conflicts: I have checked for port conflicts on UDP port 1812 (the default RADIUS port) and ensured that no other services are using this port.

Network Connectivity: There are no firewall rules blocking traffic between the WatchGuard T35, RADIUS server, or AuthPoint Cloud.

Are there any specific RADIUS attributes or Vendor-Specific Attributes (VSAs) required by WatchGuard T35 when working with AuthPoint MFA that I might be missing?

Could there be any additional configuration steps needed in either the AuthPoint Gateway or the RADIUS server to ensure proper communication and push notification delivery?

TIA

*removed attachments - JC

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Stubborn
    I don't see any RADIUS requests in your RADIUS logs, so it's likely traffic isn't making it there via RADIUS.

    If you haven't already done so, I'd suggest opening a support case so that one of our reps can go over the configuration with you. The most common reason I see RADIUS not working is when NPS and AuthPoint's RADIUS server are both configured for port 1812.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thanks. I discovered earlier today that the NPS and AuthPoint RADIUS server were both configured for port 1812. I made some adjustments but it's still not working.

    I will go ahead and start a support case.

    Cheers!
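
One way to confirm which Windows service actually owns the RADIUS port on the server, for the NPS/AuthPoint port 1812 overlap discussed in the comments above. This is an added example, not part of the original thread or any WatchGuard tooling; the port list is an assumption (only 1812 appears in the thread), and it is meant to be run in an elevated PowerShell session on the server that hosts the AuthPoint Gateway.

```powershell
# Added example: show which process and which Windows services are bound to the
# RADIUS UDP ports, so you can tell whether requests reach NPS or the Gateway.
$radiusPorts = 1812, 1813   # assumption: 1812 is from the thread, 1813 (accounting) is added here

$listeners = foreach ($port in $radiusPorts) {
    Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $procId = $_.OwningProcess
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            # NPS runs inside a shared svchost.exe, so the process name alone is not
            # enough: map the PID to the service names hosted in that process.
            # The NPS service's short name is "IAS".
            $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Port         = $_.LocalPort
                LocalAddress = $_.LocalAddress
                ProcessId    = $procId
                Process      = $proc.ProcessName
                Services     = ($services -join ', ')
            }
        }
}

if (-not $listeners) {
    Write-Warning "Nothing is listening on UDP $($radiusPorts -join '/')."
} else {
    $listeners | Sort-Object Port, ProcessId | Format-Table -AutoSize

    # Flag any port that is bound by more than one distinct process.
    $listeners | Group-Object Port | ForEach-Object {
        $owners = @($_.Group.ProcessId | Select-Object -Unique)
        if ($owners.Count -gt 1) {
            Write-Warning "UDP $($_.Name) is bound by several processes: $($owners -join ', ')"
        }
    }
}
```

If the only owner of UDP 1812 is the process hosting the `IAS` service, requests sent by the Firebox to that port are answered by NPS rather than by the AuthPoint Gateway.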
