IPsec Mobile VPN setup with Microsoft MFA
I am trying to get MFA set up on the Mobile VPN client using IPsec. The firewall is set up at a datacenter with domain controllers, which I currently have working to authenticate using Active Directory. There will be an S2S tunnel set up to our Azure environment.
If possible I would like to use Microsoft MFA but I can't seem to find good instructions on what I need to do to get that working.
Comments
Hi @jfaz11
If you're using the IPSec VPN, setup will be about the same as AuthPoint (as in, you'll need to use RADIUS to do this).
See:
(Firebox Mobile VPN with IPSec Integration with AuthPoint)
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ipsec-vpn-radius_authpoint.html
The RADIUS server you point to will need to reply with the group the VPN is looking for as RADIUS attribute 11 (also known as FilterID) -- the group name is whatever the profile name is that you made in the IPSec setup.
-James Carson
WatchGuard Customer Support
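To check that point on the wire, here is an added example (not code from the thread or from WatchGuard): a small Python builder and verifier for a RADIUS Access-Accept that accepts a reply only when its Response Authenticator is valid for the shared secret and it carries a Filter-Id (attribute 11) equal to the IPSec profile name. The shared secret, the Request Authenticator and the profile name "ipsec-mfa-users" are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # attribute type 11, Filter-Id, carries the group name

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept. attrs is a list of (type, value-bytes).
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attributes(packet):
    """Walk the TLV attribute section, rejecting malformed lengths."""
    attrs, pos = [], 20
    length = struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator using the shared secret and the
    Request Authenticator from our own Access-Request."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def filter_id_matches(packet, request_auth, secret, profile_name):
    """True only for an authentic Access-Accept whose Filter-Id equals the
    Mobile VPN with IPSec profile (group) name the Firebox expects."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    if not verify_response(packet, request_auth, secret):
        return False
    groups = [v.decode("utf-8", "replace")
              for t, v in parse_attributes(packet) if t == FILTER_ID]
    return profile_name in groups

if __name__ == "__main__":
    # Constructed sample values: secret, Request Authenticator, profile name.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    reply = build_access_accept(7, req_auth, secret, [(FILTER_ID, b"ipsec-mfa-users")])
    print(filter_id_matches(reply, req_auth, secret, "ipsec-mfa-users"))  # True
```

A reply from a server using the wrong shared secret, or one whose Filter-Id names a different group, is rejected.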
If you are able to use a Windows NPS setup in your datacentre environment this might be possible (you install the Azure MFA extension to NPS), however this only works with the "Notification" option in Entra ID MFA (formerly Azure AD MFA), since there is no way to pass a response back to the RADIUS server - which you would configure as a RADIUS authentication server on the Firebox.
Should you do this, stage a new NPS server; otherwise all requests to the NPS server trigger an MFA challenge/response (which, for say WiFi, you do not want).
Edit: https://techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA22A000000XZlhSAG&type=KBArticle is the WatchGuard KB article for setting up Windows NPS with the Firebox for RADIUS authentication.