Unable to VPN to Firebox using Passwordless authentication with the new SAML Entra feature
I've followed this guide and I'm confident I've configured everything correctly: https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html?tocpath=Self-Help Tools|Integration Guides|General|_____1
I downloaded the latest version of the Mobile VPN software, which allows the SAML option to be selected. I enter the hostname in the Mobile VPN software and select the SAML option; this triggers the authentication process with Entra, which I complete using passwordless MFA. It then returns this error:
AADSTS75011: Authentication method 'X509, MultiFactor, PasswordlessPhoneSignIn' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. Contact the Watchguard_SAML application owner.
Doing a quick search, it would appear that the WatchGuard is expecting me to authenticate using a username and password, and because I haven't done that (I've authenticated successfully, but using passwordless MFA) it then doesn't accept this method.
Is it likely I have something set wrong? Is anyone aware of a workaround or setting I could change to allow this? Do we need to wait for WatchGuard to accept this as a valid authentication method?
Appreciate any feedback / insight anyone can offer.
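Added example, not from the original post or from WatchGuard, to confirm what AADSTS75011 is pointing at on the service-provider side: it decodes a SAMLRequest as carried by the HTTP-Redirect binding and reports whether the request's RequestedAuthnContext insists on PasswordProtectedTransport, the class Entra renders as 'Password, ProtectedTransport'. The sample AuthnRequest, the hostname vpn.example.invalid and the assumption that the Firebox's request carries this element are constructed for illustration, not captured from a Firebox.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest (assumption: modelled on an SP that insists on password login).
SAMPLE_AUTHNREQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  AssertionConsumerServiceURL="https://vpn.example.invalid/auth/saml/acs">
  <saml:Issuer>https://vpn.example.invalid/auth/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def encode_redirect_binding(xml_text: str) -> str:
    """Encode as the SAMLRequest query parameter of the HTTP-Redirect binding: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = compressor.compress(xml_text.encode()) + compressor.flush()
    return base64.b64encode(raw).decode()

def decode_redirect_binding(param: str) -> str:
    """Reverse of encode_redirect_binding: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def requested_authn_classes(xml_text: str):
    """Return (Comparison, [class refs]) from RequestedAuthnContext, or (None, []) if absent."""
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs  # spec default for Comparison is "exact"

def explain(param: str) -> str:
    """Say whether this request will make the IdP reject a passwordless (FIDO2 / phone sign-in) login."""
    comparison, refs = requested_authn_classes(decode_redirect_binding(param))
    if PPT in refs and comparison == "exact":
        return "password-only: request demands PasswordProtectedTransport, passwordless sign-in fails (AADSTS75011)"
    if not refs:
        return "no RequestedAuthnContext: IdP may use any method, passwordless sign-in allowed"
    return f"requests {refs} with Comparison={comparison}"

if __name__ == "__main__":
    print(explain(encode_redirect_binding(SAMPLE_AUTHNREQUEST)))
```

Paste the real SAMLRequest value from the browser's redirect to login.microsoftonline.com into explain() to check what the Firebox actually asks for.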
Comments
This probably should be moved to "Firebox - VPN Mobile User"
WG doesn’t support Entra ID Passwordless authentication.
You need to give Username & Password, you can then use a Security Key (Yubikey) or MS Authenticator as 2FA.
Stupid, yes; it seems that the WG Product Managers for Authentication are not up to date with what customers need and want nowadays...
Hi @SamSpronk, @kimmo.pohjoisaho
There is a feature request open for this. It is SASE-2986.
If that's something you want to see in the future, I'd strongly suggest making a support case and mentioning SASE-2986. The product managers do not frequent the forums here.
-James Carson
WatchGuard Customer Support
FYI, I opened a support case to follow that feature request, and the support engineer logged it against this feature request instead, which might help:
FBX-28331 - Support passwordless authentication with SAML
Hi @PhilT_VIT
I checked and they're linked together -- so either or will work. The technicians usually prefer the FBX items, but either will show the PMs that there's interest in that feature.
-James Carson
WatchGuard Customer Support
Thanks, I've just added a support case referencing the above case IDs