AuthPoint & Multiple Groups Per User

Something I find very frustrating is the fact a user can only be a member of one group within AuthPoint. This is causing administrative complexity when it comes to (for example) accessing resources such as the Access Portal (and using AuthPoint to authenticate), where there are a number of applications, and different combinations of users, using each app/set of apps:

App A
App B
App C
App D
App E

User 1
User 2
User 3
User 4
User 5
User 6

App A - All Users
App B - User 1,2,3
App C - User 4,5,6
App D - User 1,3,5
App E - User 1,2,5,6

In an ideal world (one where a certain well-known competitive product is available).. I'd just sync the equivalent AD groups into AuthPoint - regardless that a number of users belong to more than one group, and assign those groups to the Access Portal as necessary.

From what I can make out, I'd need a separate AuthPoint group for every possible combination of access - not very scalable, and complicated.

If Access Policies were done at the Resource level instead of on Groups - the whole problem goes away, if I read it right?

Cheers, James

All XTM, T-Series, M-Series, FireboxV, Firebox Cloud, Authpoint, Secure WiFi, Dimension, WSC, WatchGuard Cloud etc. Manage a few hundred devices.

-=Panda AD360=-


  • Daniele_MammanoDaniele_Mammano WatchGuard Representative

    Hello James,

    thanks for writing in the WatchGuard community.

    Regarding your post, this is something that our AuthPoint team is already evaluating.
    We have an internal request opened tracked under:

    • AAAS-5330: Allow Assigning Users/Groups to Resources

    that could avoid the conflict to have one user on different groups at the same time.

    Have a great day.
    -Daniele M.

  • Hi Daniele

    Good news, thanks - that'll be useful..

    Cheers, James

    All XTM, T-Series, M-Series, FireboxV, Firebox Cloud, Authpoint, Secure WiFi, Dimension, WSC, WatchGuard Cloud etc. Manage a few hundred devices.

    -=Panda AD360=-

  • This appears to still be a problem, or undelivered feature, over 18 months later. I just got locked out of my test server because I'm a member of both "domain admins" and "domain users". I guess the solution might be to create a new OU called Authpoint Groups to keep all of the authpoint specific groups in? This is a pretty big gotcha and, so far, the only thing uncovered during my testing of the product which gives me serious pause.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @chagerhg

    I'm a bit confused why you wouldn't give your "admins" at least the same access as your "users" group. Ensuring that your admins have access to whatever required resources they need should allow you to access resources as needed.

    Most issues have been addressed via the AuthPoint authentication policies since that initial post:
    (About AuthPoint Authentication Policies)

    -James Carson
    WatchGuard Customer Support

  • This is no longer an issue with the authentication policies... at least for LDAP synced accounts.

  • A simple user, who is member of multiple Active Directory Groups don't get applied multiple Authentication Policies correctly. Any work around to solve it?.

    -Authpoint Group A. Sync with AD Group A. Members: Jim, Matheus
    -Authpoint Group B. Sync with AD Group B. Members: Jim, Ana
    -Authentication Policy1: let Authpoint Group A users to authenticate on RDP sessions.
    -Authentication Policy2: let Authpoint Group B users to authenticate on SSH sessions using Radius.


    • Policy1 work OK for Jim and Matheus.
    • Policy2 work OK for Ana but DO NOT WORK FOR Jim.

    Any help ?.

  • I'm seeing this issue as well.

    I've been using AuthPoint for VPN MFA, but now want to also use it for another app where all VPN users may not be assigned use of this 2nd app. Or the new app user may not have VPN access permissions.

    When I add another group to sync from AD, the original group membership for VPN gets removed when the user is updated with the new app permissions.

    I'll put in a support ticket and hopefully come up with a solution or workaround.

Sign In to comment.