Firebox Admin authentication using Windows NPS AD Group user

Hello All,

I'm attempting to set up an M470 HA pair so that I can log in using RADIUS and a user within an Active Directory group. I have done the following but seem to be missing something (bold below).

Firebox: I have set up Authentication Server - RADIUS - Server IP, Port 1812, Shared Secret

Windows NPS: I have configured

  • RADIUS clients: created a client using the IP address, RADIUS Standard, shared secret

  • Network policy: enabled, Grant Access

  • Conditions pointing to user group Network Admins; authentication methods: MS-CHAPv2, MS-CHAP
  • Settings: RADIUS attributes (not sure what to put here)

On the Firebox I assume that once I have the above settings correct I can then go to Authentication Settings and set the default authentication to my RADIUS domain.

Has anyone got some guidance they can share?

Thanks, David
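The exchange the poster is describing (Firebox as RADIUS client, NPS as server, shared secret on both sides) is the RFC 2865 Access-Request / Access-Accept handshake. The following is an added example, not part of the original post and not WatchGuard or Microsoft code: it builds an Access-Request the way a RADIUS client does, includes a constructed stand-in for the NPS side so the whole thing runs offline, and checks the Response Authenticator before trusting the reply. It uses PAP (User-Password hiding with MD5 and the shared secret) rather than the MS-CHAP methods listed above, purely because PAP is short enough to show in full; the account table, the group name "Network Admins" and the use of Filter-Id to carry that group back are assumptions for the demo. The `radius_auth` function is the one you would point at a real NPS host to confirm that packets reach it and that the shared secret matches.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS TLVs (length covers the 2-byte header)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, nas_ip, ident=0):
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def fake_nps_respond(request, secret, accounts, group_name):
    """Constructed stand-in for the NPS policy (assumption, not real NPS): accept if the
    user exists and the PAP password matches, returning Filter-Id = group_name."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if accounts.get(username, "").encode() == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, [(FILTER_ID, group_name.encode())]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def check_response(response, request_auth, secret):
    """Verify the Response Authenticator before trusting the reply; a mismatch means a
    wrong shared secret or a spoofed packet. Returns (accepted, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code == ACCESS_ACCEPT, dict(attrs)


def radius_auth(username, password, secret, server, nas_ip, port=1812, timeout=3.0):
    """Send one PAP Access-Request to a real RADIUS server over UDP (not used offline)."""
    request, request_auth = build_access_request(username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        response, _ = sock.recvfrom(4096)
    return check_response(response, request_auth, secret)


def offline_demo(username="david", password="CorrectHorse", secret=b"SharedSecret"):
    """Client and constructed server in one process; account table is made up."""
    request, request_auth = build_access_request(username, password, secret, "192.0.2.1")
    reply = fake_nps_respond(request, secret, {"david": "CorrectHorse"}, "Network Admins")
    return check_response(reply, request_auth, secret)


if __name__ == "__main__":
    print(offline_demo())
```

Two things this makes visible that the NPS GUI does not: a wrong shared secret does not produce an Access-Reject, it produces a reply whose authenticator fails to verify (or no reply at all from NPS), and NPS only grants access through a network policy whose ticked authentication methods include the one the client actually sent. If the RADIUS client uses PAP and the policy lists only MS-CHAP and MS-CHAPv2, every request is rejected regardless of group membership.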

Comments

  • Also, if I enable authentication via RADIUS instead of Firebox-DB, will I lock myself out, or will the local admin account still be valid?

  • Have you added this user to the "Manage Users and Roles" on your firewall config?
    Manage Users and Roles on Your Firebox
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/role-based_admin/device-rba_users-roles_c.html

    Your current firewall admin account should still work until it is deleted.

  • Hi Bruce,

    I appreciate you helping out.

    Re your feedback, I'm not sure I understand. My thought process is that I would be authenticating against a user defined in Active Directory via Windows NPS (how I have it set up on other devices). The goal is to have a Windows AD group of users that we can centrally manage as admins. When a NetAdmin joins, we create them a user account on Windows and they have admin access to all network devices.

    On other network devices I set up a RADIUS server profile, then on NPS I create a policy which takes the entered username and references it against an AD group of users.

    I've set up as per above, and when logging in I select RADIUS as the auth server, but I'm not seeing any RADIUS packets leaving the firewall to the RADIUS server. I'm missing something.

    I can find info on setting up VPN access etc., but nothing on WatchGuard admin access.

    Regards
    David

  • You would need to add your AD or Windows NPS RADIUS info to your firewall authentication server settings, then add a user name which is on one of those servers to the firewall Users and Roles.
    When the user tries to log on to the firewall as an admin, the user's password would be checked against the AD or Windows NPS RADIUS server.
    AFAIK, there is no way to not add the user name to the firewall Users and Roles for admin access.

  • Hi @DaveRC

    If this is about access for firewall management, and if you have the resources (Windows Server); I'd recommend installing WatchGuard Management Server which will not only allow you to centrally manage your Fireboxes (and keep an audit trail/backup of the configurations), but also allows for Role-Based Access using AD groups/users etc. Some groups may have read-only access to all devices, some with admin to specific, or all etc.

    If the server it's installed on is part of the domain, then there's no need to worry about RADIUS, NPS, LDAP etc. (at least for management). If you've not seen it, you can get started here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/installation/set-up_wsm.html

    Hope that helps.. (it might not!)

    Cheers, James

    All Fireboxes (T-Series, M-Series, FireboxV, Firebox Cloud etc.); EPDR, Advanced EPDR/Cytomic, Orion (Threat Hunting); WiFi, AuthPoint. WSC/Cloud. Management of a few hundred Fireboxes, and a few thousand EPDR endpoints. Platinum Partner. Views my own (if any!).
