Authentication problems with MS NPS RADIUS and MS MFA on FireBox

Hi everyone,

I'm setting up a FireBox SSL VPN connection with authentication via MS NPS RADIUS and MS MFA. When I try to connect using the Firebox SSL client, it returns the messages below:

2022-08-02 08:55:45 admd Authentication of SSLVPN user [robson.ferraz@iteris.local] from 179.191.101.70 was rejected, user isn't in the right group msg_id="1100-0005" Event
2022-08-02 08:55:45 wgcgi SSL VPN user robson.ferraz@iteris.local from 179.191.101.70 was rejected - Unspecified. Debug

My MS NPS server is configured to allow connections only for a specific security group. I configured a security group in "Users and Groups" in FireBox, and when I check the Event Viewer, all of the logs state that the user's connection was accepted and allowed, but FireBox doesn't allow the access.

If I configure a user login in FireBox, without a group, the connection is established without problems.

I enabled "Diagnostic Tasks" TCP Dump with the argument "-i eth0 host 172.30.1.6 -vv" and it returned the result below:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:28:39.605159 IP (tos 0x0, ttl 64, id 24635, offset 0, flags [DF], proto UDP (17), length 93)
172.22.0.6.51901 > 172.30.1.6.1812: [bad udp cksum 0x599b -> 0x6524!] RADIUS, length: 65
Access-Request (1), id: 0x0e, Authenticator: 69b29144c4df200caf308e7e5be95c33
User-Name Attribute (1), length: 15, Value: robson.ferraz
0x0000: 726f 6273 6f6e 2e66 6572 7261 7a
User-Password Attribute (2), length: 18, Value:
0x0000: 0c0e 6006 6352 a43b 8b3a 01db 3019 a4c6
NAS-IP-Address Attribute (4), length: 6, Value: 172.22.0.6
0x0000: ac16 0006
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000
17:28:41.241146 IP (tos 0x0, ttl 128, id 38683, offset 0, flags [none], proto UDP (17), length 126)
172.30.1.6.1812 > 172.22.0.6.51901: [udp sum ok] RADIUS, length: 98
Access-Challenge (11), id: 0x0e, Authenticator: f702caf950bb29a9b5e74ed9f5de7033
Reply-Message Attribute (18), length: 40, Value: Enter Your Microsoft verification code
0x0000: 456e 7465 7220 596f 7572 204d 6963 726f
0x0010: 736f 6674 2076 6572 6966 6963 6174 696f
0x0020: 6e20 636f 6465
State Attribute (24), length: 38, Value: 230f9305-4fd7-42d2-b1aa-4087325bb55a
0x0000: 3233 3066 3933 3035 2d34 6664 372d 3432
0x0010: 6432 2d62 3161 612d 3430 3837 3332 3562
0x0020: 6235 3561
17:28:52.006493 IP (tos 0x0, ttl 64, id 26961, offset 0, flags [DF], proto UDP (17), length 131)
172.22.0.6.51901 > 172.30.1.6.1812: [bad udp cksum 0x59c1 -> 0xef23!] RADIUS, length: 103
Access-Request (1), id: 0x0e, Authenticator: 158a6158a5dbf57a293b7575d7056007
User-Name Attribute (1), length: 15, Value: robson.ferraz
0x0000: 726f 6273 6f6e 2e66 6572 7261 7a
User-Password Attribute (2), length: 18, Value:
0x0000: d04b 148a 39bb f44a 99e5 fa16 ee7d 12cf
NAS-IP-Address Attribute (4), length: 6, Value: 172.22.0.6
0x0000: ac16 0006
NAS-Port Attribute (5), length: 6, Value: 0
0x0000: 0000 0000
State Attribute (24), length: 38, Value: 230f9305-4fd7-42d2-b1aa-4087325bb55a
0x0000: 3233 3066 3933 3035 2d34 6664 372d 3432
0x0010: 6432 2d62 3161 612d 3430 3837 3332 3562
0x0020: 6235 3561
17:28:54.543058 IP (tos 0x0, ttl 128, id 38684, offset 0, flags [none], proto UDP (17), length 94)
172.30.1.6.1812 > 172.22.0.6.51901: [udp sum ok] RADIUS, length: 66
Access-Accept (2), id: 0x0e, Authenticator: c397370ad041db540c533d99950eab7d
Class Attribute (25), length: 46, Value: ...l
0x0000: b6cb 0a6c 0000 0137 0001 0200 ac1e 0106
0x0010: 0000 0000 f548 95e7 467f 36fb 01d8 a2c2
0x0020: b05d 9d22 0000 0000 0000 00a7

My NPS server informs the Firebox that the access was allowed. Could someone help me find out the problem?
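To see what the capture actually says, here is an added example (my own code, not from the original post and not WatchGuard or Microsoft code) that rebuilds the Access-Challenge and Access-Accept from the hex in the tcpdump output above, parses them by the RFC 2865 layout, and checks whether the Access-Accept carries a Filter-Id (attribute 11) equal to the group name the firewall expects. The expected group name and the second, "constructed" Access-Accept that does carry a Filter-Id are assumptions for illustration; the authenticator on the constructed packet is a placeholder and the code does not verify Response Authenticators (that needs the shared secret).

```python
"""Decode the captured RADIUS exchange and check the Access-Accept for Filter-Id.

Added example, not from the original post or from WatchGuard/Microsoft.
Assumes only the RFC 2865 packet layout; the two captured packets are rebuilt
from the hex shown in the post's tcpdump output.
"""
import struct
from typing import Optional

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         11: "Filter-Id", 18: "Reply-Message", 24: "State", 25: "Class"}

FILTER_ID = 11        # RFC 2865 attribute the firewall reads the group name from
STATE = 24
ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11


def build_radius(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Serialise a RADIUS packet: 4-byte header, 16-byte authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS packet, rejecting Length/attribute lengths that overrun the datagram."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"bad Length field {length} for {len(pkt)}-byte packet")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, bytes(pkt[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "name": CODES.get(code, f"code {code}"), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}


def filter_id_values(parsed: dict) -> list:
    """All Filter-Id (11) strings in the packet; a server may send more than one."""
    return [v.decode("utf-8", "replace") for t, v in parsed["attrs"] if t == FILTER_ID]


def accept_grants_group(pkt: bytes, expected_group: str):
    """Return (ok, reason): does this Access-Accept carry the group the firewall expects?"""
    p = parse_radius(pkt)
    if p["code"] != ACCESS_ACCEPT:
        return False, f"not an Access-Accept: {p['name']}"
    groups = filter_id_values(p)
    if not groups:
        present = ", ".join(ATTRS.get(t, f"attr {t}") for t, _ in p["attrs"]) or "none"
        return False, f"Access-Accept has no Filter-Id (11); attributes present: {present}"
    if expected_group in groups:   # exact, case-sensitive comparison
        return True, f"Filter-Id matches {expected_group!r}"
    return False, f"Filter-Id present but does not match: {groups!r}"


def challenge_state(pkt: bytes) -> Optional[bytes]:
    """State (24) from an Access-Challenge; the client must echo it in the next Access-Request."""
    p = parse_radius(pkt)
    if p["code"] != ACCESS_CHALLENGE:
        return None
    return next((v for t, v in p["attrs"] if t == STATE), None)


# Access-Challenge and Access-Accept rebuilt from the post's tcpdump hex (id 0x0e in both).
CAPTURED_CHALLENGE = build_radius(
    ACCESS_CHALLENGE, 0x0e, bytes.fromhex("f702caf950bb29a9b5e74ed9f5de7033"),
    [(18, b"Enter Your Microsoft verification code"),
     (STATE, b"230f9305-4fd7-42d2-b1aa-4087325bb55a")])

CAPTURED_ACCEPT = build_radius(
    ACCESS_ACCEPT, 0x0e, bytes.fromhex("c397370ad041db540c533d99950eab7d"),
    [(25, bytes.fromhex("b6cb0a6c0000013700010200ac1e0106"
                        "00000000f54895e7467f36fb01d8a2c2"
                        "b05d9d2200000000000000a7"))])

# Constructed, not captured: an Access-Accept that does carry the group name
# (assumed here). The all-zero authenticator is a placeholder, not a valid one.
EXPECTED_GROUP = "Watchguard VPN SSL Iteris"
CONSTRUCTED_ACCEPT_WITH_GROUP = build_radius(
    ACCESS_ACCEPT, 0x0e, bytes(16),
    [(FILTER_ID, EXPECTED_GROUP.encode()), (25, b"opaque-class")])

if __name__ == "__main__":
    print("challenge State:", challenge_state(CAPTURED_CHALLENGE))
    for label, pkt in (("captured", CAPTURED_ACCEPT), ("constructed", CONSTRUCTED_ACCEPT_WITH_GROUP)):
        ok, why = accept_grants_group(pkt, EXPECTED_GROUP)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {why}")
```

Run against the captured Access-Accept the check fails, because that packet decodes to a single Class (25) attribute and no Filter-Id, which is also what the 66-byte length in the dump accounts for (20-byte header plus one 46-byte attribute); the constructed packet passes. The comparison is exact and case-sensitive, so a trailing space or a different case in the NPS attribute value would also fail it.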

Comments

  • edited August 2022

    The default group name is SSLVPN-Users.
    You can change the group name to be used in the SSLVPN setup but the name must match in the firewall config and in your NPS settings.
    You need to have the NPS set up return the group name in FilterID, which is RADIUS attribute 11.

  • Hi Bruce Briggs, thanks for your attention. The group name that is used in the SSLVPN setup matches in the firewall config and in the NPS settings, with spaces, uppercase and lowercase letters. The NPS setup is returning the group name in Filter-Id, which is RADIUS attribute 11.

    Attributes:
    Name             Value
    Class            11
    Filter-Id        Watchguard VPN SSL Iteris
    Framed-Protocol  PPP
    Service-Type     Framed

    On FireBox, in Setup -> Authentication -> Users and Groups, the configuration of the group is below:

    Name: Watchguard VPN SSL Iteris
    Type: Group
    Authentication Server: iteris.local

    I think all of the configurations are correct, but the FireBox returns a failure error saying the user is not in the group.

    When I disable MFA, everything works ok.

    I can't understand what is wrong.

  • I might have missed it, but have you validated the NPS server logs to see if the user is indeed being sent back the proper group that you have specified in NPS? I have one user who for whatever reason is not sending back the group to the Firebox, but 30 other users in the same group are working just fine. It seems like a bug in NPS. But the NPS log should for sure confirm that you're matching the groups right.

  • Consider opening a support case to get help from a WG rep to resolve this.
