Skip RADIUS and authenticate users via Azure
Hi All,
Is it possible to skip the RADIUS part of the ssl-vpn login and go directly to azure for authenticating our users?
We currently use RADIUS (NPS for Windows) to authenticate and we use the Azure extension and achieve 2FA which is all very nice, but it would be much simpler to skip RADIUS and go straight to Azure for authentication and it will make things much easier for IT.
I saw this article but it references the IKE-VPN so not sure if this will work for mobile ssl vpn https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Azure-firebox-ipsec-vpn-active_directory.html
Thanks
Stuart
Comments
You can specify the authentication server in front of the username for SSLVPN.
See:
(Download, Install, and Connect the Mobile VPN with SSL Client)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html#ConnectClient
(there are examples for each server type near the area where the link skips to)
You can also change the default auth server in your SSLVPN settings, which will change what the default server tried is.
-James Carson
WatchGuard Customer Support
Firebox and its SSLVPN support Azure AD authentication with LDAPS
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Azure-firebox-ssl-vpn-active_directory.html
But you also need "Azure AD Domain Service" in Azure.
Better solutions with sslvpn would be to use Fireware 12.7.1 or later and WatchGuard AuthPoint MFA as it supports Azure AD user sync, no on-prem radius install needed.
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ssl-vpn-radius_authpoint.html?tocpath=Self-Help Tools|Integration-Guides|AuthPoint|_____4
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/external-identity_azure-ad.html
Thanks both,
James, I'm asking to skip RADIUS by not using it and instead authenticating directly with Azure, sorry if I wasn't clear on that - I know how to authenticate via username to my 2nd auth server.
Kimmo, that's all very well, but AuthPoint costs per user whereas the Microsoft auth app is free; I can't justify paying for something that is free.
However, the secure LDAP connection from the firewall to Azure seems to be the way to go and adds resilience and removes the need for the on-prem RADIUS servers.
Thanks
Stuart
Stuart, the Azure AD authentication with LDAPS needs "Azure AD Domain Service" (AADDS) and it's not free; the cost is around $100 / month.