SAML login for VPN
Hello,
With the recent enhancements to Azure AD MFA implementing number matching, this would be a huge boost for security with the mobile workforce.
Currently, we can use RADIUS via approve/deny or purchase AuthPoint at an additional license fee and use tokens. For those of us already paying for Azure AD, it would be nice to tie it all in together without another purchase.
Unfortunately RADIUS does not support anything except for approve/deny and that is now being exploited through "MFA fatigue" attacks, where an attacker repeatedly sends MFA requests to your device until you approve. Number matching removes this problem.
more info:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
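The post above describes the pattern an MFA fatigue attack leaves behind with plain approve/deny push: a burst of prompts the user denies or lets time out, possibly followed by an approval. As an added example that is not part of this thread or any vendor's product, the Python below runs a simple detector over constructed sample log lines and flags users with that pattern; the log format and field names are assumptions, not a real RADIUS or Entra ID schema.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example, not from the forum thread or any vendor. The log lines are
constructed sample data; the line format "<ISO timestamp> user=<upn>
method=push result=<outcome>" and the outcome names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: bob receives five unsolicited prompts in under
# three minutes and finally approves one; carol denies once and approves
# hours later, which is normal behaviour and must not be flagged.
SAMPLE_LOG = """\
2023-04-01T08:00:05Z user=alice@example.com method=push result=approved
2023-04-01T22:10:01Z user=bob@example.com method=push result=denied
2023-04-01T22:10:31Z user=bob@example.com method=push result=timeout
2023-04-01T22:11:02Z user=bob@example.com method=push result=denied
2023-04-01T22:11:40Z user=bob@example.com method=push result=timeout
2023-04-01T22:12:15Z user=bob@example.com method=push result=denied
2023-04-01T22:12:50Z user=bob@example.com method=push result=approved
2023-04-02T09:15:00Z user=carol@example.com method=push result=denied
2023-04-02T17:30:00Z user=carol@example.com method=push result=approved
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["result"]


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: alert} for users with >= threshold denied/timed-out
    prompts inside a sliding window. The alert records the burst bounds,
    the peak prompt count, and whether an approval followed the burst
    (the case worth paging someone for)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        q = recent[user]
        # Drop prompts that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "first": q[0], "last": ts, "count": len(q),
                    "approved_after_burst": False,
                })
                alert["last"] = ts
                alert["count"] = max(alert["count"], len(q))
        elif result == "approved":
            # An approval right after a burst is the fatigue success case.
            if len(q) >= threshold and user in alerts:
                alerts[user]["approved_after_burst"] = True
            q.clear()
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

With number matching enabled the same spam produces no approval, because the user has to type the digits shown on the login screen rather than tap "approve"; the detector is still useful for spotting the attempts.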
Comments
@JohnathanT Which VPN are you using?
We've added a native AuthPoint option to the SSLVPN on the Firebox -- if you're using that solution, I would suggest checking that out.
(If you'd like to keep that information private, please consider opening a case, and we can get a feature request together, or add your information to an existing one.)
-James Carson
WatchGuard Customer Support
From a feature request stance, having native Azure AD authentication as an option (typically via SAML) would be the best option.
We have quite a few setups where this would be ideal, since having Azure AD Directory Services (AADDS) is quite cost prohibitive just to run a RADIUS server "in cloud", and not all our clients have an on-premise AD setup linked to Azure AD either.
AuthPoint, while WatchGuard "native", doesn't fit the bill for our clients as it's not only another authentication/MFA solution (they already use MFA through Azure AD for their Office 365 access), but as JohnathanT said, if you're already paying for it [Azure AD], it would be nice to not have to buy yet another package.
Sidenote - I believe the Cisco Firepower appliance I had to deploy for a client (they wouldn't accept WatchGuard sadly, this being one of the reasons) does support SAML to Azure AD, although for that setup the project is on hold, so if WatchGuard had this capability, it would be an easier sell to customers/management.
In addition to the cost, the seamless MFA user experience when integrated with Azure AD (and Windows Hello for Business) is not something to be disregarded lightly. You can do MFA login without having to type a password or TOTP PIN. I have done a couple of integrations with virtual Cisco ASA and Cisco Firepower. The user experience, security, and simplicity are well worth it.
Any advancements on this yet? I see WatchGuard supports SAML for login to other products:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_saml_config.html
So the boilerplate code is likely already written, it just needs to be incorporated into the VPN side of things (client and server).
We are now seeing regulatory requirements force us to use attack-resistant MFA (in other words, number matching and not approve/deny). These are being forced on us in the next 9-12 months, and it may mean ditching WatchGuard if we need to buy AuthPoint on top of our Azure AD subscription.
Hi @JohnathanT
You didn't answer the question about which VPN you're using. I need that information to give you the correct information.
SSLVPN has a feature request that is being worked on to allow SAML login. There are other components that need to be worked on, such as IDP portal compatibility.
The feature request ID you're looking for if you want to use SSLVPN is FBX-22728. If you'd like to follow that issue, please open a support case and leave a comment that you'd like to follow FBX-22728. The tech assigned to the case can set that up for you.
For IKEv2 and L2TP VPN, there are limitations due to the clients that are used that make using SAML difficult/impossible.
-James Carson
WatchGuard Customer Support
We too are using SSLVPN with Entra ID and looking to use SAML for login with the SSLVPN client as Entra ID does not natively support RADIUS but does support SAML. You can use the Microsoft Entra multifactor authentication NPS extension but Microsoft's recommendation is to upgrade your VPN client to SAML instead of relying on the Microsoft Entra multifactor authentication NPS extension.
https://learn.microsoft.com/en-us/entra/architecture/auth-radius
Same here, we are also looking for this feature.
I noticed the 12.11 beta now supports Entra ID for Firebox SSO as well as for the SSL VPN authentication. Looking forward to this release.
https://watchguard.centercode.com/key/12_11_Beta
Now that 12.11.1 is out and does support SAML for SSLVPN authentication since 12.11.0 (albeit on Windows only for now), it would be nice to have an SSLVPN client that utilises existing OS hooks to call the web browser for SAML authentication, rather than having a bundled browser runtime (Edge in the case of the Windows client).
That would be one step closer to true SSO (maybe whatever comes out of the macOS SSLVPN client development feature request might incorporate it on Windows?), since some users would already have their default browser be able to authenticate such sessions.
Not sure what the architectural/security reasons are for requiring the runtime, but in a way it does isolate the sign on session from whatever the default browser is doing too.
Hi @PhilT_VIT
The SSLVPN is required to pack its own minimal browser in order to handle modern authentication. Using the OS's default client for browsing isn't feasible.
-James Carson
WatchGuard Customer Support
As an extension of the SAML login for (SSL)VPN request, currently it can only handle one group which is fine for the last small scale deployment I just did (a case of you get or don't get VPN access).
Is it likely/possible to have this extended down the track to have multiple groups, since one of the larger deployments I manage uses about 20 or so groups to control what resources a VPN user can access, for which they have corresponding groups in Active Directory (synced to Entra ID)?
They'd like to leverage the SAML login for the SSL VPN users at least to leverage the modern authentication options around how it handles MFA, rather than relying on the Azure AD extensions for Windows NPS.
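The multi-group question above comes down to how group membership arrives in the SAML assertion and how the VPN side maps it to access. As an added example that is not WatchGuard's or Microsoft's code, the Python below extracts every value of a group attribute from a constructed assertion and resolves it against a deny-by-default policy with a gate group plus per-group resource sets. The assertion XML, the group names, the subnets, and the `POLICY` and `GATE_GROUP` mappings are all constructed; the claim name is the one Entra ID commonly uses for groups, but treat it as an assumption and take the real one from the IdP configuration.

```python
"""Map SAML group attribute values to VPN access (added example).

Constructed sample assertion and policy; not the Firebox implementation.
Signature and audience validation are deliberately out of scope here and
must run before any attribute is trusted in a real deployment; use a
hardened parser such as defusedxml for untrusted input.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed claim name for group membership; confirm against your IdP.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion with only the parts relevant to groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>VPN-Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-DevOps</saml:AttributeValue>
      <saml:AttributeValue>Unrelated-Group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed policy: the gate group grants the tunnel itself, the other
# groups each add a set of reachable networks. Unknown groups are ignored.
GATE_GROUP = "VPN-Users"
POLICY = {
    "VPN-Users": set(),
    "VPN-Finance": {"10.10.20.0/24"},
    "VPN-DevOps": {"10.10.30.0/24", "10.10.31.0/24"},
}


def extract_groups(assertion_xml, attr_name=GROUP_CLAIM):
    """Return every non-empty AttributeValue of the named attribute,
    in assertion order. Multiple values of one attribute are the normal
    way an IdP expresses membership in several groups."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def resolve_vpn_access(groups, policy=POLICY, gate_group=GATE_GROUP):
    """Deny by default: no tunnel without the gate group; otherwise the
    reachable resources are the union over every recognised group."""
    if gate_group not in groups:
        return {"allowed": False, "resources": set(), "matched": []}
    matched = [g for g in groups if g in policy]
    resources = set().union(*(policy[g] for g in matched))
    return {"allowed": True, "resources": resources, "matched": matched}


if __name__ == "__main__":
    print(resolve_vpn_access(extract_groups(SAMPLE_ASSERTION)))
```

The union-over-matched-groups rule is what a 20-group deployment needs; a single-group implementation would have to pick one value and drop the rest, which is the limitation the post describes.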
Hi @PhilT_VIT
I'd suggest creating a support case about that -- if we can get a better idea of how many groups it would normally encounter and how much work it would be to modify the groups to work for SSLVPN via SAML, it would make a good feature request.
-James Carson
WatchGuard Customer Support