SAML login for VPN
Hello,
With the recent enhancements to Azure AD MFA implementing number matching, this would be a huge boost for security with the mobile workforce.
Currently, we can use RADIUS via approve/deny or purchase AuthPoint at an additional license fee and use tokens. For those of us already paying for Azure AD, it would be nice to tie it all in together without another purchase.
Unfortunately RADIUS does not support anything except for approve/deny and that is now being exploited through "MFA fatigue" attacks, where an attacker repeatedly sends MFA requests to your device until you approve. Number matching removes this problem.
more info:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
1
Sign In to comment.
Comments
@JohnathanT Which VPN are you using?
We've added an native authpoint option to the SSLVPN on the firebox -- If you're using that solution, I would suggest checking that out.
(If you'd like to keep that information private, please consider opening a case, and we can get a feature request together, or add your information to an existing one.)
-James Carson
WatchGuard Customer Support
From a feature request stance, having native Azure AD authentication as an option (typically via SAML) would be the best option.
We have quite a few setups where this would be ideal, since having Azure AD Directory Services (AADDS) is quite cost prohibitive just to run a RADIUS server "in cloud", and not all our clients have an on-premise AD setup linked to Azure AD either.
AuthPoint, while WatchGuard "native", doesn't fit the bill for our clients as it's not only another authentication/MFA solution (they already use MFA through Azure AD for their Office 365 access), but as JohnathanT said, if you're already paying for it [Azure AD], it would be nice to not have to buy yet another package.
Sidenote - I believe the Cisco Firepower appliance I had to deploy for a client (they wouldn't accept WatchGuard sadly, this being one of the reasons) does support SAML to Azure AD, although for that setup the project is on hold, so if WatchGuard had this capability, it would be an easier sell to customers/management.
In addition to the cost, the seamless MFA users experience when integrated with Azure AD (and Windows Hello for Business) is not something to be disregarded lightly. You can do MFA login without having to type password or TOTP pin. I have done couple of integrations with virtual Cisco ASA and Cisco FIrepower. The user experience, security, and simplicity are well worth it.
Any advancements on this yet? I see Watchguard supports SAML for login to other products:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/sso_saml_config.html
So the boilerplate code is likely already written, it just needs to be incorporated into the VPN side of things (client and server).
We are now seeing regulatory requirements force us to use attack-resistant MFA (in other words, number matching and not approve/deny). These are being forced on us in the next 9-12 months, and it may mean ditching Watchguard if we need to buy Authpoint on top of our Azure AD subscription.
Hi @JohnathanT
You didn't answer the question about which VPN you're using. I need that information to give you the correct information.
SSLVPN has a feature request that is being worked on to allow SAML login. There are other components that need to be worked on, such as IDP portal compatibility.
The feature request ID you're looking for if you want to use SSLVPN is FBX-22728. If you'd like to follow that issue, please open a support case and leave a comment that you'd like to follow FBX-22728. The tech assigned to the case can set that up for you.
For IKEv2 and L2TP VPN, there are limitations due to the clients that are used that make using SAML difficult/impossible.
-James Carson
WatchGuard Customer Support
We too are using SSLVPN with Entra ID and looking to use SAML for login with the SSLVPN client as Entra ID does not natively support RADIUS but does support SAML. You can use the Microsoft Entra multifactor authentication NPS extension but Microsoft's recommendation is to upgrade your VPN client to SAML instead of relying on the Microsoft Entra multifactor authentication NPS extension.
https://learn.microsoft.com/en-us/entra/architecture/auth-radius
Same here, we are also looking for this feature.
I noticed the 12.11 beta now supports Entra ID for Firebox SSO as well as for the SSL VPN authentication. Looking forward to this release.
https://watchguard.centercode.com/key/12_11_Beta