Utilize AuthPoint with Firebox-DB

Would be very neat if we could utilize Firebox-DB for AuthPoint, especially for smaller clients who don't have AD or have the need to run a Radius server (In a P2P environment).

Comments

  • I agree.

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi @CrazyCDN
    You can't use Firebox-DB; however, you can create users in AuthPoint manually, which will accomplish the same thing: having the user exist without an LDAP server.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add-users-manually.html

    *Note that this will not work for Office 365, as that type of account requires a UUID made by an Active Directory server.

    -James Carson
    WatchGuard Customer Support

  • James,

    I must be missing something here. How does having a manually-added user in AuthPoint allow someone to log into the firewall with 2FA, if there are no Firebox-DB users that match? Or is that not what you meant by "You can't use Firebox-DB"?

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi Greg,

    You'd have to use a manual user list in AuthPoint, but it doesn't require AD. It's basically the Firebox-DB, but in the cloud.

    -James Carson
    WatchGuard Customer Support

  • So how would that AuthPoint cloud database tie into a login attempt on the Firebox to do 2FA?

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi Greg.

    Firebox-DB would not tie in; you would need to use the AuthPoint database instead. This would, however, allow you to use MFA without having an agent or an AD server, which is what the customer mentioned was the limiting factor.

    -James Carson
    WatchGuard Customer Support

  • James,

    I use my Windows RADIUS server in Active Directory and Duo 2FA with my SSLVPN. I log into my Firebox, then it does its 2FA and I get a push notice in Duo on my phone. I OK it, and the SSLVPN connects.

    In a non-AD, non-RADIUS setup such as the OP mentioned, I cannot grasp how AuthPoint would be the second factor if it has no tie-in to the Firebox I am logging into for the SSLVPN. With what you described, what would be the SSLVPN login process?

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi Greg, SSLVPN would connect via RADIUS (the AuthPoint Gateway acts as the local RADIUS server).

    -James Carson
    WatchGuard Customer Support

    Hmm. I am going to have to fix my AuthPoint setup and test it. It says my licenses are expired or something like that. Haven't looked at it for a while, but it works with logging into this site and the support site.

    Gregg Hill

  • MartijnN WatchGuard Representative

    With a local Gateway as RADIUS server this does indeed work, as it's not dependent on AD. I'd recommend naming your AuthPoint group "SSLVPN-Users" (case-sensitive), as that's the default group used by the Firebox. Once that works you can change it on both ends if you like.

  • AuthPoint support directly inside the Firebox, without the need of the AuthPoint Gateway, is coming up in Q4. Stay tuned!

  • @Alexandre_Cagnoni said:
    AuthPoint support directly inside the Firebox, without the need of the AuthPoint Gateway, is coming up in Q4. Stay tuned!

    Now you're just talking dirty to me.

    Will this be in a Fireware beta, or a separate AuthPoint beta?

    Gregg Hill

  • edited February 2020

    My situation is: I must enable both Firebox-DB and AuthPoint (no AD) because of client requirements. This is what happens: if I activate Firebox-DB as default, users in Firebox-DB are authenticated and AuthPoint users aren't; if I activate AuthPoint as default, users in AuthPoint are authenticated and Firebox-DB users aren't.
    Question: Is there any step that I missed, or isn't it possible to have these two authentication methods simultaneously?

  • Users who use the secondary auth. server need to type the auth. server name/domain, a backslash (\), followed by the user name:
    example:
    Firebox-DB\Username
    RADIUS\Username or AuthPoint\Username
    (You must type the domain name specified in the RADIUS settings on the Firebox)
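The selection rule described in this post, and the symptom reported two posts up (users on the default server authenticate, users on the other server do not), modelled as an added example. This is not WatchGuard code and does not talk to a Firebox; the server names, user lists and the exact-match rule for the prefix are constructed assumptions for the illustration.

```python
# Added example, not WatchGuard's code: models the rule that a login typed as
# "Server\user" is sent to the named authentication server, while a bare
# username goes to the Firebox's default server. Server names and user lists
# are constructed for the example; the exact-match rule for the prefix is an
# assumption of this example.

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AuthServers:
    """Configured authentication servers and which one is the default."""
    default: str
    users: Dict[str, Set[str]] = field(default_factory=dict)  # server -> users it knows


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split 'Server\\user' into (server, user); a bare name returns (None, user)."""
    prefix, sep, user = login.partition("\\")
    if not sep:
        return None, login
    return prefix, user


def select_server(cfg: AuthServers, login: str) -> Tuple[Optional[str], str, str]:
    """Pick the server a login is routed to. Returns (server or None, user, reason)."""
    prefix, user = parse_login(login)
    if prefix is None:
        return cfg.default, user, "no prefix, default server"
    if prefix not in cfg.users:
        # Prefix must be the name configured on the Firebox (assumed exact match).
        return None, user, f"unknown auth server prefix {prefix!r}"
    return prefix, user, "explicit prefix"


def authenticate(cfg: AuthServers, login: str) -> Tuple[bool, str]:
    """Model the outcome: accepted only if the selected server knows the user."""
    server, user, reason = select_server(cfg, login)
    if server is None:
        return False, reason
    if user in cfg.users[server]:
        return True, f"{user} accepted by {server} ({reason})"
    return False, f"{user} not found on {server} ({reason})"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Reproduce the thread's scenario: Firebox-DB is default, AuthPoint via RADIUS."""
    cfg = AuthServers(
        default="Firebox-DB",
        users={
            "Firebox-DB": {"alice"},  # local Firebox user (constructed)
            "AuthPoint": {"bob"},     # user created manually in AuthPoint (constructed)
        },
    )
    logins = ["alice", "bob", "AuthPoint\\bob", "Firebox-DB\\alice", "Duo\\bob"]
    return {login: authenticate(cfg, login) for login in logins}


if __name__ == "__main__":
    for login, (ok, why) in demo().items():
        print(f"{login:18} -> {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows why a bare "bob" fails while "AuthPoint\bob" succeeds: without a prefix the login never reaches the AuthPoint RADIUS server, so both user populations can coexist only if users on the non-default server type the prefix.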

  • @Kimmo said:

    Users who use the secondary auth. server need to type the auth. server name/domain, a backslash (\), followed by the user name:
    example:
    Firebox-DB\Username
    RADIUS\Username or AuthPoint\Username
    (You must type the domain name specified in the RADIUS settings on the Firebox)

    Do you know if there is official documentation for setting up 2FA with just Firebox-DB?

  • The Firebox doesn't support 2FA/MFA with Firebox-DB users.
    Currently the only way to get 2FA/MFA is to use RADIUS.

    For example, with AuthPoint you create local users in AuthPoint.
    (You don't need to create the users in the Firebox-DB.)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add-users-manually.html

    Then you need to use RADIUS as the authentication server. Install the AuthPoint GW, etc…
    https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ssl-vpn-radius_authpoint.html

  • @Kimmo said:
    Users who use the secondary auth. server need to type the auth. server name/domain, a backslash (\), followed by the user name:
    example:
    Firebox-DB\Username
    RADIUS\Username or AuthPoint\Username
    (You must type the domain name specified in the RADIUS settings on the Firebox)

    Thanks @Kimmo, I missed that :smile:
