Utilize AuthPoint with Firebox-DB
Would be very neat if we could utilize Firebox-DB for AuthPoint, especially for smaller clients who don't have AD or have the need to run a Radius server (In a P2P environment).
2
Sign In to comment.
Comments
I agree.
Gregg Hill
Hi @CrazyCDN
You can't use FIrebox-DB, however you can make users on Authpoint manually, which will accomplish the same thing: Having the user exist without an LDAP server.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add-users-manually.html
*Note that this will not work for office 365, as that type of account requires a UUID made by an active directory server.
-James Carson
WatchGuard Customer Support
James,
I must be missing something here. How does having a manually-added user in AuthPoint allow someone to log into the firewall with 2FA, if there are no Firebox-DB users that match? Or is that not what you meant by "You can't use FIrebox-DB"?
Gregg Hill
Hi Greg,
You'd have to use a manual user list in Authpoint, but it doesn't require AD. It's basically the firebox-db but in the cloud.
-James Carson
WatchGuard Customer Support
So how would that AuthPoint cloud database tie into a login attempt on the Firebox to do 2FA?
Gregg Hill
Hi Greg.
Firebox-DB would not tie in, you would need to use the Authpoint database instead. This would, however, allow you to use MFA without having an agent or having an AD server, which is what the customer mentioned was the limiting factor.
-James Carson
WatchGuard Customer Support
James,
I use my Windows RADIUS server in Active Directory and Duo 2FA with my SSLVPN. I log into my Firebox, then it does its 2FA and I get a push notice in Duo on my phone. I OK it, and the SSLVPN connects.
In a non-AD, non-RADIUS setup such as the OP mentioned, I cannot grasp how AuthPoint would be the second factor if it has no tie-in to the Firebox I am logging into for the SSLVPN. With what you described, what would be the SSLVPN login process?
Gregg Hill
Hi Greg, SSLVPN would connect via RADIUS (The Authpoint Gateway acts as the local radius server.)
-James Carson
WatchGuard Customer Support
Hmm. I am going to have to fix my AuthPoint setup and test it. It says my licenses are expired or something like that. Haven't looked it for a while, but it works with logging into this site and the support site.
Gregg Hill
With a local Gateway as RADIUS server this works indeed as it's not dependent on AD. I'd recommend naming your AuthPoint group case sensitive "SSLVPN-Users" as that's the default group being used by the Firebox. Once that works you can change it on both ends if you like.
AuthPoint support directly inside the Firebox, without the need of the AuthPoint Gateway, is coming up in Q4. Stay tuned!
Now you're just talking dirty to me.
Will this be in a Fireware beta, or a separate AuthPoint beta?
Gregg Hill
My situation is: I must enable both firebox-db and authpoint (no AD) because client requirements. This is what happens: If i activate firebox as default, users at firebox-db are authenticated and authpoint users don´t, If I activate authpoint as default, users at authpoint are authenticated and firebox-db don´t.
Question: Is there any step that I miss or isn´t possible to have this two authentication methods, simultaneously?
Users who uses the secondary auth. server needs to type the auth. server name/domain, backlash (), followed by the user name:
example:
Firebox-DB\Username
RADIUS\Usernames or AuthPoint\Username
(You must type the domain name specified in the RADIUS settings on Firebox)
@Kimmo said:
Do you know if there is official listed documentation to setting up just firebox-db 2FA?
Firebox doesn’t support 2FA/MFA with Firebox-DB users.
Now the only way to get 2FA/MFA is to use Radius.
example with AuthPoint you create local users to the AuthPoint.
(you don’t need to create the users to the Firebox-DB)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/add-users-manually.html
Then you need to use Radius as the authentication server. Install the AuthPoint GW, etc…
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ssl-vpn-radius_authpoint.html
Thanks @Kimmo I miss that