Authpoint Mobile VPN IKEv2

Hello,

I have some difficulties to configure Authpoint with Mobile VPN IKEv2.

At the moment, Authpoint works very well with our Portal, Office 365 and VPN SSL.

I want to switch our VPN to IKEv2 .

I configured Mobile VPN, set to use Radius server (Watchguard Gateway).
Group are the same as VPN SSL, but i also added single user too as test (on Radius server).

But everytime i try to connect, Watchguard M270 logs are the same :

2020-03-05 11:52:00 admd Authentication of MUVPN user [firstname.lastname@RADIUSSERVER] from xxx.xxx.xxx.xxx was rejected, received an Access-Reject response from the (192.168.xx.xx) server msg_id="1100-0005" Event

I cannot figure out where is the configuration problem, and why i get an Access-Reject.

As the Authpoint Gateway logs are not very explicit, it s quite difficult to debug. The only log i get from Gateway is :

020-03-05 11:53:03 INFO [pool-1-thread-6] c.w.a.r.s.AuthenticationService - Authentication request received - HttpStatus: 401 - Request-Id:8687b33c-8be2-4322-a43f-7ba73db841cc

2020-03-05 11:53:03 INFO [pool-1-thread-6] c.w.a.r.flow.AuthenticationFlowImpl - Authentication denied - Protocol: MSCHAPV2 - Username: firstname.lastname - ResourceId: 7224. - Request-Id:8687b33c-8be2-4322-a43f-7ba73db841cc

Any idea ?

Thanks by advance,

BV

Comments

  • You need to join following AuthPoint beta:
    https://watchguard.centercode.com/key/mschapv2

    with AD synced users in AuthPoint, the IKEv2 password (MS-CHAPv2) needs to be checked from AD via the local NPS radius server.
    in your local NPS radius server you need to configure AuthPoint GW as the Radius Client and configure a IKEv2 network policy.
    So AuthPoint GW is radius server to Firebox and radius client to NPS.

  • Hi again,

    So i followed the documentation here :

    https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ikev2-vpn-radius_authpoint.html

    Firebox up to date
    Authpoint Gateway and NPS on same server (NPS listening on different port then 1812).
    Authpoint configured with MS-Chapv2..

    But, no MFA request coming on phone.

    But, i have the following errors on my NPS server (Windows Server 2012 R2) :
    (translated from french, sorry for any mistake) :

    A RADIUS message was received from IP_Address from RADIUS Client non valid.

    In documentation, it is specified that the configuration was done on a 2016 Server... Could it be possible that 2012 R2 is not compatible ?

    Thanks

    BV

  • In nps server the radius client has to pointing to the authpoint gatewsy IP i.e. in yorur configuration to the same IP as the nps server.
  • edited March 2020

    "Firebox up to date" OK, so you have 12.5.3 installed. Please always provide the exact version you have because you may post in the morning and by the afternoon, the version may have changed, as it did with 12.5.3 yesterday.

    In the WatchGuard Cloud AuthPoint setup, your "RADIUS client trusted IP or FQDN" needs to be the LAN IP or FQDN of the Firebox.

    "NPS RADIUS Server trusted IP or FQDN" should be the LAN IP or FQDN of your NPS server.

    On your NPS server (works with Server 2008 R2 through Server 2019), you need a RADIUS Client with the LAN IP or FQDN of the NPS server.

    On the NPS server, you need a Network Policy. On the Constraints tab, enable only MSCHAPv2. On the settings tab, add a Filter-Id of "IKEv2-Users" and then create an active directory group by the same name. OR, you can use any group name you want in AD, and just add that name in the Filter-ID, then set the Firebox to use that name. I like using the built-in "IKEv2-Users" name because it makes for a cleaner config.

    Gregg Hill

  • Hey,

    Thanks for answer, i got it working. Had a (crappy) Symantec Endpoint Protection who was the root of the problem. Fixed it :)

    Thanks everyone for answers.

    BV

Sign In to comment.