M200 with Duo Security 2FA
M200 with 12.5.2, NPS Win Server 2016.
Trying to set up 2FA with Duo Security, following instructions at https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/duo-security-authentication.html
and https://duo.com/docs/radius
Almost all of it seems to be working: the NPS RADIUS server's event viewer shows access granted, and the Duo mobile push shows up on my phone. As soon as I tap Allow in Duo, I get disconnected.
Here's what it looks like:
admd Authentication of L2TPVPN user [myusername@RADIUS] from myIP was accepted msg_id="1100-0004"
l2tp [:00834,sess_change_event_handler]: (l2tp) l2tp-sess: failed to find node with virtual IP:0.0.0.0
If I remove the Duo Auth Proxy, it works:
sessiond L2TP VPN user myusername@RADIUS from myIP logged in assigned virtual IP is 10.0.4.2 msg_id="3E00-0002"
Filter-Id is L2TP-Users, the account is not in a nested group, and the Duo Auth Proxy is set to pass all RADIUS parameters.
It seems that when using Duo, it can't assign virtual IP then it disconnects.
Is the M200 compatible with Duo 2FA?
Comments
Duo 2FA works for the :4100 login page, the SSLVPN login page, and for SSLVPN. It does NOT work for IKEv2 VPN. I have not tested it with L2TP, but it may be related to the issues with IKEv2 VPN.
Gregg Hill
I'm not using IKEv2; what's the issue with it?
Will have to test the SSLVPN tonight when there are no users. I'll submit a case if the SSLVPN doesn't work.
For IKEv2 VPN, the Duo agent does not return the proper information to work. See https://community.duo.com/t/is-duo-compatible-with-watchguard-ikev2-vpn-using-mschapv2/6454
Duo was working on it and released a new agent recently, but I have not had time to test.
If L2TP also uses MSCHAPv2, then it could be related.
Gregg Hill
Thanks for the direction to use SSLVPN, Gregg. I got the SSL VPN to work with Duo.
Currently using the latest Duo Auth Proxy; it doesn't work with MSCHAPv2, which is what the L2TP on the M200 uses for authentication to the NPS RADIUS server.
Would be nice if it worked, because I use L2TP for the sysadmins; the regular users go to the SSL VPN.
Thank you.
AuthPoint works for both SSLVPN and IKv2 VPN.
Gregg Hill
Hi @Goose
The issue is the authentication protocol each VPN type uses. The firewall just passes it along when an external authentication server is in use. Duo specifically doesn't support some iterations of MSCHAP.
If you'd like to use MFA that does support MSCHAPv2, which is what the built-in Windows client uses for some of the VPNs, our MFA suite (AuthPoint) does do this. If you'd like to use Duo, I'd suggest making a feature request with them to support that.
-James Carson
WatchGuard Customer Support
James,
Duo already is working on getting their 2FA to work with WatchGuard's MSCHAPv2. I have an open support case with them on it.
Yes, AuthPoint works flawlessly with both SSLVPN and IKEv2 VPN. Possibly L2TP???
Gregg Hill
@Greggmh123 Where does your ticket stand with resolving this? I have been watching this for a while hoping that they would get it working.
@dustinsjvt , I have no idea. I just emailed them about it. Thank you for the reminder.
Gregg Hill
@dustinsjvt ,
The response I got was that a new version that should fix the issue is being released today, August 17th. "You can download the new release after 3 PM Eastern today, once you see the release notes for v5.0.0 published at https://duo.com/docs/authproxy-notes."
So, I'll test that in a little over three hours from the time of this post (8:44AM PDT).
Gregg
Gregg Hill
Whoo hoo! It works!
Gregg Hill
@Greggmh123 That is fantastic news!
Does someone have an active working setup for WatchGuard SSL working with Duo? Really struggling to get it working with the RADIUS or LDAP proxy.
I have my SSLVPN and IKEv2 VPN both working with both Duo and AuthPoint and Windows 2019 Server's NPS (RADIUS) server. I have it working with both my T35 and T20.
What problems are you having?
Gregg Hill
Thank you for the reply. I tried the RADIUS proxy to our local RADIUS server. When I connect with the SSLVPN app I get the Duo prompt on my 2FA device and authorize it, but SSLVPN doesn't connect and times out. According to most of the posts about this, it suggests that ID 11 (Filter-Id) isn't being passed and to use passthrough, which I am doing, and I followed the WatchGuard guide to the letter (99% sure), so not sure where it's falling down.
I see the auth attempt in the proxy log (can provide) and I see the NPS request being accepted on the NPS server, so it's something after this, I think.
OK, after spending a few hours with the Duo tech guys (really helpful guys, btw) and going through troubleshooting etc., it seems like it's a routing issue between subnets, as the VPN server I was testing with is on another network and for some reason is not receiving the reply from the Duo proxy. Haven't tracked down that issue yet to see if it's the proxy or something else, but in case anyone else ever has the problem, it could be that.
"it seems like its a routing issue between subnets as the vpn server i was testing with is on another network"
Hmm. Isn't that the whole point of a VPN, i.e., to run on another network? I can connect to mine "internally" from any VLAN I allow, from the Trusted network, or from any external site. I test with my laptop using my cell phone as a hotspot to get outside access testing.
What are your authproxy.cfg file contents? Mine looks like this (the port is non-standard because Duo and NPS are on the same server):
;[Main]
;debug=true
[radius_client]
host=192.168.16.11
secret_protected=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pass_through_all=true
[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxx
api_host=api-xxxxxxxxxxxxxxx.duosecurity.com
radius_ip_1=192.168.16.1
radius_secret_protected_1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
failmode=safe
client=radius_client
port=1821
pass_through_all=true
In my AD, I have a user group named to match the WatchGuard "SSLVPN-Users" group. I have my NPS server set with:
Conditions tab:
Authentication Type = PAP
User Groups = Domainname\SSLVPN-Users
Settings tab:
Filter-ID = SSLVPN-Users
Framed-Protocol = PPP
Service-Type = Framed
Gregg Hill
Sorry Gregg, perhaps I didn't explain it well. The WatchGuard Firebox VPN server was on a different network than the Duo proxy. The Firebox I was using for my test is in a datacenter which has a branch office VPN to our main office (where the Duo proxy is installed). The moment I installed a proxy at the DC using the same config (slight IP changes), everything worked.
The only thing I could see was that the external IP of the Firebox was being presented to the proxy, and this is probably why it could never send the authentication-approved message.
So this is the part that causes the issue:
[radius_server_auto]
radius_ip_1=
The moment I moved the Duo proxy to the other network and updated it to the internal IP of the Firebox, all worked as expected. So I need to look at how to make the Firebox pass its internal IP, or perhaps a domain name, and have it resolve internally on the network.
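A small checker for the two failure modes this thread works through (pass_through_all missing so NPS's Filter-Id never reaches the Firebox, and radius_ip_N not matching the address the Firebox actually sends from), added here as an example and not code from Duo or WatchGuard. The sample authproxy.cfg is constructed with placeholder secrets and hypothetical addresses, and it is assumed to parse as INI with ';' comments.

```python
import configparser
from ipaddress import ip_address

# Constructed sample authproxy.cfg modelled on the layout posted above
# (placeholder secrets, hypothetical addresses).
SAMPLE_CFG = """
;[Main]
;debug=true
[radius_client]
host=192.168.16.11
secret_protected=PLACEHOLDER
pass_through_all=true
[radius_server_auto]
ikey=PLACEHOLDER
skey=PLACEHOLDER
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.168.16.1
radius_secret_protected_1=PLACEHOLDER
failmode=safe
client=radius_client
port=1821
pass_through_all=true
"""

def parse_authproxy(text):
    # authproxy.cfg is plain key=value INI with ';' comments; interpolation is
    # disabled so a '%' inside a secret is not misread by configparser.
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), interpolation=None)
    cp.read_string(text)
    return cp

def check_authproxy(cp, firebox_source_ip):
    """Return findings for the misconfigurations discussed in the thread."""
    findings = []
    srv = cp["radius_server_auto"] if cp.has_section("radius_server_auto") else {}
    client_name = srv.get("client", "")
    cli = cp[client_name] if client_name and cp.has_section(client_name) else {}
    # 1. Filter-Id from NPS only reaches the Firebox if both sections pass attributes through.
    for name, sect in (("radius_server_auto", srv), (client_name, cli)):
        if str(sect.get("pass_through_all", "false")).lower() != "true":
            findings.append(f"[{name}] pass_through_all is not true; NPS Filter-Id will be dropped")
    # 2. The Firebox's real source address must match some radius_ip_N entry; a Firebox
    #    reached over a branch-office VPN may present a different (external) address.
    allowed = [ip_address(v) for k, v in srv.items() if k.startswith("radius_ip_")]
    if ip_address(firebox_source_ip) not in allowed:
        findings.append(f"Firebox source {firebox_source_ip} matches no radius_ip_N entry; no reply will be sent")
    # 3. failmode=safe lets primary-authenticated logins through without Duo if Duo is unreachable.
    if srv.get("failmode", "safe").lower() == "safe":
        findings.append("failmode=safe: logins bypass the Duo push if the Duo cloud is unreachable")
    return findings
```

Run check_authproxy() once with the Firebox's internal IP and once with the external IP it presents across the branch-office VPN to see which finding fires.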
Hi Guys,
I still have the problem with L2TP and DUO. SSL works fine.
I'm using DUO 5.1.0.
Is your L2TP working on DUO?
What problems/errors are you having? Are you getting the Duo prompt, for example?
You should install the current version of Duo from here https://dl.duosecurity.com/duoauthproxy-latest.exe
As of today, March 25, 2021, that is version 5.2.1. I have been using 5.2.0 with SSLVPN and IKEv2 VPN without issue. I don't use L2TP VPN.
Gregg Hill