Authpoint push notifications don't work on my device, any alternatives?

edited September 2020 in AuthPoint - General

My job recently required me to access a new watchguard VPN system from home, which is configured to use authpoint for authentication. My only mobile device is a personal phone that runs LineageOS, a fork of Android. I've managed to install the authpoint APK and the application activated successfully. It continuously generates tokens, as I would expect. So far so good.

However, whenever I try to log in using my credentials I am always denied access. The watchguard login process is failing silently and without explanation. After many futile attempts to get it to work with IT staff, I transferred the activation to someone else's mobile phone and that started working.

I'll be quite unhappy if I'm forced to buy a second phone or have to call and bother someone else every time I want to log in for work. Neither of those is reasonable to me, so my question to anyone who is more familiar with these products: do I have any other options? Is there any way for me to log in using the tokens that I see generated in the authpoint application?

I notice that push status says 'outdated'. Is watchguard authpoint always hard-coded to use google services or is there a way to use an independent provider? In the authpoint application there's a button for "Check for pending push notifications", which seems like it would be ideally suited to poll for new authentication request even in the absence of push notifications, however it merely reports "there are no pending notifications" even as I am requesting authentication.

I looked for my issue in the forums but couldn't find anything...I really hope someone has a workaround. In the meantime someone else will probably have to authorize me using their phone. One more question: if it comes to it and I'm forced to buy another phone to use watchguard vpn, does it have to have a sim card and associated monthly expenses or will it work with just wifi?

Comments

  • You don't need a SIM; the phone just needs internet, i.e. WiFi.
  • james.carson Moderator, WatchGuard Representative

    Hi @LGosselin
    The phone will need to be able to hook into Google's or Apple's push services in order to get notifications. LineageOS isn't an OS we support, so no testing has been done on it. I'm unaware if it supports hooking into Google's services. My assumption (based on your experiences, and customers attempting to side-load onto Amazon Fire devices) is that it can't.

    We do support hardware tokens, if you'd prefer to go that route. The easiest way to accomplish that is with hardware tokens, which you can find out more about here:
    https://www.watchguard.com/wgrd-products/authpoint/hardware-tokens

    You can also use 3rd party tokens, but those require that your admin import a seed file into the authpoint administration page.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html

    You'd need to append the OTP to your password, so if your password is 'password' and your OTP is '123456' you'd enter 'password123456' in your password field for the VPN.

    Finally, if you're using SSLVPN your admin is going to need to have users that auth via OTP instead of push in a different group and access policy so that authpoint is expecting the key appended to your password.

    I would encourage you to contact your admin, who can open a support ticket with our support team to get assistance with any of this should they need it.

    -James Carson
    WatchGuard Customer Support

  • Hi James, thank you for responding.

    The Android Open Source Project (AOSP) excludes google's proprietary products and services. Since Authpoint has a hard dependency on google proprietary services, it won't work for users like me who prefer the open source forks of android.

    I wish you would support alternatives because it's quite frustrating to have work login requirements override my choice of OS on what is supposed to be my personal phone.

    Anyways, I'll see what they say about the hardware tokens.

    Can the tokens that are generated onscreen in the Authpoint application be used instead of a separate hardware token?

    Thanks again

  • james.carson Moderator, WatchGuard Representative

    Hi @LGosselin
    Yes, you can even have multiple tokens -- they just have to be assigned to you by the admin for your site.

    It is possible that the OTP tokens on the authpoint app -might- work -- but since it's not a supported OS, I don't want to guarantee that it will. If the admin puts you into a group that has the SSLVPN's access policy set to OTP instead of push, it may work with the phone app and OTP as I described before (password+otp in the password field.)

    -James Carson
    WatchGuard Customer Support
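    As an added illustration (not WatchGuard's code and not how AuthPoint is actually implemented), the following shows how a VPN or RADIUS backend configured for the "OTP instead of push" policy described in the two replies above could separate the appended one-time code from the static password and check it as a standard RFC 6238 TOTP. The seed, password and timestamps are constructed demo values, and treating the token as an OATH TOTP is an assumption of this example.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

OTP_DIGITS = 6       # AuthPoint-style 6-digit code appended to the password
STEP_SECONDS = 30    # TOTP time step
# Constructed demo values only; not a real seed or password.
DEMO_SEED = b"12345678901234567890"
DEMO_PASSWORD = "password"


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, at // step)


def split_password_otp(field: str, digits: int = OTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Split 'password123456' into ('password', '123456'); None if no OTP tail is present."""
    if len(field) <= digits:
        return None
    static, otp = field[:-digits], field[-digits:]
    if not otp.isdigit():
        return None
    return static, otp


def verify(field: str, expected_password: str, seed: bytes, now: int, window: int = 1) -> bool:
    """Accept only if the static part matches AND the OTP matches within +/- window steps."""
    parts = split_password_otp(field)
    if parts is None:
        return False
    static, otp = parts
    pw_ok = hmac.compare_digest(static.encode(), expected_password.encode())
    otp_ok = False
    for delta in range(-window, window + 1):
        # Check every candidate step without early exit so timing does not reveal which matched.
        otp_ok |= hmac.compare_digest(otp, totp(seed, now + delta * STEP_SECONDS))
    return pw_ok and otp_ok
```

    The split only works because the server knows the digit count in advance, which is why the access policy has to be explicitly set to OTP rather than push.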

  • I ended up having to get another device. We tried the password+token authentication as suggested above, but it didn't work even with a vanilla android device. The support staff didn't want to open a trouble ticket with WatchGuard, so I didn't have much choice.

    To anyone else trying to run Authpoint on an android fork, the android version of Authpoint uses push notifications that are dependent on google services. As for the token generator, that might have worked, but my advice is to make sure IT is willing to support that configuration on their end first.

    Anyways thank you for trying to assist, I guess it is unlikely to happen, but it would be nice if Authpoint would run without google services to support 3rd party android forks.

  • @LGosselin said:
    My job recently required me to access a new watchguard VPN system from home, which is configured to use authpoint for authentication. My only mobile device is a personal phone that runs LineageOS, a fork of Android. I've managed to install the authpoint APK and the application activated successfully. It continuously generates tokens, as I would expect. So far so good.

    However, whenever I try to log in using my credentials I am always denied access. The watchguard login process is failing silently and without explanation. After many futile attempts to get it to work with IT staff, I transferred the activation to someone else's mobile phone and that started working.

    I'll be quite unhappy if I'm forced to buy a second phone or have to call and bother someone else every time I want to log in for work. Neither of those is reasonable to me, so my question to anyone who is more familiar with these products: do I have any other options? Is there any way for me to log in using the tokens that I see generated in the authpoint application?

    I notice that push status says 'outdated'. Is watchguard authpoint always hard-coded to use google services or is there a way to use an independent provider? In the authpoint application there's a button for "Check for pending push notifications", which seems like it would be ideally suited to poll for new authentication request even in the absence of push notifications, however it merely reports "there are no pending notifications" even as I am requesting authentication.

    I looked for my issue in the forums but couldn't find anything...I really hope someone has a workaround. In the meantime someone else will probably have to authorize me using their phone. One more question: if it comes to it and I'm forced to buy another phone to use watchguard vpn, does it have to have a sim card and associated monthly expenses or will it work with just wifi?

    Yeah without an APP you either have to get a hardware token or get a phone that supports AuthPoint.... unless WG changes otherwise

  • edited December 2020

    Yeah without an APP you either have to get a hardware token or get a phone that supports AuthPoint.... unless WG changes otherwise

    To be clear, you can install the app and it runs just fine on LineageOS. The problem is that the app itself is programmed to require a connection via google play services. I don't like that Watchguard has outsourced this critical functionality to google, but that's the way they wrote it, leaving 3rd party android forks out in the cold. It forced me to get another phone just to log in.

This discussion has been closed.