Default Radius Interface
Hey All,
I have a branch office firebox with a VPLS point to point and a backup IKEv2 LAN-to-LAN VPN setup. I utilize SD-WAN between the sites. I'm running version 12.6.4. I have RADIUS set up for authentication to manage the firebox as well as a backup VPN entry point. The RADIUS server is MS NPS.
My question is: I noticed all RADIUS communication comes from the IP addresses for the VPLS interface and the BOVPN interface. So in NPS I've had to set up the authenticated client to be from either interface in case of traffic failover. Is there a way to have the firebox communicate from another VLAN that is more specific to management functions, as well as making it so I have only one client device in NPS? Or is it choosing what interface to use based on the route table, and I'm just stuck with 2 device clients in NPS, one for each interface address that RADIUS might come from?
Thanks for any help.
Comments
Hi @AschildmeyerSTR
If you'd like to direct firebox-generated traffic, you can expose the "Any From Firebox" rule and make custom policies above it.
See:
(About Policies for Firebox-Generated Traffic)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_firebox_generated_traffic_about.html
In the rules you generate, you can specify the interface it leaves from (via a custom SD-WAN policy) and the IP that it leaves as (in NAT settings). I'd suggest making very specific rules on specific ports when adding rules here, to ensure you don't accidentally catch any other traffic in your rule.
-James Carson
WatchGuard Customer Support
Ah, that makes sense. I forget the amount of traffic manipulation you can do with the policies these days. Thanks for the help, James.