Unable to customize VPN user validity configuration

Hello everyone,

It seems that WG does not support VPN customizations where we can set up VPN users to have them connected over the VPN on an hourly, daily, monthly and yearly basis.

Also, the password should expire on an hourly, daily or monthly basis as well. This works fine on a Fortinet firewall. Is this something which is already there, or will it be added in the upcoming firmware upgrade?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Pramod
    Which VPN are you using? SSL, IPSec, IKEv2, or L2TP?

    Unless it's a manual firebox-db user, account passwords are usually handled by the authentication server the firebox is pointed at.

    Currently the VPNs do not enforce "custom sessions."

    -James Carson
    WatchGuard Customer Support

  • Dear James,

    Thanks for the reply!

    As of now we are trying to use SSL VPN with a manual firebox-db user only, but we are not able to see an option to set user validity in days. For example, a particular VPN user account should expire after 20 days, whereas another user account should expire after 60 days; we need to set it likewise.
    Is it possible to configure it?

    Thanks & Regards,
    Pramod

  • james.carson Moderator, WatchGuard Representative

    Hi @Pramod
    There's no way to configure this on the firebox at this time using firebox-db.

    -James Carson
    WatchGuard Customer Support

  • Dear James,

    Thanks for the reply!

    Is there any chance to add this as a feature request or to the roadmap of WatchGuard?

    Thanks & Regards,
    Pramod

  • james.carson Moderator, WatchGuard Representative

    Hi @Pramod
    Firebox-DB is in place as a basic auth system -- for customers that want capabilities like you mentioned we generally suggest an external authentication server.
    SSLVPN will connect to AD, LDAP, RADIUS, and AuthPoint.

    There is a feature request for password expiration, that is FBX-5118. I do not expect this to be added in the foreseeable future, however.

    -James Carson
    WatchGuard Customer Support

  • Dear James,

    Thanks for the reply!

    Is it possible with an external RADIUS server? Do you have any idea?
    If yes, could you please share the procedure for it?

    Thanks & Regards,
    Pramod

  • james.carson Moderator, WatchGuard Representative

    Hi @Pramod
    Setting account expiration would be done on that server, not on the firewall -- I'd suggest checking the documentation for whatever RADIUS server you intend on using.

    You can configure RADIUS on the firewall by following the documentation here:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/radius_server_auth_about_c.html

    -James Carson
    WatchGuard Customer Support