Support for PUSH and OTP within same policy with ldap

Hi,

Would like to see support for both PUSH and OTP within the same AuthPoint policy when using ldap radius authentication up against a firebox with either sslvpn or GUI login.

/Robert

Comments

  • This is already supported with sslvpn and Fireware 12.7.x AuthPoint integration. Radius is not supported!
    https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ssl-vpn-radius_authpoint.html

  • RADIUS is supported - I have this working.
    OTP with RADIUS works. Push with RADIUS works. But not if you enable both in the same AuthPoint policy.

    So we have to have AD groups for OTP users and groups for push users, each with different AuthPoint policies.
  • From the help:
    "If you enable the push and OTP authentication methods for an authentication policy, RADIUS client resources associated with that policy will use push notifications to authenticate users. For Firebox resources, users can choose which authentication method to use."

    Why don't you use the new Firebox AuthPoint integration resource, where you can have both Push and OTP auth?
    Are you running a Fireware v12.6.x or lower Firebox device?

  • edited February 2022

    @kimmo.pohjoisaho

    I am on version 12.7.2 and using the new AuthPoint integration, but I have no option anywhere to choose the authentication method in the Firebox configuration when I use RADIUS.

    I asked support and there is a request for this option.

    RFE - AAAS-6139 Allow both OTP and Push for RADIUS resources

    /Robert

  • Hmm… AuthPoint integration does not use RADIUS!
    With AuthPoint integration the Firebox connects directly to the AuthPoint Cloud with HTTPS.

    Are you using AuthPoint Gateway as a RADIUS server?
    i.e. have you configured AuthPoint GW as a RADIUS server in the Fireware Authentication Server settings?
    https://www.screencast.com/t/ZhveVQiTLE

    In AuthPoint Configuration and under resource what type is your Firebox connection?
    https://www.screencast.com/t/GJ5glJvWHnv

  • edited February 2022

    @kimmo.pohjoisaho

    Okay, I am confused now.

    Well, mine is very different. Are you using AuthPoint Gateway as a RADIUS server? Yes.

    i.e. have you configured AuthPoint GW as a RADIUS server in the Fireware
    Authentication Server settings?

    Yes, under RADIUS I have it set up with the IP address and port number the AuthPoint Gateway service is running on.

    In AuthPoint Configuration and under resource, what type is your Firebox connection?

    Only as a RADIUS Client, where attribute 11 is set to the users' Active Directory groups and the NPS RADIUS server is set to the Windows NPS server.

    Totally wrong?

  • @kimmo.pohjoisaho

    Wow, you are totally right!

    I created a Firebox RADIUS client as a resource and made an AuthPoint policy. Now I get asked whether I want to use push or OTP with both SSL VPN and Firebox authentication.

    This has gone wrong on many levels for me. First I had a WatchGuard Gold partner helping me set up the first cluster, and second I asked support, and both parties had it wrong.

  • @kimmo.pohjoisaho

    Now I got it.

    No need for a RADIUS authentication server on the Firebox anymore.

    All users and groups must be associated with the authentication server AuthPoint (which is created when adding the Firebox to the Cloud as a resource) in the Firebox configuration.

    When configuring the Firebox as a RADIUS client in the Cloud, this is used in the Cloud gateway as a RADIUS resource, which in turn is used when connecting with IKEv2.

    Am I right?

    /Robert

  • Your terminology is a little bit wrong...
    but yes, you don't need the RADIUS server in the Firebox configuration or the RADIUS client resource in the AuthPoint Cloud anymore.

    AuthPoint integration does not use the RADIUS protocol, so the Firebox is not a RADIUS client to the AuthPoint Cloud!
    The Firebox connects with HTTPS to the Cloud.

    When you use the AuthPoint integration (in AuthPoint Resource settings; Type = Firebox) you don't need the AuthPoint Gateway.

    Well, you need the AuthPoint GW to do LDAP sync if you have an on-prem AD, and when you first sync your AD users to the AuthPoint Cloud.
    But after this there is no need for the AuthPoint GW and its LDAP or RADIUS services when doing MFA authentication.

    With on-prem AD and AuthPoint integration SSL VPN authentication, the AuthPoint Cloud tells the Firebox to check the user credentials against the AD server with LDAP.

    With on-prem AD and AuthPoint integration IKEv2 authentication, the AuthPoint Cloud tells the Firebox to check the user credentials against the RADIUS NPS server.

    Check the different Authentication Workflows from here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/resources_firebox.html

  • @kimmo.pohjoisaho

    Thank you for this explanation. Very easy to understand. You made my day.
    Thank you.

  • Hello, I'm dealing with the same thing. I have a Firebox T35 with firmware 12.5, so I cannot use AuthPoint for MFA. I set up the MFA setting with RADIUS. It works, but when I set the policy to push notification, OTP is not working in this policy. When I set the policy to OTP only, it works (adding numbers to the end of my password).
    My question is: Is there a way to set up a working policy for Push and OTP with the RADIUS setting?
    It works with other boxes with AuthPoint, but for the T35 I must use RADIUS...
