Comments
-
With multiple AD authentication, I think the only way to do this is with Microsoft NPS Proxy radius. i.e. Firebox sends the authentication request to a NPS radius Proxy, that then sends respective domain to the right AD and its NPS radius server. https://www.youtube.com/watch?v=X_VMAJmotXY
-
You need to change the Login Attribute from the default sAMAccountName to mail. You also need to give a DN of Searching User and its password. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/active_directory_about_c.html
-
Hi Alexandre, could you share how you created the Yubikey seed file, yk-pskc.py, that you refer to in your "Yubikey Hardware Token Integration with AuthPoint" guide?
-
https://www.watchguard.com/support/release-notes/WatchGuard_Cloud/en-US/index.html#en-US/WatchGuard-Cloud/ap_firmware_WGC.html
-
Hi, yep, Windows sends the Windows credentials as "DOMAIN\username"; notice the capital letters. So if you want to use the "Automatically use my windows logon name and password" mode with the IKEv2, configure the domain name with capital letters in the RADIUS settings. See attached images.
-
Maybe this? https://portal.watchguard.com/wgknowledgebase?type=Article&SFDCID=kA10H000000g2vHSAQ&lang=en_US
-
Yep, it's possible. You can disable it from the CLI. Check https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/configure_fb_for_mpvpn_ssl_c_before.html
-
On the customer's AD Windows server just configure a Network Policy and Access Services (NPS) role. For how to set up NPS, just google, for example, "windows NPS install" and you will find a lot of how-to guides for setting up NPS, like this one:…
-
Hi Alexandre, I would like to see even easier support for Yubikey, both how to enroll the Yubikey and how to use it…. If you check the following SecurEnvoy & Yubikey YouTube video, https://www.youtube.com/watch?v=5oNg9OBOAXY (from 2:50 - 4:00 min), is this something maybe AuthPoint could also support?
-
Yubikey Hardware Token Integration with AuthPoint: https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/Yubikey_authpoint.html
-
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2021-00003
-
@justanotheruser "If I have a Cloud-managed firebox with an existing configuration and I remove it from Cloud management, the firebox will be locally managed but does it use the default configuration or the configuration from the Cloud?" When you remove the firebox from Cloud management, the device continues to run…
-
Is your Firebox device External port configured to use DHCP?
-
Yep, https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/access%20portal/access_portal_reverse-proxy.html
-
Enterprise authentication options only appear if you have configured an Authentication Domain with a RADIUS server. https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/access_point/ap_authentication_domains.html
-
You can remove the outgoing D.NAT config and just add an outgoing SMTP policy FROM: 10.1.1.1 TO: Any-External, and in the policy's Advanced Settings configure 1.1.1.1 as the Source IP.
-
You can create a new User and add it as a Device Administrator. Then you can log in and do a config save in WSM with just this Device Admin user… https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/role-based_admin/device-rba_users-roles_c.html
-
Your terminology is a little bit wrong.... but yes, you don't need the RADIUS server in the Firebox configuration or the RADIUS client resource in the AuthPoint cloud anymore. AuthPoint integration does not use the RADIUS protocol, so the Firebox is not a RADIUS client to the AuthPoint Cloud! The Firebox connects with HTTPS to the Cloud.…
-
Hmm… AuthPoint integration does not use RADIUS! With AuthPoint integration the Firebox connects directly to the AuthPoint Cloud with HTTPS. Are you using AuthPoint Gateway as a RADIUS server? i.e. have you configured AuthPoint GW as a RADIUS server in the Fireware Authentication Server settings…
-
From the help: "If you enable the push and OTP authentication methods for an authentication policy, RADIUS client resources associated with that policy will use push notifications to authenticate users. For Firebox resources, users can choose which authentication method to use." Why don't you use the new Firebox AuthPoint…
-
This is already supported with SSLVPN and the Fireware 12.7.x AuthPoint integration. RADIUS is not supported! https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/firebox-ssl-vpn-radius_authpoint.html
-
Changing the IKEv2 VPN from Forced tunnel (the default mode) to Split tunnel is more a Windows 10 configuration than a Firebox configuration…. Open PowerShell (Run as admin), change IKEv2 to split mode and add the on-prem network routes: Set-VpnConnection "WG IKEv2" -SplitTunneling $true; Add-VpnConnectionRoute "WG IKEv2"…
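The full client-side procedure from the comment above, as an added example (not part of the original comment): it switches an existing IKEv2 profile to split tunneling, adds each on-prem prefix only if it is not already present, and prints the resulting state. The connection name "WG IKEv2" and the two prefixes are assumed sample values; run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example: switch a Windows IKEv2 VPN profile to split tunneling and
# add on-prem routes idempotently. Connection name and prefixes are
# constructed sample values; replace them with your own.
$ConnectionName = "WG IKEv2"
$OnPremNetworks = @("10.0.0.0/24", "10.0.10.0/24")   # constructed sample prefixes

# Fail early if the profile does not exist (user-scope profile assumed;
# add -AllUserConnection to each cmdlet for an all-users profile).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Forced tunnel is the default; only flip the flag when it is still off.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Collect the prefixes already routed through the tunnel so re-running
# the script does not add duplicates.
$existing = (Get-VpnConnection -Name $ConnectionName).Routes |
    ForEach-Object { $_.DestinationPrefix }

foreach ($prefix in $OnPremNetworks) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Verify: SplitTunneling should be True and every on-prem prefix listed.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling
(Get-VpnConnection -Name $ConnectionName).Routes | Select-Object DestinationPrefix
```

With split tunneling enabled, only the listed prefixes go through the Firebox; everything else leaves via the local default gateway, so any networks you expect the Firebox policies to inspect must be in the list.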
-
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/
-
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/
-
Do your mpls networks browse out to the internet through your Firebox?
-
Then the problem can be that the MPLS networks don't have a route back to your Firebox...
-
How is your SSLVPN route configured? Try with the "Force all client traffic through tunnel" config or the "Specify allowed resources" config and add all the necessary networks…
-
Microsoft confirmed on Thursday that "Certain IPSEC connections might fail" and that they will fix the issue in an upcoming release of Windows. "After installing KB5009543, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet…
-
The SSLVPN client doesn't support MS-CHAPv2, only PAP. IKEv2 and L2TP VPN clients support MS-CHAPv2.
-
Seems to be a Microsoft problem... https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/