08-11-2020 01:43 AM
Has anyone successfully set up a WatchGuard firewall with Duo RADIUS?
I have set up my Duo Proxy:
[radius_client]
host=127.0.0.1
port=1812
secret=xxxxxxxxxx
pass_through_all=true
[radius_server_auto]
ikey=xxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxx
api_host=xxxxxxxxxxxxx
radius_ip_1=192.168.36.2
radius_secret_1=xxxxxxx
client=ad_client
pass_through_all=true
failmode=safe
port=18120
Set up NPS on the same box
RADIUS client
Address 127.0.0.1
Shared Secret
Network policy
Grant access
Conditions - user group SSLVPN-Users
PAP
RADIUS attributes, Standard
Framed-Protocol PPP
Service-Type Framed
Filter-ID - SSLVPN-Users
On the WatchGuard I set all the RADIUS settings as per the documentation.
It does a Duo push, then I get:
2020-08-11 09:42:26 admd Authentication of SSLVPN user xxxxx@RADIUS] from 192.168.36.33 rejected, user isn’t in the right group id=“1100-0005”
Does anyone have any suggestions?
Thanks,
Brett
08-20-2020 02:02 PM
Hi @BAB, right now you have the Filter-ID set to SSLVPN-Users. Notice how the response you get says “user isn’t in the right group”? I think the issue here is that you have to specify attribute 11 (filter-id) as the group attribute when using groups for VPN authorization with this configuration. I got this answer from a past discussion on integrating Watchguard and the Duo Authentication Proxy using Radius, which you can check out for more details. Does this help?
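To make the "user isn't in the right group" message concrete, here is an added example (not code from the thread, Duo or WatchGuard) that builds and parses RADIUS Access-Accept packets the way an NPS policy like the one posted would produce them. It verifies the Response Authenticator from RFC 2865 against the shared secret, then looks for the group name in Filter-Id (attribute 11). The Request Authenticator, shared secret, identifiers and the `evaluate` decision logic are constructed for the example; the attribute types and values (Service-Type Framed, Framed-Protocol PPP, Filter-Id) are the ones named in the first post.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the attribute types named in the thread (RFC 2865)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
SERVICE_TYPE = 6       # Service-Type; value 2 = Framed
FRAMED_PROTOCOL = 7    # Framed-Protocol; value 1 = PPP
FILTER_ID = 11         # Filter-Id: the attribute the group name is carried in


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS AVPs: type, length, value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Walk the AVP list, refusing truncated or impossibly short attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError(f"bad length {ln} for attribute {t}")
        attrs.append((t, bytes(data[i + 2:i + ln])))
        i += ln
    return attrs


def build_response(code, identifier, request_auth, secret, attrs):
    """Build an Access-Accept/Reject with its Response Authenticator (RFC 2865 s3)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def parse_response(pkt, request_auth, secret):
    """Verify the Response Authenticator, then return (code, identifier, attrs)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampering")
    return code, identifier, decode_attrs(body)


def filter_id_groups(attrs):
    """All Filter-Id values in the reply, decoded as text."""
    return [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]


def authorised_for_group(attrs, required_group):
    return required_group in filter_id_groups(attrs)


# Constructed sample values (not from the thread): a fixed Request Authenticator,
# a shared secret, and the attributes the posted NPS network policy returns.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
ACCEPT_WITH_GROUP = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, [
    (SERVICE_TYPE, struct.pack("!I", 2)),      # Framed
    (FRAMED_PROTOCOL, struct.pack("!I", 1)),   # PPP
    (FILTER_ID, b"SSLVPN-Users"),
])
# Same accept, but the policy forgot to send the group attribute.
ACCEPT_WITHOUT_GROUP = build_response(ACCESS_ACCEPT, 8, REQUEST_AUTH, SECRET, [
    (SERVICE_TYPE, struct.pack("!I", 2)),
    (FRAMED_PROTOCOL, struct.pack("!I", 1)),
])


def evaluate(pkt, required_group="SSLVPN-Users"):
    """Hypothetical firewall-side decision: RADIUS accept AND group present."""
    code, _, attrs = parse_response(pkt, REQUEST_AUTH, SECRET)
    if code != ACCESS_ACCEPT:
        return "rejected by RADIUS"
    if not authorised_for_group(attrs, required_group):
        return "accepted by RADIUS but user isn't in the right group"
    return "accepted"


if __name__ == "__main__":
    print(evaluate(ACCEPT_WITH_GROUP))
    print(evaluate(ACCEPT_WITHOUT_GROUP))
```

The second packet is the interesting one: the authentication itself succeeds (and the Duo push completes), yet the firewall has nothing to match its group list against, which is exactly the shape of failure reported above. A wrong shared secret on either side fails earlier, at the Response Authenticator check, so the two problems are distinguishable in a capture.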
11-16-2020 05:46 AM
Hi,
I have the same issue with having attribute 11. I believe this is a Watchguard problem, as there is a “Users and Groups” part to specify which users or groups Watchguard must authenticate. Now when I add a user in this section, everything works fine and I get the Duo push and get authenticated by Watchguard. But when I add the group in this part and disable the user (considering that the user is added to this group and the config on the Duo part is OK too), when I enter the username and password I get the Duo push, but when I accept it, Watchguard denies my connection, saying that the user is rejected with the same error that was mentioned above. So I want to change from RADIUS to LDAP to see if anything changes. I will try to update this post when I have tried it.
11-16-2020 06:05 AM
OK, I just made it work. So I was missing two things:
sudo firewall-cmd --add-port=1812/udp
sudo firewall-cmd --add-port=18120/udp
sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload
These two solved my issue and I can authenticate with 2FA.
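The ports opened above (18120 for the proxy's listener and 1812 for the NPS it forwards to) can both be read straight out of authproxy.cfg. As an added example, not part of this thread or of Duo's tooling, here is a small checker that parses a proxy config, reports which UDP ports the proxy listens on and where it forwards, and flags two common misconfigurations: a `client=` line that names a section that does not exist, and a `radius_ip_N` without its matching `radius_secret_N`. The sample config is constructed to mirror the one posted, with placeholder secrets and an `[ad_client]` section added so that the `client=ad_client` reference resolves; the 1812 default for a missing `port=` is an assumption.

```python
import configparser

# Constructed sample modelled on the posted config; all secrets are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=192.168.36.10
service_account_username=duo-svc
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local

[radius_client]
host=127.0.0.1
port=1812
secret=PLACEHOLDER
pass_through_all=true

[radius_server_auto]
ikey=PLACEHOLDER
skey=PLACEHOLDER
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.168.36.2
radius_secret_1=PLACEHOLDER
client=ad_client
pass_through_all=true
failmode=safe
port=18120
"""

DEFAULT_RADIUS_PORT = 1812  # assumed default when a section has no port= line


def load_cfg(text):
    # interpolation=None so literal '%' in secrets is not treated specially
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_authproxy(text):
    """Return listener ports, upstream RADIUS target and a list of problems found."""
    cp = load_cfg(text)
    problems, listen_ports, upstream = [], [], []

    for sec in cp.sections():
        if not sec.startswith("radius_server_"):
            continue
        s = cp[sec]

        # every RADIUS server section must point at a primary-auth client section
        client = s.get("client")
        if client is None:
            problems.append(f"[{sec}] has no client= line")
        elif client not in cp:
            problems.append(f"[{sec}] client={client} refers to a missing section")

        listen_ports.append(s.getint("port", DEFAULT_RADIUS_PORT))

        # radius_ip_N and radius_secret_N must come in matched pairs
        ips = {k[len("radius_ip_"):] for k in s if k.startswith("radius_ip_")}
        secrets = {k[len("radius_secret_"):] for k in s if k.startswith("radius_secret_")}
        for n in sorted(ips ^ secrets):
            problems.append(f"[{sec}] radius_ip_{n}/radius_secret_{n} not paired")
        if not ips:
            problems.append(f"[{sec}] lists no radius_ip_N devices")

    if "radius_client" in cp:
        rc = cp["radius_client"]
        upstream.append((rc.get("host"), rc.getint("port", DEFAULT_RADIUS_PORT)))

    return {
        "problems": problems,
        "listen_udp_ports": sorted(set(listen_ports)),
        "upstream_radius": upstream,
    }


if __name__ == "__main__":
    report = check_authproxy(SAMPLE_CFG)
    print("proxy listens on UDP:", report["listen_udp_ports"])
    print("forwards primary auth to:", report["upstream_radius"])
    print("problems:", report["problems"] or "none")
```

Run against the sample it reports a listener on 18120 and an upstream of 127.0.0.1:1812, which are the two host-firewall rules added in the post above; anything in `problems` is worth fixing before looking at the firewall at all.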