18753 Views | 1 Helpful | 21 Replies

Duo integration with Watchguard Mobile SSLVPN

BenjaminC1341
Level 1

Wondering if anyone has implemented Duo authentication with a WatchGuard Mobile SSLVPN.

WatchGuard has an implementation PDF but it lists the requirements as being an actual RADIUS server for primary authentication. http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf

I’ve configured a similar setup using a SonicWALL TZ series following the generic RADIUS application configuration from Duo but using AD for primary authentication.

Does the proxy not abstract whatever is being used as the primary authentication so it doesn’t matter whether it is RADIUS or AD?

21 Replies

I am not sure if I understand your question.

If the Duo Authentication Proxy acts as a RADIUS server, then that RADIUS configuration can in-turn use either LDAP or RADIUS for primary authentication (or not try to perform primary auth at all).

If the Duo Authentication Proxy acts as an LDAP server, then that LDAP configuration can ONLY use LDAP for primary authentication.

The solution @tfridlington describes in this post has the Duo proxy configured for LDAP connections from WatchGuard, so then it must also be using LDAP for primary auth to AD or another LDAP directory.

Duo, not DUO.
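The pairing rule in the reply above (a RADIUS listener may chain to an LDAP client, a RADIUS client, or no primary auth at all; an LDAP listener may chain only to an LDAP client) is easy to get wrong in a hand-edited authproxy.cfg. The script below is an added example, not Duo's code and not a file posted by anyone in this thread: it parses a constructed config (the ikey, skey, api_host, hostnames and secrets are placeholders) with Python's configparser and reports, per server section, whether its `client` key names a section the proxy can actually use for primary authentication. Only the two server types discussed here are modelled; the proxy's other listener types are ignored.

```python
"""Check that each Duo Authentication Proxy server section in an authproxy.cfg
names a primary-auth client section it is allowed to use.

Added example, not Duo's code. It encodes only the rule stated in the reply
above: a radius_server_auto section may use ad_client (LDAP), radius_client
(RADIUS) or duo_only_client (no primary auth); an ldap_server_auto section may
use only ad_client. Other server types the proxy supports are not modelled.
"""
import configparser
from typing import Dict, Set

# Which client sections each server section may name in its `client` key.
ALLOWED_CLIENTS: Dict[str, Set[str]] = {
    "ldap_server_auto": {"ad_client"},
    "radius_server_auto": {"ad_client", "radius_client", "duo_only_client"},
}

# Constructed sample config; ikey/skey/api_host/hosts/secrets are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=dc1.example.local
service_account_username=svc_duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local

[radius_client]
host=radius.example.local
secret=PLACEHOLDER

; WatchGuard -> proxy over LDAP, proxy -> AD over LDAP (the layout that worked in this thread)
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=1815
exempt_ou_1=CN=svc_duo,OU=ServiceAccounts,DC=example,DC=local

; A RADIUS listener may front either directory type
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
port=1812

; Deliberately wrong: an LDAP listener cannot chain to a RADIUS primary
[ldap_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
port=1816

; Deliberately wrong: no client named at all
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
port=1813
"""


def base_name(section: str) -> str:
    """Strip the numeric suffix the proxy allows on repeated sections
    (ldap_server_auto2 -> ldap_server_auto)."""
    return section.rstrip("0123456789")


def check_pairings(cfg_text: str) -> Dict[str, str]:
    """Return a verdict string per server section found in cfg_text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    verdicts: Dict[str, str] = {}
    for section in parser.sections():
        kind = base_name(section)
        if kind not in ALLOWED_CLIENTS:
            continue  # a client section, or a server type not modelled here
        client = parser.get(section, "client", fallback=None)
        if client is None:
            verdicts[section] = "missing 'client' key"
        elif client not in parser.sections():
            verdicts[section] = f"client section [{client}] not defined"
        elif base_name(client) not in ALLOWED_CLIENTS[kind]:
            verdicts[section] = (
                f"[{kind}] cannot use [{base_name(client)}] for primary auth; "
                f"allowed: {sorted(ALLOWED_CLIENTS[kind])}"
            )
        else:
            verdicts[section] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_pairings(SAMPLE_CFG).items():
        print(f"[{name}]: {verdict}")
```

To run it against a real proxy, pass the contents of the installed authproxy.cfg to `check_pairings` instead of `SAMPLE_CFG`; the function only reads the `client` key of each listener section, so the rest of the file is untouched.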

BAB2
Level 1

Connect to server: Ok (connected to 192.168.36.212)

Log in (bind): Failed (user xxxxxxxx@LDAP is not authenticated[user doesn’t exist, check your username])

Get group membership:

It seems to put @LDAP after it all the time.

So frustrating, still can't get this working (Watchguard with LDAP). Anyone have any ideas?

2020-08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [Uninitialized] Connection made between client: 192.168.36.2:40317 and the server section listening via 192.168.36.212:1815.
2020-08-10T11:19:13+0100 [Uninitialized] C->S LDAPMessage(id=4, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=4, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] [Request from 192.168.36.2:40317] Exempt OU: CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=2, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=5, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=6, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] Closing the connection between the downstream application and the Authentication Proxy. Reason: Connection was closed cleanly.
2020-08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>

Thanks,
B

The proxy is performing an LDAP search for the user whose CN is userxx, and is receiving no results. Maybe you need to select a different login attribute to match the value?

Duo, not DUO.
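The diagnosis above can be made mechanically instead of by reading the debug log line by line. The script below is an added example, not Duo's code and not posted by anyone in this thread. It follows the proxy's C->S / C<-S lines (proxy to directory and back), pairs each LDAPSearchRequest with the replies carrying the same message id, and counts LDAPSearchResultEntry replies against LDAPSearchResultReference replies. The embedded log is constructed: the first search (id=5) mirrors the failure BAB2 posted, while the second search (id=7, on sAMAccountName) and its entry reply are invented to show what a successful lookup looks like. The three referrals to DomainDnsZones, ForestDnsZones and Configuration are what Active Directory returns for any subtree search from the domain root; they are not matches, so a search that returns only referrals and resultCode=0 found nothing.

```python
"""Summarise the user-lookup searches in a Duo Authentication Proxy debug log.

Added example, not Duo's code. It follows the proxy's C->S / C<-S lines (proxy
to directory and back), pairs each LDAPSearchRequest with the replies that
carry the same message id, and counts result entries against referrals, which
is the check the reply above makes by eye.
"""
import re
from typing import Dict, List

# Constructed log excerpt shaped like the one posted above. The first search
# (id=5) mirrors the posted failure; the second (id=7) is invented to show a
# search that actually matches an object.
SAMPLE_LOG = """\
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=5, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:14+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=7, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='sAMAccountName'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:14+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=7, value=LDAPSearchResultEntry(objectName='CN=User XX,OU=Users,DC=XX,DC=local', attributes=[('sAMAccountName', ['userxx'])]), controls=None)
2020-08-10T11:19:14+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=7, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:14+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=7, value=LDAPSearchResultDone(resultCode=0), controls=None)
"""

# A search the proxy sends to the directory: capture its id and equality filter.
REQ_RE = re.compile(
    r"C->S LDAPMessage\(id=(?P<id>\d+), value=LDAPSearchRequest\(.*?"
    r"attributeDesc=BEROctetString\(value='(?P<attr>[^']*)'\), "
    r"assertionValue=BEROctetString\(value='(?P<val>[^']*)'\)"
)
# A search reply from the directory: entry, referral, or the final done message.
RESP_RE = re.compile(
    r"C<-S LDAPMessage\(id=(?P<id>\d+), "
    r"value=(?P<kind>LDAPSearchResult(?:Entry|Reference|Done))"
    r"(?:\(resultCode=(?P<code>\d+))?"
)


def summarize_searches(log_text: str) -> List[Dict]:
    """One summary dict per LDAPSearchRequest, in the order they were sent."""
    # Forum software turns ' into curly quotes; normalise before matching.
    log_text = log_text.replace("\u2018", "'").replace("\u2019", "'")
    searches: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            searches[req["id"]] = {
                "id": int(req["id"]), "attribute": req["attr"], "value": req["val"],
                "entries": 0, "referrals": 0, "result_code": None,
            }
            continue
        resp = RESP_RE.search(line)
        if resp and resp["id"] in searches:
            s = searches[resp["id"]]
            if resp["kind"] == "LDAPSearchResultEntry":
                s["entries"] += 1
            elif resp["kind"] == "LDAPSearchResultReference":
                s["referrals"] += 1
            else:
                s["result_code"] = int(resp["code"])
    return list(searches.values())


def diagnose(search: Dict) -> str:
    """Plain-language verdict for one summarised search."""
    if search["result_code"] is None:
        return "search did not complete (no LDAPSearchResultDone)"
    if search["result_code"] != 0:
        return f"directory returned resultCode={search['result_code']}"
    if search["entries"] == 0:
        return (f"0 entries for {search['attribute']}={search['value']} "
                f"({search['referrals']} referrals): no object matched; "
                f"check the login attribute the proxy searches on")
    return (f"{search['entries']} entry(ies) matched "
            f"{search['attribute']}={search['value']}")


if __name__ == "__main__":
    for s in summarize_searches(SAMPLE_LOG):
        print(f"id={s['id']}: {diagnose(s)}")
```

Feed it the proxy's own log (captured with debug logging turned on in the [main] section) and look at the attribute each failing search used; if the proxy is matching on cn while users type their sAMAccountName or UPN, the entry count will be 0 exactly as in the posted excerpt.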

MtnDew213
Level 1

Anyone active on the post that managed to get Watchguard VPN working with Duo that wouldn't mind helping out?

tfridlington
Level 1

Sorry, it’s been a while, and I’m nowhere near a Watchguard these days. But if I recall, I set it up as AD auth from Watchguard → proxy, then LDAP from proxy → DC. With those particular switches configured in the proxy configuration. Hope it helps.

MtnDew213
Level 1

Thanks, it seems like our issue was due to the watchguard vpn server being on a different network to the duo proxy.

ruibenavente
Level 1

Hi,

I’m trying to implement the configuration achieved by @tfridlington but without success.

Can someone please share the configs for the DUO Proxy and for Watchguard, with ActiveDirectory/LDAP as the first form of authentication and DUO as the second form?

DUO Proxy
;Clients

;Servers

Watchguard
;Server for Authentication

Thank you a lot!
Rui
