
Duo Watchguard SSL VPN

Honeypot
Level 1

Hi, we’re a university that is already using Duo Security campus-wide, but for my purpose we’re a small department that uses a different user name than the campus-wide one.
I’m using a Watchguard M200 for VPN access, along with NPS / AD for authentication. This is working great, but I’d like to add Duo Security as MFA.

I followed both the WG guide and the Duo RADIUS guide, but I’m having a connection problem.

Everything seems to be working as intended (VPN is connecting, I get prompted on my mobile to approve/deny the connection request) until I tap on the Duo Mobile green checkbox, then I get disconnected. The error on the WG device is ‘user isn’t in the right group’.
The problem seems to be very identical to this post.

I tested some more by connecting the Duo Auth Proxy RADIUS to NPS. The event viewer on the NPS confirms the connection is access granted, but the WG disconnects. This tells me the NPS authentication server approves the login with the correct user and password, but the WG device did not get the message of approval.

I believe the problem is the Duo Auth Proxy is not sending back the “filter-id” property to the WG device upon approval on the Duo Mobile app. The filter-id contains the user group property where the WG device expects it when the connection is approved by the NPS. When the WG device doesn’t receive the filter-id, it would assume the connection is not authenticated, hence the disconnection.

How can I get this to work?
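
One way to check the hypothesis in the post above is to capture the Access-Accept that reaches the firewall and see whether it carries Filter-Id at all. The following is an added example, not code from the poster, Duo or WatchGuard; it parses the RADIUS packet layout from RFC 2865, and the group name `SSLVPN-Users` and both sample packets are constructed assumptions.

```python
import struct

ACCESS_ACCEPT = 2     # RFC 2865 packet code
FILTER_ID = 11        # RFC 2865 attribute carrying the group name
VENDOR_SPECIFIC = 26  # RFC 2865 container for vendor attributes
MICROSOFT = 311       # vendor id of the MS-CHAPv2 / MPPE attributes (RFC 2548)

def parse_radius(packet: bytes) -> dict:
    """Return packet code, Filter-Id values and Microsoft VSA types."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured data")
    filter_ids, ms_vsa_types = [], []
    pos = 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == FILTER_ID:
            filter_ids.append(value.decode("utf-8", "replace"))
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == MICROSOFT:
                ms_vsa_types.append(value[4])  # e.g. 16/17 = MPPE keys
        pos += a_len
    return {"code": code, "filter_ids": filter_ids,
            "ms_vsa_types": ms_vsa_types}

def group_would_match(packet: bytes, expected_group: str) -> bool:
    """True only for an Access-Accept whose Filter-Id names the group."""
    info = parse_radius(packet)
    return info["code"] == ACCESS_ACCEPT and expected_group in info["filter_ids"]

def build_accept(attrs) -> bytes:
    """Build a constructed Access-Accept (zeroed authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: what NPS sends directly vs. a reply without the group.
WITH_GROUP = build_accept([(FILTER_ID, b"SSLVPN-Users")])
WITHOUT_GROUP = build_accept([(18, b"Success")])  # Reply-Message only

if __name__ == "__main__":
    for name, pkt in (("with", WITH_GROUP), ("without", WITHOUT_GROUP)):
        print(name, parse_radius(pkt), group_would_match(pkt, "SSLVPN-Users"))
```

Feed `parse_radius` the UDP payload of the reply captured on each hop (NPS to proxy, proxy to firewall); a Filter-Id present on the first hop and absent on the second confirms the attribute is being dropped by the proxy.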

6 Replies

DuoKristina
Cisco Employee

I found the problem, it looks like Duo Auth Proxy does not like MSCHAPv2; it uses unencrypted PAP. I hope this can be added in a future release.

The Duo Authentication Proxy does support MS-CHAPv2 with specific requirements (that it must be RADIUS end-to-end). Anecdotally we’ve heard that it works fine for Watchguard SSL VPN, but we’re aware of an issue with MS-CHAPv2 and Watchguard’s IKEv2 VPN that we plan to correct in a future release (I can’t provide a date at this time).

If you’d like to keep apprised of progress with this, contact your Duo account exec or Duo Customer Success Manager (if you have one), or Duo Support, and ask to be added to the feature request for “Watchguard MPPE”.

Duo, not DUO.

So how is this resolved? I authenticate through DUO and the NPS Radius Server and then the SSLVPN just disconnects on the client side of the Watchguard. I am guessing the same thing. Protocol issues or something with attributes that aren't passing. Frustrated with something that should already be working.

According to the last two posts in this other thread: Is Duo compatible with WatchGuard IKEv2 VPN using MSCHAPv2? they were working after updating the proxy. If you are not on the latest v5 version try updating. If you have other issues try contacting Duo Support, or perhaps if you post there other community members could give you some pointers.

Duo, not DUO.

Thanks Kristina. I am using the latest proxy and have engaged support multiple times.
