Duo and Watchguard SSLVPN with LDAP

gregulator
Level 1

Has anyone configured WatchGuard's SSL VPN to use Active Directory credentials via LDAP and Duo as 2FA? All the instructions to set up the VPN are to create local users on the WatchGuard itself, rather than using AD creds. I have tried configuring Duo to use ad_client and radius_client and it doesn't seem to work. I want to know if there is a way to use AD credentials with Duo and WatchGuard.

8 Replies

DuoKristina
Cisco Employee

Greetings gregulator!

It looks like Watchguard Firebox and XTM devices both support LDAP authentication per their online documentation.

You may want to try configuring the Duo Authentication Proxy as an LDAP proxy. Point the Duo server to your AD DC (with [ad_client]) and then point your WatchGuard appliance to the LDAP proxy listener on the Duo server.

Hope this suggestion helps. Thanks for trying Duo!

Duo, not DUO.

Icebun
Level 1

Can I ask if anyone has had any success setting up Duo with LDAP and WatchGuard?

Any comments would be welcome.

This does seem the best route to negate the need for a RADIUS/NPS server.

tfridlington
Level 1

If anyone is looking for direction on this, I got it working with the generic LDAP application, and setting up the SSL VPN auth to use AD.

There are a couple of gotchas. You need to disable the primary bind exemption. Since the firewall actually attempts to bind 2 separate times, the auth proxy will consider both times the primary. So add these switches to your ldap_server_auto section in your auth proxy server:

[ldap_server_auto]
exempt_primary_bind=false
exempt_ou_1=<full DN of the searching user>

Other than that, just follow the instructions for the generic LDAP application setup from Duo here: LDAP | Duo Security

Note that LDAP can’t pass along the access client IP to Duo, so no Duo policies based on IP information apply (Authorized Networks, User Location, Anonymous Networks, etc.).

Duo, not DUO.
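Putting DuoKristina's suggestion (Authentication Proxy as an LDAP proxy in front of AD) and tfridlington's two switches together, this is what the relevant parts of an authproxy.cfg look like. It is an added example written for this thread, not a file from the thread or from Duo's documentation. The hostnames, DNs, account names, the ikey/skey/api_host values, the certificate paths and the listener port are placeholders to be replaced with your own.

```ini
; Added example: Duo Authentication Proxy config for the Firebox SSL VPN setup
; described in this thread. Every host, DN, account and key below is a placeholder.

[ad_client]
; The domain controllers the proxy verifies primary (AD) credentials against.
host=dc1.example.local
host_2=dc2.example.local
service_account_username=duo-proxy-svc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=local
; LDAPS to the DCs, so the user passwords the firewall relays are not sent in
; the clear on the proxy-to-DC leg. Path is relative to the proxy's conf directory.
transport=ldaps
ssl_ca_certs_file=ca-bundle.pem

[ldap_server_auto]
; Integration values from the Duo Admin Panel (generic LDAP application).
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Listener the Firebox is pointed at instead of the DC. Plain LDAP on 389 means
; the firewall-to-proxy leg carries passwords in the clear; to offer LDAPS on
; 636 as well, set ssl_port, ssl_key_path and ssl_cert_path.
port=389
;ssl_port=636
;ssl_key_path=proxy.key
;ssl_cert_path=proxy.pem
; Deny logins if Duo's cloud service cannot be reached, rather than allow them.
failmode=secure
; The Firebox binds twice per login: first as its search account to find the
; user, then as the user. By default the first bind on a connection is taken
; to be the lookup bind and exempted from Duo, which misfires when there are
; two binds, so turn that off and exempt the search account by its DN instead.
; exempt_ou_1 must match the DN the Firebox binds with for the lookup (or the
; OU containing it); the proxy log shows the match as "Exempt OU: <DN>".
exempt_primary_bind=false
exempt_ou_1=CN=fw-ldap-search,OU=ServiceAccounts,DC=example,DC=local
```

On the Firebox side the LDAP server entry then points at the proxy host and the port above rather than at a DC, and the search/bind account it is configured with is the one named in exempt_ou_1; every other bind on the listener (the user's own) goes through primary authentication against AD and then the Duo second factor. As tfridlington notes, the LDAP integration cannot pass the client IP to Duo, so IP-based policies will not apply to these logins whatever the proxy config says.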

BAB2
Level 1

Results

Connect to server: Ok (connected to 192.168.36.212)

Log in (bind): Failed (user xxxxxxxx@LDAP is not authenticated[user doesn’t exist, check your username])

Get group membership:

It seems to put @LDAP after the username all the time.

So frustrating, still can't get this working (WatchGuard with LDAP). Anyone have any ideas?

LOGS -

08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [Uninitialized] Connection made between client: 192.168.36.2:40317 and the server section listening via 192.168.36.212:1815.
2020-08-10T11:19:13+0100 [Uninitialized] C->S LDAPMessage(id=4, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=4, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] [Request from 192.168.36.2:40317] Exempt OU: CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=2, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=5, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] C->S LDAPMessage(id=6, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.168.36.2] Closing the connection between the downstream application and the Authentication Proxy. Reason: Connection was closed cleanly.
2020-08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>

Thanks,
B
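A debug log like the one above is easier to reason about when the firewall-facing side of each connection is reduced to "which binds happened, which of them the proxy exempted, and what the lookup returned". The script below does that; it is an added example written for this thread, not a Duo tool. It only looks at the S<-C / S->C lines (the proxy's exchange with the firewall) plus the "Connection made", "Exempt OU" and "Closing the connection" lines, in the formats shown in the log above. The embedded sample logs, the DNs, addresses and user names in them, and the names `LOOKUP_ONLY_LOG`, `USER_BIND_LOG`, `parse_sessions`, `duo_binds` and `report` are all constructed for the example.

```python
"""Summarise the firewall-facing side of a Duo Authentication Proxy ldap_server_auto
debug log: which binds were exempted from Duo and which would have been sent on.
Added example, not Duo's code; DNs, addresses and names are constructed placeholders."""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the thread's log: the Firebox binds as its search
# account (exempted), looks the user up, gets only referrals back, and unbinds.
LOOKUP_ONLY_LOG = """\
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.0.2.2] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='CN=fw-ldap-search,OU=ServiceAccounts,DC=example,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [Uninitialized] Connection made between client: 192.0.2.2:40317 and the server section listening via 192.0.2.212:389.
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] [Request from 192.0.2.2:40317] Exempt OU: CN=fw-ldap-search,OU=ServiceAccounts,DC=example,DC=local
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.0.2.2] S<-C LDAPMessage(id=2, value=LDAPSearchRequest(baseObject='DC=example,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='jdoe')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.example.local/DC=DomainDnsZones,DC=example,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://example.local/CN=Configuration,DC=example,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.0.2.2] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,192.0.2.2] Closing the connection between the downstream application and the Authentication Proxy. Reason: Connection was closed cleanly.
"""
# Constructed sample of the bind a complete login adds: the user's own DN, not exempted.
USER_BIND_LOG = """\
2020-08-10T11:19:14+0100 [Uninitialized] Connection made between client: 192.0.2.2:40321 and the server section listening via 192.0.2.212:389.
2020-08-10T11:19:14+0100 [ldap_server_auto,2,192.0.2.2] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='CN=jdoe,OU=Users,DC=example,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:16+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:16+0100 [ldap_server_auto,2,192.0.2.2] Closing the connection between the downstream application and the Authentication Proxy. Reason: Connection was closed cleanly.
"""

RE_CONN = re.compile(r"Connection made between client: (\S+) and the server section")
RE_BIND_REQ = re.compile(r"S<-C LDAPMessage\(id=(\d+), value=LDAPBindRequest\(version=\d+, dn='([^']*)'")
RE_BIND_RESP = re.compile(r"S->C LDAPMessage\(id=(\d+), value=LDAPBindResponse\(resultCode=(\d+)\)")
RE_SEARCH_REQ = re.compile(r"S<-C LDAPMessage\(id=(\d+), value=LDAPSearchRequest\(.*?attributeDesc="
                           r"BEROctetString\(value='([^']*)'\), assertionValue=BEROctetString\(value='([^']*)'\)")
RE_REFERRAL = re.compile(r"S->C LDAPMessage\(id=(\d+), value=LDAPSearchResultReference\(uris=\[LDAPString\(value='([^']*)'\)")
RE_SEARCH_DONE = re.compile(r"S->C LDAPMessage\(id=(\d+), value=LDAPSearchResultDone\(resultCode=(\d+)\)")

@dataclass
class Bind:
    msg_id: str
    dn: str
    exempt: bool = False  # proxy logged "Exempt OU" for it: primary auth only, no Duo
    result: int = -1      # resultCode returned to the firewall; -1 if no response seen

@dataclass
class Search:
    msg_id: str
    attr: str
    value: str
    referrals: list = field(default_factory=list)
    result: int = -1

@dataclass
class Session:
    client: str = "?"
    binds: list = field(default_factory=list)
    searches: dict = field(default_factory=dict)  # keyed by LDAP message id

def parse_sessions(log_text: str) -> list:
    """One Session per downstream (firewall) connection, in log order."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if "Closing the connection between the downstream" in line:
            cur = None
            continue
        if not ("S<-C" in line or "S->C" in line or "Exempt OU:" in line or RE_CONN.search(line)):
            continue  # skip upstream C->S/C<-S traffic to the DC and factory chatter
        if cur is None:  # the first bind can be logged before "Connection made"
            cur = Session()
            sessions.append(cur)
        if m := RE_CONN.search(line):
            cur.client = m.group(1)
        elif m := RE_BIND_REQ.search(line):
            cur.binds.append(Bind(m.group(1), m.group(2)))
        elif "Exempt OU:" in line:  # logged just before the exempted bind is answered
            if pending := [b for b in cur.binds if b.result == -1]:
                pending[-1].exempt = True
        elif m := RE_BIND_RESP.search(line):
            for b in (b for b in cur.binds if b.msg_id == m.group(1)):
                b.result = int(m.group(2))
        elif m := RE_SEARCH_REQ.search(line):
            cur.searches[m.group(1)] = Search(*m.groups())
        elif m := RE_REFERRAL.search(line):
            cur.searches[m.group(1)].referrals.append(m.group(2))
        elif m := RE_SEARCH_DONE.search(line):
            cur.searches[m.group(1)].result = int(m.group(2))
    return sessions

def duo_binds(sessions) -> list:
    """DNs that bound successfully without an exemption: the logins the proxy
    sends on to Duo for the second factor."""
    return [b.dn for s in sessions for b in s.binds if b.result == 0 and not b.exempt]

def report(sessions) -> list:
    out = []
    for s in sessions:
        for b in s.binds:
            out.append(f"{s.client} bind as {b.dn}: result={b.result}, "
                       + ("exempt, no Duo" if b.exempt else "Duo applies"))
        for q in s.searches.values():
            out.append(f"{s.client} search {q.attr}={q.value}: {len(q.referrals)} referrals, result={q.result}")
    if not duo_binds(sessions):
        out.append("no non-exempt bind succeeded: Duo was never invoked")
    return out
```

Run it on the first sample and the report ends with "Duo was never invoked": the only bind on that connection was the search account's, which the proxy exempted, and the lookup returned nothing but the three standard AD referrals (DomainDnsZones, ForestDnsZones, Configuration) that a subtree search from the domain root always produces, so there was no entry for the proxy or the firewall to act on. Feed it both samples concatenated and `duo_binds` lists the user's DN, which is the bind that should appear in a working login. Running it over a real log answers the question this thread keeps circling: did a non-exempt bind ever reach the proxy, or is the firewall stopping after the lookup.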

MtnDew213
Level 1

@tfridlington Could you possibly share the WatchGuard settings you entered that point to the Duo proxy? Struggling to use the LDAP or RADIUS proxy for WatchGuard.

Hi there, @MtnDew213! Welcome to the Duo Community! I would recommend reaching out to Duo Support on this one. Our Technical Support Engineers are great and will be able to troubleshoot the issue based on your environment to help you get the Authentication Proxy up and running. Best of luck with everything!

MtnDew213
Level 1

Thanks Tab, we had a call with support and worked out that it's something to do with the Firebox VPN server passing the external IP to the proxy (as it's on a different network from the proxy) and then for some reason never getting the auth approved message from the proxy.
