Duo integration with Watchguard Mobile SSLVPN


#1

Wondering if anyone has implemented Duo authentication with a WatchGuard Mobile SSLVPN.

WatchGuard has an implementation PDF but it lists the requirements as being an actual RADIUS server for primary authentication. http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf

I’ve configured a similar setup using a SonicWALL TZ series following the generic RADIUS application configuration from Duo but using AD for primary authentication.

Does the proxy not abstract whatever is being used as the primary authentication so it doesn’t matter whether it is RADIUS or AD?


#2

Typically when RADIUS is specified as the primary authentication source it’s because it requires specific RADIUS attributes passed to/from the device.

If you take a look at the Watchguard RADIUS configuration instructions it specifies that group attribute be sent as RADIUS attributes (with RADIUS attribute 11 FilterID as the default).

When the Duo Authentication proxy is used with AD as the authentication source, it can’t send the group attribute as a RADIUS attribute (as the LDAP AD server doesn’t send any RADIUS attributes). That is why the Watchguard instructions call for a RADIUS authentication source.

If you don’t have a RADIUS server but you do have AD, you can deploy the NPS role on a domain joined Windows server to provide RADIUS auth to AD, then point Duo to NPS as shown in those instructions.


#3

Thank you for the feedback, I will set up an NPS server.


#4

@bcady: were you able to successfully implement Duo authentication with Windows NPS server and WatchGuard Mobile SSL VPN?

If so, could you please share the details as I am also trying to implement the same scenario?


#5

@DuoKristina: Does Duo have any specific instructions to get Duo to work with WatchGuard Mobile SSLVPN? I have a similar scenario as @bcady.


#6

Hi there! Did you read through Watchguard’s Duo instructions?

http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf (it’s actually the same link from the original post).

  1. Deploy NPS (sounds like you may have done this already).
  2. Set up the Duo Authentication Proxy for RADIUS with the upstream [radius_client] set to your NPS server and the RADIUS application information in your [radius_server_auto] section, along with the host/secret info for your Watchguard and the pass_through_all=true option.
  3. Configure Watchguard to point to the Duo Authentication Proxy server for RADIUS authentication, specifying attribute 11 (filter-id) as the group attribute (if using groups for VPN authorization).
  4. Then if you do want to use RADIUS groups for authorization, specify those groups on the Watchguard.

Are you stuck on part of the configuration?


#7

Hi. Yes, I did read the PDF guide.

With regard to step 1: are there any specific settings on NPS?

Step 4: where do I specify the attribute 11 (filter-id)? On the NPS?

Finally, has anyone successfully deployed the steps that you describe?

Sorry, I am a bit new to Watchguard and Duo.

Thanks


#8

Do you already have Watchguard authenticating against NPS? Or are you setting it up new just to use Duo?

Once you have the NPS server up, you’ll…

  1. Add the Duo Authentication Proxy server as a RADIUS client to NPS using PAP. The secret used here should be the same as in your authproxy.cfg [radius_client] setting.

  2. Next you’d create a connection request policy in NPS that uses PAP, Windows authentication, and includes the filter-id attribute.

At this point NPS should be ready to accept a connection from the Duo Authentication Proxy, authenticate the user to AD, and return the filter-id attribute in the response to the Duo server.

There is a guide for pointing Watchguard directly to NPS that you may find useful if you have never done anything in NPS before, but keep in mind this is not exactly the same config you’d use for Duo (per the info above and from the Duo Watchguard guide).

Are you working with a Duo sales account exec? They can connect you with a sales engineer who can help you through this. You can also contact Duo Support, but Support may not be able to walk you through NPS configuration.
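
The proxy configuration described in step 2 of post #6 and step 1 of post #8, written out as an added example (not taken from the thread, Duo's documentation or the WatchGuard guide). The IP addresses are documentation-range placeholders, and the keys, API hostname and shared secrets are placeholders to replace with your own values.

```ini
; authproxy.cfg on the Duo Authentication Proxy server
; Added example: every value below is a placeholder.

[radius_client]
; Upstream primary authentication: the NPS server.
host=192.0.2.10
; Must match the shared secret entered in NPS when the proxy
; was added there as a RADIUS client (post #8, step 1).
secret=<nps-shared-secret>

[radius_server_auto]
; Values from the RADIUS application in the Duo Admin Panel.
ikey=<integration-key>
skey=<secret-key>
api_host=<api-hostname>

; The WatchGuard device that sends RADIUS requests to the proxy.
; Use a different secret here than the one shared with NPS.
radius_ip_1=192.0.2.1
radius_secret_1=<watchguard-shared-secret>

; Send primary authentication to the [radius_client] section above.
client=radius_client
port=1812

; Relay all RADIUS attributes returned by NPS back to the WatchGuard,
; including attribute 11 (Filter-Id) that carries the group name.
; Without this the group attribute never reaches the firewall.
pass_through_all=true

; failmode defaults to "safe" (allow when Duo is unreachable);
; "secure" denies logins in that case instead.
failmode=secure
```

Since this file holds the Duo secret key and both RADIUS shared secrets in clear text, restrict read access to it to administrators on the proxy host.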


#9

Thank you very much for the detailed instructions.

I will give these a try.