Duo integration with Watchguard Mobile SSLVPN

Wondering if anyone has implemented Duo authentication with a WatchGuard Mobile SSLVPN.

WatchGuard has an implementation PDF but it lists the requirements as being an actual RADIUS server for primary authentication. http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf

I’ve configured a similar setup using a SonicWALL TZ series following the generic RADIUS application configuration from Duo but using AD for primary authentication.

Does the proxy not abstract whatever is being used as the primary authentication so it doesn’t matter whether it is RADIUS or AD?

Typically when RADIUS is specified as the primary authentication source it’s because it requires specific RADIUS attributes passed to/from the device.

If you take a look at the Watchguard RADIUS configuration instructions, it specifies that the group attribute be sent as a RADIUS attribute (with RADIUS attribute 11, Filter-Id, as the default).

When the Duo Authentication proxy is used with AD as the authentication source, it can’t send the group attribute as a RADIUS attribute (as the LDAP AD server doesn’t send any RADIUS attributes). That is why the Watchguard instructions call for a RADIUS authentication source.

If you don’t have a RADIUS server but you do have AD, you can deploy the NPS role on a domain joined Windows server to provide RADIUS auth to AD, then point Duo to NPS as shown in those instructions.

Thank you for the feedback, I will setup an NPS server.

@bcady: were you able to successfully implement Duo authentication with Windows NPS server and WatchGuard Mobile SSL VPN?

If so, could you please share the details as I am also trying to implement the same scenario?

@DuoKristina: Does Duo have any specific instructions to get Duo to work with WatchGuard Mobile SSLVPN? I have a similar scenario as @bcady

Hi there! Did you read through Watchguard’s Duo instructions?

http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf (it’s actually the same link from the original post).

  1. Deploy NPS (sounds like you may have done this already).
  2. Set up the Duo Authentication Proxy for RADIUS with the upstream [radius_client] set to your NPS server and the RADIUS application information in your [radius_server_auto] section, along with the host/secret info for your Watchguard and the pass_through_all=true option.
  3. Configure Watchguard to point to the Duo Authentication Proxy server for RADIUS authentication, specifying attribute 11 (filter-id) as the group attribute (if using groups for VPN authorization).
  4. Then if you do want to use RADIUS groups for authorization, specify those groups on the Watchguard.

Are you stuck on part of the configuration?
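An added illustration of the RADIUS chain described in steps 2 and 3 above (not a file from the original post or from Duo's or WatchGuard's documentation): the WatchGuard talks RADIUS to the proxy's [radius_server_auto] section, and the proxy talks RADIUS upstream to NPS via [radius_client]. Hostnames, addresses, shared secrets and the Duo integration key, secret key and API host are placeholders to be replaced with your own.

```ini
; authproxy.cfg (added example; all values below are placeholders)

; Upstream primary authentication: the NPS server. The secret here must
; match the shared secret of the RADIUS client entry for this proxy on NPS,
; and that NPS client entry must use PAP.
[radius_client]
host=nps1.example.local
secret=NPS_SHARED_SECRET_PLACEHOLDER

; Downstream: the WatchGuard firewall sends RADIUS to this section.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
; RADIUS client = the WatchGuard; secret must match its RADIUS server entry
radius_ip_1=192.0.2.10
radius_secret_1=WATCHGUARD_SHARED_SECRET_PLACEHOLDER
port=1812
; Forward every attribute NPS returns (including Filter-Id, attribute 11)
; to the WatchGuard so RADIUS group authorization can work.
pass_through_all=true
; What to do if Duo's cloud service is unreachable: "secure" rejects logins.
failmode=secure
```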

Hi. Yes, I did read the PDF guide.

With regard to step 1: are there any specific settings on NPS?

Step 4: where do I specify the attribute 11 (filter-id)? On the NPS?

Finally, has anyone successfully deployed the steps that you describe?

Sorry, I am a bit new to Watchguard and Duo.


Do you already have Watchguard authenticating against NPS? Or are you setting it up new just to use Duo?

Once you have the NPS server up, you’ll…

  1. Add the Duo Authentication Proxy server as a RADIUS client to NPS using PAP. The secret used here should be the same as in your authproxy.cfg [radius_client] setting.

  2. Next you’d create a connection request policy in NPS that uses PAP, Windows authentication, and includes the filter-id attribute.

At this point NPS should be ready to accept a connection from the Duo Authentication Proxy, authenticate the user to AD, and return the filter-id attribute in the response to the Duo server.

There is a guide for pointing Watchguard directly to NPS that you may find useful if you have never done anything in NPS before, but keep in mind this is not exactly the same config you’d use for Duo (per the info above and from the Duo Watchguard guide).

Are you working with a Duo sales account exec? They can connect you with a sales engineer who can help you through this. You can also contact Duo Support, but Support may not be able to walk you through NPS configuration.

Thank you very much for the detailed instructions.

I will give these a try.

@DuoKristina: I read though all the posts and linked documents on this invaluable topic. I did not know we would need to stand up an NPS server! Is an NPS server required only if we need to specify AD groups on the Watchguard’s Authorized Users and Groups list? It’s no problem for us to enter only individual users.

Here’s where we stand currently:

1 – I recently got Duo Authentication for Windows Logon and RDP up and running, using the Duo Authentication Proxy. Next we want to add Duo 2FA to our VPN.

2 – We are using Watchguard SSL VPN, with the Watchguard using our on-premise Active Directory to authenticate VPN users.

3 – I have configured the Duo Authentication Proxy cfg file with [radius_server_auto] and [ad_client] sections. I’m using a RADIUS server testing tool (NTRadPing 1.5), pointed to the Duo Authentication Proxy, and it seems to be working fine with Duo 2FA - the RADIUS testing tool gets back access-accept and access-reject responses from the Duo Authentication Proxy depending on whether I approve or deny on the Duo App.

Until I saw this topic, I thought all that was left for us to do was switch our Watchguard from AD authentication to RADIUS authentication using the Duo Authentication Proxy.

The only way the Duo proxy can send group information over RADIUS is if it gets it from an upstream RADIUS authentication server (like NPS). If you do not need the Duo proxy to send AD group information to the Watchguard then you probably don’t need to deploy NPS or another RADIUS authentication server. Try it and see.

@DuoKristina Thank you very much for the response. I guess at this point it’s more a WatchGuard question, how the AD group we have defined for VPN users is used throughout the WatchGuard’s routing/firewall policies. I may open a ticket with them; this is a production environment so it’s difficult to just try things. I’ve also asked Duo support if they can get us in touch with a Duo engineer who might have experience with all this. I did stand up an NPS server and it’s working fine with a RADIUS test app, but the test app does not involve groups.

If anyone is looking for direction on this, I got it working with the generic LDAP application, and setting up the SSL VPN auth to use AD.

There are a couple of gotchas. You need to disable the primary bind exemption. Since the firewall actually attempts to bind 2 separate times, the auth proxy will consider both times the primary. So add these switches to your ldap_server_auto section in your auth proxy server:

exempt_ou_1=full DN of searching user

Other than that, just follow the instructions for the generic LDAP application setup from Duo here: LDAP | Duo Security
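An added example of the LDAP chain this post describes (not the poster's own file, nor Duo's documentation): the WatchGuard, configured for Active Directory authentication, binds to the proxy's [ldap_server_auto] section, and the proxy binds upstream to a domain controller via [ad_client]. The domain, hostnames, account names and the Duo integration values are placeholders.

```ini
; authproxy.cfg (added example; all values below are placeholders)

; Upstream: the proxy's own bind to the domain controller.
[ad_client]
host=dc1.example.local
service_account_username=duo-proxy-svc
service_account_password=PASSWORD_PLACEHOLDER
search_dn=DC=example,DC=local

; Downstream: the WatchGuard talks LDAP to this section.
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
; The firewall binds twice per login (once as its own search account, once
; as the user). With the default exemption both binds would be treated as
; the primary bind, so turn the exemption off ...
exempt_primary_bind=false
; ... and instead exempt only the firewall's search/bind account, by its
; full DN, so that bind is not challenged for 2FA while user binds are.
exempt_ou_1=CN=wg-ldap-svc,OU=ServiceAccounts,DC=example,DC=local
```

In the proxy log, a successfully exempted service-account bind shows up as an "Exempt OU: CN=..." line, while user binds proceed to the Duo push or token prompt.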

I can also confirm @tfridlington’s instructions. We have Duo set up with our WatchGuard for SSLVPN working great (with both Duo Prompt and Hardware Tokens).

Connect to server: Ok (connected to

Log in (bind): Failed (user xxxxxxxx@LDAP is not authenticated[user doesn’t exist, check your username])

Get group membership:

It seems to put @LDAP after all the time.

So frustrating, still can’t get this working (Watchguard with LDAP). Anyone have any ideas?

2020-08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] S<-C LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [Uninitialized] Connection made between client: and the server section listening via
2020-08-10T11:19:13+0100 [Uninitialized] C->S LDAPMessage(id=4, value=LDAPBindRequest(version=3, dn='CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local', auth='', sasl=False), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=4, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] [Request from] Exempt OU: CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] S<-C LDAPMessage(id=2, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] C->S LDAPMessage(id=5, value=LDAPSearchRequest(baseObject='DC=XX,DC=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=10, typesOnly=0, filter=LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value='cn'), assertionValue=BEROctetString(value='userxx')), attributes=[b'*', b'memberOf']), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.XX.local/DC=DomainDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.XX.local/DC=ForestDnsZones,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://XX.local/CN=Configuration,DC=XX,DC=local')]), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=5, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [_ADServiceClientProtocol,client] S->C LDAPMessage(id=2, value=LDAPSearchResultDone(resultCode=0), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] S<-C LDAPMessage(id=3, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] C->S LDAPMessage(id=6, value=LDAPUnbindRequest(), controls=None)
2020-08-10T11:19:13+0100 [ldap_server_auto,1,] Closing the connection between the downstream application and the Authentication Proxy. Reason: Connection was closed cleanly.
2020-08-10T11:19:13+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x043CA040>


The proxy is performing an ldap search for the user whose CN is userxx, and is receiving no results. Maybe you need to select a different login attribute to match the value?

Can I ask, for the Watchguard authentication server, when we want to use LDAP on Duo, should we configure the authentication server to RADIUS, LDAP or Active Directory?

I mean, when we configure the Duo proxy for LDAP, should Watchguard be configured to make LDAP requests to the Duo proxy? Or is it still a RADIUS server?

I am not sure if I understand your question.

If the Duo Authentication Proxy acts as a RADIUS server, then that RADIUS configuration can in turn use either LDAP or RADIUS for primary authentication (or not try to perform primary auth at all).

If the Duo Authentication Proxy acts as an LDAP server, then that LDAP configuration can ONLY use LDAP for primary authentication.

The solution @tfridlington describes in this post has the Duo proxy configured for LDAP connections from WatchGuard, so then it must also be using LDAP for primary auth to AD or another LDAP directory.


Anyone active on the post that managed to get Watchguard VPN working with Duo who wouldn’t mind helping out?

Sorry, it’s been a while, and I’m nowhere near a Watchguard these days. But if I recall, I set it up as AD auth from Watchguard → proxy, then LDAP from proxy → DC. With those particular switches configured in the proxy configuration. Hope it helps.