15806 Views | 1 Helpful | 21 Replies

Duo integration with Watchguard Mobile SSLVPN

BenjaminC1341
Level 1

Wondering if anyone has implemented Duo authentication with a WatchGuard Mobile SSLVPN.

WatchGuard has an implementation PDF but it lists the requirements as being an actual RADIUS server for primary authentication. http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf

I’ve configured a similar setup using a SonicWALL TZ series following the generic RADIUS application configuration from Duo but using AD for primary authentication.

Does the proxy not abstract whatever is being used as the primary authentication so it doesn’t matter whether it is RADIUS or AD?

21 Replies

DuoKristina
Cisco Employee

Typically when RADIUS is specified as the primary authentication source it’s because it requires specific RADIUS attributes passed to/from the device.

If you take a look at the Watchguard RADIUS configuration instructions it specifies that group attribute be sent as RADIUS attributes (with RADIUS attribute 11 FilterID as the default).

When the Duo Authentication proxy is used with AD as the authentication source, it can’t send the group attribute as a RADIUS attribute (as the LDAP AD server doesn’t send any RADIUS attributes). That is why the Watchguard instructions call for a RADIUS authentication source.

If you don’t have a RADIUS server but you do have AD, you can deploy the NPS role on a domain joined Windows server to provide RADIUS auth to AD, then point Duo to NPS as shown in those instructions.

Duo, not DUO.

@DuoKristina: Does Duo have any specific instructions to get Duo to work with WatchGuard Mobile SSLVPN? I have a similar scenario as @bcady

Hi there! Did you read through Watchguard’s Duo instructions?

http://www.watchguard.com/docs/tech/watchguard-duo-integration-guide.pdf (it’s actually the same link from the original post).

  1. Deploy NPS (sounds like you may have done this already).
  2. Set up the Duo Authentication Proxy for RADIUS with the upstream [radius_client] set to your NPS server and the RADIUS application information in your [radius_server_auto] section, along with the host/secret info for your Watchguard and the pass_through_all=true option.
  3. Configure Watchguard to point to the Duo Authentication Proxy server for RADIUS authentication, specifying attribute 11 (filter-id) as the group attribute (if using groups for VPN authorization).
  4. Then if you do want to use RADIUS groups for authorization, specify those groups on the Watchguard.

Are you stuck on part of the configuration?

Duo, not DUO.

Hi. Yes, I did read the PDF guide.

With regard to step 1: are there any specific settings on NPS?

Step 4: where do I specify the attribute 11 (filter-id)? On the NPS?

Finally, has anyone successfully deployed the steps that you describe?

Sorry, I am a bit new to Watchguard and Duo.

Thanks

Do you already have Watchguard authenticating against NPS? Or are you setting it up new just to use Duo?

Once you have the NPS server up, you’ll…

  1. Add the Duo Authentication Proxy server as a RADIUS client to NPS using PAP. The secret used here should be the same as in your authproxy.cfg [radius_client] setting.

  2. Next you’d create a connection request policy in NPS that uses PAP, Windows authentication, and includes the filter-id attribute.

At this point NPS should be ready to accept a connection from the Duo Authentication Proxy, authenticate the user to AD, and return the filter-id attribute in the response to the Duo server.

There is a guide for pointing Watchguard directly to NPS that you may find useful if you have never done anything in NPS before, but keep in mind this is not exactly the same config you’d use for Duo (per the info above and from the Duo Watchguard guide).

Are you working with a Duo sales account exec? They can connect you with a sales engineer who can help you through this. You can also contact Duo Support, but Support may not be able to walk you through NPS configuration.

Duo, not DUO.
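To make the RADIUS-via-NPS layout from the two replies above concrete, here is an added example authproxy.cfg. It is not from this thread, from Duo's documentation or from Watchguard; every hostname, IP address, shared secret and Duo key in it is a placeholder you replace with your own values.

```ini
; Added example authproxy.cfg for the "Watchguard -> Duo proxy -> NPS -> AD" path.
; Not the thread's or Duo's own file; all hosts, secrets and keys are placeholders.

[radius_client]
; Upstream RADIUS server: the NPS role that authenticates users against AD.
; This secret must match the RADIUS client entry you create for the proxy in NPS.
host=nps.example.corp
secret=PLACEHOLDER_NPS_SHARED_SECRET
port=1812

[radius_server_auto]
; Duo application credentials from the Admin Panel (placeholders).
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Send primary authentication to the [radius_client] section above.
client=radius_client
; The Watchguard is the proxy's RADIUS client. Use a separate secret from the
; NPS one so a compromise of either side does not expose the other hop.
radius_ip_1=192.0.2.1
radius_secret_1=PLACEHOLDER_WATCHGUARD_SHARED_SECRET
port=1812
; "safe" lets logins proceed if the Duo cloud is unreachable; use "secure" to deny instead.
failmode=safe
; Copy every attribute NPS returns (including Filter-Id, attribute 11) into the
; Access-Accept forwarded to the Watchguard, so its group-based authorization works.
pass_through_all=true
```

With this layout the only place the filter-id attribute is produced is the NPS connection request policy; the proxy itself adds nothing, which is why pass_through_all=true is required and why a plain [ad_client] primary cannot replace NPS when groups are needed.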

Thank you very much for the detailed instructions.

I will give these a try.

BenjaminC1341
Level 1

Thank you for the feedback, I will setup an NPS server.

@bcady: were you able to successfully implement Duo authentication with Windows NPS server and WatchGuard Mobile SSL VPN?

If so, could you please share the details as I am also trying to implement the same scenario?

BSpan
Level 1

@DuoKristina: I read through all the posts and linked documents on this invaluable topic. I did not know we would need to stand up an NPS server! Is an NPS server required only if we need to specify AD groups on the Watchguard’s Authorized Users and Groups list? It’s no problem for us to enter only individual users.

Here’s where we stand currently:

1 – I recently got Duo Authentication for Windows Logon and RDP up and running, using the Duo Authentication Proxy. Next we want to add Duo 2FA to our VPN.

2 – We are using Watchguard SSL VPN, with the Watchguard using our on-premise Active Directory to authenticate VPN users.

3 – I have configured the Duo Authentication Proxy cfg file with [radius_server_auto] and [ad_client] sections. I’m using a RADIUS server testing tool (NTRadPing 1.5), pointed to the Duo Authentication Proxy, and it seems to be working fine with Duo 2FA - the RADIUS testing tool gets back access-success and access-reject responses from the Duo Authentication Proxy depending on whether I approve or deny on the Duo App.

Until I saw this topic, I thought all that was left for us to do is switch our Watchguard from AD authentication to RADIUS authentication using the Duo Authentication Proxy.

The only way the Duo proxy can send group information over RADIUS is if it gets it from an upstream RADIUS authentication server (like NPS). If you do not need the Duo proxy to send AD group information to the Watchguard then you probably don’t need to deploy NPS or another RADIUS authentication server. Try it and see.

Duo, not DUO.
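For the no-NPS variant BSpan describes (RADIUS to the proxy, AD as primary, no group attributes), here is an added example authproxy.cfg. It is not code from the thread, Duo or Watchguard; the hostnames, service account, secrets and Duo keys are placeholders.

```ini
; Added example authproxy.cfg for "Watchguard -> Duo proxy (RADIUS) -> AD (LDAP)".
; Not the thread's or Duo's own file; all values below are placeholders.

[ad_client]
; Primary authentication against a domain controller over LDAPS. The service
; account only needs read access to look users up; it should not be a privileged account.
host=dc1.example.corp
transport=ldaps
ssl_ca_certs_file=/etc/duoauthproxy/ad-ca.pem
service_account_username=duo_svc
service_account_password=PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=corp

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Primary auth goes to AD directly instead of to an upstream RADIUS server.
client=ad_client
radius_ip_1=192.0.2.1
radius_secret_1=PLACEHOLDER_WATCHGUARD_SHARED_SECRET
port=1812
failmode=safe
; pass_through_all is deliberately absent: an LDAP primary returns no RADIUS
; attributes, so the Watchguard gets an Access-Accept with no Filter-Id (no group).
```

This is the configuration an NTRadPing-style test would exercise: Access-Accept or Access-Reject arrives depending on the Duo push result, but the reply carries no attribute 11, so any Watchguard policy keyed on RADIUS groups will not match and you must authorize individual users instead.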

BSpan
Level 1

@DuoKristina Thank you very much for the response. I guess at this point it’s more a WatchGuard question, how the AD group we have defined for VPN users is used throughout the WatchGuard’s routing/firewall policies. I may open a ticket with them, this is a production environment so it’s difficult to just try things. I’ve also asked Duo support if they can get us in touch with a Duo engineer who might have experience with all this. I did stand up an NPS server and it’s working fine with a RADIUS test app, but the test app does not involve groups.

tfridlington
Level 1

If any one is looking for direction on this, I got it working with the generic LDAP application, and setting up the SSL VPN auth to use AD.

There are a couple of gotchas. You need to disable the primary bind exemption. Since the firewall actually attempts to bind 2 separate times, the auth proxy will consider both times the primary. So add these switches to your ldap_server_auto section in your auth proxy server:

exempt_primary_bind=false
exempt_ou_1=full DN of searching user

Other than that, just follow the instructions for the generic LDAP application setup from Duo here: LDAP | Duo Security
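The LDAP route tfridlington describes, written out as an added example authproxy.cfg (not the poster's file, nor Duo's or Watchguard's). The domain controller, the search account DN and the Duo keys are placeholders; the two exempt_* settings are the ones the post names.

```ini
; Added example authproxy.cfg for "Watchguard (AD/LDAP auth) -> Duo proxy (LDAP) -> AD".
; Not the thread's or Duo's own file; all values below are placeholders.

[ad_client]
host=dc1.example.corp
transport=ldaps
ssl_ca_certs_file=/etc/duoauthproxy/ad-ca.pem
service_account_username=duo_svc
service_account_password=PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=corp

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; The Watchguard talks LDAP to this port on the proxy instead of to the DC.
port=389
failmode=safe
; The Watchguard binds twice per login: first with its own search account, then
; as the user. Without exempt_primary_bind=false the proxy treats the first bind
; as the user's primary auth and the user bind never reaches Duo.
exempt_primary_bind=false
; Exempt the search account itself from a second factor (it is a machine bind,
; and a push would otherwise fire for it); use the account's full DN.
exempt_ou_1=CN=wg-ldap-search,OU=Service Accounts,DC=example,DC=corp
```

On the Watchguard side the authentication server stays of type Active Directory/LDAP, but its server address is the proxy host and port 389 above rather than the domain controller; group membership then comes back through the normal LDAP lookup, which is what removes the need for NPS in this layout. Keep the exempt list to the single search account so the exemption cannot be reused by an ordinary user DN.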

I can also confirm @tfridlington’s instructions. We have Duo set up with our WatchGuard for SSLVPN working great (with both Duo Prompt and Hardware Tokens).

Hi,
Can I ask for the Watchguard authentication server, when we want to use LDAP on DUO, should we configure the authentication server to Radius or LDAP or Active directory?

I mean when we configure Duo proxy for LDAP, should Watchguard be configured to make LDAP requests to Duo proxy? Or is it still a RADIUS server?
@DuoKristina
@tfridlington
