Hi, we’re a university that is already using Duo Security campus-wide, but for my purposes we’re a small department that uses a different user name than the campus-wide one.
I’m using a WatchGuard M200 for VPN access, along with NPS / AD for authentication. This is working great, but I’d like to add Duo Security as MFA.
Everything seems to be working as intended (the VPN is connecting, I get prompted on my mobile to approve/deny the connection request) until I tap on the Duo Mobile green checkbox, then I get disconnected. The error on the WG device is ‘user isn’t in the right group’.
The problem seems to be identical to this post.
I tested some more by connecting the Duo Auth Proxy RADIUS to NPS. The Event Viewer on the NPS confirms the connection is access granted, but the WG disconnects. This tells me the NPS authentication server approves the login with the correct user and password, but the WG device did not get the message of approval.
I believe the problem is that the Duo Auth Proxy is not sending back the “filter-id” property to the WG device upon approval in the Duo Mobile app. The filter-id contains the user group property where the WG device expects it when the connection is approved by the NPS. When the WG device doesn’t receive the filter-id, it assumes the connection is not authenticated, hence the disconnection.
How can I get this to work?