Duo Watchguard SSL VPN

Hi, we’re a university that is already using Duo Security campus-wide, but for my purpose we’re a small department that uses a different user name than the one used campus-wide.
I’m using a Watchguard M200 for VPN access, along with NPS / AD for authentication. This is working great, but I’d like to add Duo Security as MFA.

I followed both the WG guide and the Duo RADIUS guide, but I’m having a connection problem.

Everything seems to be working as intended (the VPN is connecting, I get prompted on my mobile to approve/deny the connection request) until I tap on the Duo Mobile green checkbox, then I get disconnected. The error on the WG device is ‘user isn’t in the right group’.
The problem seems to be very identical to this post.

I tested some more by connecting the Duo Auth Proxy RADIUS to NPS. The event viewer on the NPS confirms the connection is access granted, but the WG disconnects. This tells me the NPS authentication server approves the login with the correct user and password, but the WG device did not get the message of approval.

I believe the problem is the Duo Auth Proxy is not sending back “filter-id” property to the WG device upon approval on the Duo mobile app. The filter-id contains the user group property where the WG device expects it when the connection is approved by the NPS. When the WG device doesn’t receive the filter-id, it would assume the connection is not authenticated hence disconnection.

How can I get this to work?

Hi @Honeypot. Try reading through this post: https://community.duo.com/t/duo-integration-with-watchguard-mobile-sslvpn.

I found the problem, it looks like Duo Auth Proxy does not like MSCHAPv2; it uses unencrypted PAP. I hope this can be added in a future release.

The Duo Authentication Proxy does support MS-CHAPv2 with specific requirements (that it must be RADIUS end-to-end). Anecdotally we’ve heard that it works fine for Watchguard SSL VPN, but we’re aware of an issue with MS-CHAPv2 and Watchguard’s IKEv2 VPN that we plan to correct in a future release (I can’t provide a date at this time).

If you’d like to keep apprised of progress with this, contact your Duo account exec or Duo Customer Success Manager (if you have one), or Duo Support, and ask to be added to the feature request for “Watchguard MPPE”.