Hello everybody,

I’m just biting my teeth out.

I have the following configuration:

Watchguard Firewall 12.6.4
Windows NPS Server W2016
DUO Proxy Server W2016

I carried out the configuration 1:1 as stated on the Watchguard page.

Watchguard DUO

The NPS server was installed and registered in the AD.

If I now specify “authenticate without user verification” in the connection requests on the NPS server for a test, the registration from the Watchguard to the Radius server goes through, the 2 factor authentication works with DUO. Now of course I would also like the password to be checked.

The correct domain user is displayed in the error log, but I get the error message here:

NPS has denied access to a user.

Reason code: 16
Cause: Authentication failure due to user credential mismatch. The specified username is not associated with an existing user account, or the password was incorrect.

Since Watchguard only uses PAP, the use of certificates is not necessary here. In addition, I found a relatively large number of possible solutions on the WWW, which I nevertheless tried out on a test basis. The mistake remained the same.

It seems to me that the NPS would not even query the AD, and therefore DUO acknowledges in the log that it does not receive any feedback from NPS.

2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] (('', 58910), xxxx, 28): login attempt for username 's.amrein'
2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] Sending request for user 'xxxx' to ('', 1812) with id 160
2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] Got response for id 160 from ('', 1812); code 3
2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] (('', 58910), xxxx, 28): Primary credentials rejected - No reply message in packet
2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] (('', 58910), xxxx, 28): Returning response code 3: AccessReject
2021-02-06T14:06:08+0100 [duoauthproxy.lib.log#info] (('', 58910), xxxx, 28): Sending response

Maybe someone can help me here.

Best thanks in advance…


Did you find it?

I can help you with that; on my side everything works for the Watchguard SSL Client and Duo with NPS.

Don’t forget to check that your user is in only one group of the NPS check list for the authentication.

If the user is in 2 groups this will fail!

And in the Watchguard console try the keyword “adm”; you will see why the connection is refused on the Watchguard side.

Hello Jeff,

I have found the issue.

It’s so simple… when you have found the solution. My password contained an “ö”. I have found a thread with a reference to my solution. You cannot use ä, ö, ü, ß and special characters such as €, ~ or §.
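
An added example, not part of the thread and not code from WatchGuard, Duo or Microsoft: RADIUS PAP (RFC 2865, section 5.2) hides the raw password bytes and carries no character-set information, so a non-ASCII password only verifies if every hop encodes it the same way. The sketch implements that hiding step and shows which kinds of characters stop round-tripping; the shared secret, the authenticator and the cp1252/UTF-8 pairing are constructed assumptions, not values observed in this setup.

```python
import hashlib

SECRET = b"constructed-shared-secret"   # constructed sample value
AUTHENTICATOR = bytes(range(16))        # constructed 16-byte Request Authenticator

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-byte blocks, XOR with chained MD5."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the receiving RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def survives_hop(password: str, sender_enc="cp1252", receiver_enc="utf-8") -> bool:
    """True if the receiver recovers exactly the string the user typed.
    The two encodings are assumptions chosen to illustrate a mismatch."""
    try:
        wire = pap_hide(password.encode(sender_enc), SECRET, AUTHENTICATOR)
        return pap_reveal(wire, SECRET, AUTHENTICATOR).decode(receiver_enc) == password
    except UnicodeError:
        return False

def non_ascii_chars(password: str) -> list:
    """Characters worth flagging before a password is used over PAP."""
    return sorted({c for c in password if ord(c) > 127})

if __name__ == "__main__":
    # Constructed sample passwords; "~" is ASCII and is unaffected in this model.
    for pw in ["Sommer2021!", "Schl\u00f6ssel", "a~b", "Preis\u20ac", "Stra\u00dfe\u00a7"]:
        print(repr(pw), survives_hop(pw), non_ascii_chars(pw))
```

The model only covers encoding mismatches for non-ASCII characters; it does not account for the “~” restriction mentioned in the post.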



Hi there,
I’m glad you found the answer you needed, Stefan! Thank you for following up here to share it with the community, and thanks to Jeff for being so helpful as well.