Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1725
Views
3
Helpful
4
Replies

DUO Watchguard VPN

samrein
Level 1
Level 1

‎02-06-2021 05:28 AM

Hello everybody,

I’m just biting my teeth out.

I have the following configuration:

Watchguard Fireall 12.6.4
Windows NPS Server W2016
DUO Proxy Server W2016

I carried out the configuration 1: 1 as stated on the Watchguard page.

Watchguard DUO

The NPS server was installed and registered in the AD.

If I now specify “authenticate without user verification” in the connection requests on the NPS server for a test, the registration from the Watchguard to the Radius server goes through, the 2 factor authentication works with DUO. Now of course I would also like the password to be checked.

The correct domain user is displayed in the error log, but I get the error message here:

NPS has denied access to a user.

Reason code: 16
Cause: Authentication failure due to user credential mismatch. The specified username is not associated with an existing user account, or the password was incorrect.

Since Watchguard only uses PAP, the use of certificates is not necessary here. In addition, I found a relatively large number of possible solutions on the WWW, which I nevertheless tried out on a test basis. The mistake remained the same.

It seems to me that the NPS would not even query the AD, and therefore DUO acknowledges in the log that it does not receive any feedback from NPS.

2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] (('192.168.4.1', 58910), xxxx, 28): login attempt for username 's.amrein'
2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] Sending request for user 'xxxx' to ('192.168.4.66', 1812) with id 160
2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] Got response for id 160 from ('192.168.4.66', 1812); code 3
2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] (('192.168.4.1', 58910), xxxx, 28): Primary credentials rejected - No reply message in packet
2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] (('192.168.4.1', 58910), xxxx, 28): Returning response code 3: AccessReject
2021-02-06T14: 06: 08 + 0100 [duoauthproxy.lib.log # info] (('192.168.4.1', 58910), xxxx, 28): Sending response

Maybe someone can help me here.

Best thanks in advance…

greetings
Stefan

Labels:
0 Helpful
4 Replies 4

jeff.landry
Level 1
Level 1

‎02-08-2021 05:40 AM

Did you found it ?

i Can help you with that on my side everything work for the Watchguard SSL Client and Duo with NPS.

Don’t forget to check if your user is only into one group of NPS check list for the Authenfication.

If the user are into 2 Groups this will fail !

jeff.landry
Level 1
Level 1

‎02-08-2021 05:47 AM

And into the Watchguard Console try the Keyword “adm” you will see why the connection is refuse on the side of watchguard.

0 Helpful

samrein
Level 1
Level 1

‎02-08-2021 06:50 AM

Hello Jeff,

i have found the issue.

It so simple…when you have found the solution. My password contained an “ö”. You cannot use I have found a tread with a reference to my solution. You cannot use ä, ö, ü, ß and special characters such as €, ~ or §.

Greetings,
Stefan

Amy2
Level 5
Level 5
In response to samrein

‎02-11-2021 12:06 PM

Hi there,
I’m glad you found the answer you needed, Stefan! Thank you for following up here to share it with the community, and thanks to Jeff for being so helpful as well.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents