Is Duo compatible with WatchGuard IKEv2 VPN using MSCHAPv2?

Hello!

I have IKEv2 VPN working fine with Windows 10 IKEv2 client when using only RADIUS and no Duo. My NPS server is set to use only MSCHAPv2 and not EAP-MSCHAPv2, so I don’t think that lack of EAP-MSCHAPv2 support is the issue, i.e., IKEv2 VPN connects without it in my NPS server settings.

When I throw Duo into the mix and try to log into the IKEv2 VPN, I get the prompt on my phone and allow it, and the VPN rapidly says “Cannot connect to…” my IKEv2 VPN name. In FSM traffic monitor (with Authentication set to Debug level), I get a line stating:

2020-03-04 21:50:12 iked msg=ike2_StoreMSCHAPv2Result: Received authentication result does not have the expected content Debug

What does “Received authentication result does not have the expected content” mean? I have no idea and Google searches come up with nothing helpful.

Can Duo work with an IKEv2 VPN that works fine using only MSCHAPv2 for a plain-RADIUS connection?

Gregg

For the Duo Authentication Proxy to use MSCHAPv2, it must be configured to use RADIUS as both the server and the client. When you added Duo, did you point your proxy config’s [radius_client] to the NPS server?

Is it certain that the WatchGuard IKEv2 VPN isn’t using EAP-MSCHAPv2? In this comment the poster seems to indicate that it is EAP-MSCHAPv2 and it could not be changed.

This WatchGuard documentation page also shows EAP-MSCHAPv2 as the only authentication option for “Mobile VPN with IKEv2 authentication” (is that the right product you’re using?).

My Windows Server 2019 Standard server is on LAN IP 192.168.16.11 and is running NPS for IKEv2 authentication.

The LAN IP is 192.168.16.1 for my WatchGuard firewall.

“Is it certain that the WatchGuard IKEv2 VPN isn’t using EAP-MSCHAPv2?” I am as certain as I can be because my NPS settings do not include EAP-MSCHAPv2 at all. It’s strictly using only MSCHAPv2 and it works for plain RADIUS. However, I suppose it could be something not exposed to NPS that uses EAP-MSCHAPv2. I doubt it, though…because it works using MSCHAPv2 for plain RADIUS. Also, this article https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g3AOSAY&lang=en_US makes no mention of the EAP-MSCHAPv2 requirement; it just says to use MSCHAPv2.

The following Duo setup works for my WatchGuard SSLVPN and WatchGuard firewall authentication pages, but not the WatchGuard IKEv2 VPN.

[radius_client]
host=192.168.16.11
secret_protected=xxxxxxxxxxxyyyyyyzzzzzzzzzzzz
pass_through_all=true

[radius_server_auto]
ikey=BOGUSSTUFF
skey=21342134(bogus)
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=192.168.16.1
radius_secret_protected_1=xxxxxxxxxxxyyyyyyzzzzzzzzzzzz
failmode=safe
client=radius_client
port=1821

The WatchGuard firewall sees the authentication successfully, but it appears to be missing some mystery content when it is sent back to the firewall. I don’t know what the “expected content” is supposed to be. I have asked WatchGuard the same questions.

2020-03-08 21:15:11 admd msg=Authentication of MUVPN user [Gregg@Duo] from 172.112.x.y was accepted msg_id=“1100-0004” Event
2020-03-08 21:15:11 iked msg=ike2_StoreMSCHAPv2Result: Received authentication result does not have the expected content Debug

While posting this same issue on WatchGuard’s forum, it dawned on me that the log line says “iked msg=ike2_StoreMSCHAPv2Result”, which to me indicates it is indeed using plain MSCHAPv2.

I just did more testing. On my NPS server, I removed MSCHAPv2 and added EAP-MSCHAPv2 as the only protocol, then tried to connect, and I got an instant “Cannot connect to WG IKEv2” message. Even the working plain-RADIUS breaks with only EAP-MSCHAPv2 protocol. If I add MSCHAPv2 back, or go to only MSCHAPv2, plain RADIUS works again. Using only EAP-MSCHAPv2, my firewall live logging shows:

2020-03-10 12:03:24 admd msg=Authentication of MUVPN user [Gregg@Duo] from x.x.x.x was rejected, received an Access-Reject response from the (192.168.16.11) server msg_id=“1100-0005” Event

It rejects the EAP-MSCHAPv2 connection outright.

So, yes, I can confirm that WatchGuard’s IKEv2 VPN uses only MSCHAPv2…as far as I can tell.

I just found this reference “Mobile VPN with IKEv2 supports two-factor authentication for MFA solutions that support MS-CHAPv2” in this article https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_about_c.html

When I test a plain RADIUS connection using NTRadPing, it gives back an “Access-Accept” message. However, I just found in the authproxy log that Duo(?) returns an “AccessAccept” message, without the dash in the name? Could this be the problem?

2020-03-11T22:27:46-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.16.1’, 59092), Gregg, 121): Returning response code 2: AccessAccept

Nope! The lack of a hyphen in the Duo proxy text log doesn’t mean anything. If you did a packet capture you’d see the accept packet is correctly identified as code 2 per the RADIUS RFC.

Did you open a case about this with Duo Support? Did you send in the full authproxy.log and a packet capture from the Duo proxy server for the auth failure? If you did, DM me the case number and I’ll go take a look.
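The reply above suggests checking the packet capture rather than the proxy's text log. The script below is an added example, not code from the thread, from Duo or from WatchGuard. Given the raw bytes of the Access-Accept from the capture, the Request Authenticator of the matching Access-Request and the RADIUS shared secret, it checks that the reply's Response Authenticator is valid for that secret (RFC 2865) and reports whether the reply carries a Microsoft MS-CHAP2-Success vendor-specific attribute (vendor ID 311, vendor type 26, RFC 2548), which a RADIUS client completing MS-CHAPv2 mutual authentication needs in the Access-Accept; a bare Access-Accept with only code 2 is a valid RADIUS accept but carries no MS-CHAPv2 result. The two sample packets, the secret and the authenticator string in them are constructed for the example, not taken from the poster's capture.

```python
"""Decode a RADIUS reply and report whether it carries an MS-CHAPv2 result.

Added example; the packets, secret and Request Authenticator below are
constructed for illustration and are not from the forum poster's capture.
"""
import hashlib
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
ATTR_REPLY_MESSAGE = 18
ATTR_VSA = 26               # Vendor-Specific, RFC 2865 section 5.26
VENDOR_MICROSOFT = 311      # RFC 2548
MS_CHAP_ERROR = 2           # vendor type, RFC 2548 section 2.1.6
MS_CHAP2_SUCCESS = 26       # vendor type, RFC 2548 section 2.4


def parse_attributes(data):
    """Return [(type, value)]; a VSA value is expanded to (vendor, vtype, vvalue)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VSA:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]       # vendor-length covers type+len+value
            if vlen != len(value) - 4:
                raise ValueError("bad vendor-specific length")
            attrs.append((atype, (vendor, vtype, value[6:6 + vlen - 2])))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def parse_radius(pkt):
    """Split a RADIUS packet into its header fields and attribute list."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field does not match packet")
    return {"code": code, "name": RADIUS_CODES.get(code, "unknown"),
            "id": ident, "authenticator": pkt[4:20],
            "attrs": parse_attributes(pkt[20:length])}


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Assemble a server reply (used here only to construct sample packets)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def ms_vsa(vtype, vvalue):
    """Encode the value part of a Microsoft vendor-specific attribute."""
    return struct.pack("!IBB", VENDOR_MICROSOFT, vtype, len(vvalue) + 2) + vvalue


def verify_reply(pkt, request_auth, secret):
    """True if the reply's Response Authenticator matches the shared secret."""
    p = parse_radius(pkt)
    expected = response_authenticator(p["code"], p["id"], len(pkt),
                                      request_auth, pkt[20:], secret)
    return p["authenticator"] == expected


def mschap2_result(pkt):
    """('success', ident, 'S=<hex>'), ('error', msg) or (None, None)."""
    for atype, val in parse_radius(pkt)["attrs"]:
        if atype == ATTR_VSA and val[0] == VENDOR_MICROSOFT:
            _, vtype, vval = val
            if vtype == MS_CHAP2_SUCCESS:      # Ident byte, then "S=" + 40 hex chars
                return ("success", vval[0], vval[1:].decode("ascii"))
            if vtype == MS_CHAP_ERROR:         # Ident byte, then error string
                return ("error", vval[1:].decode("ascii"))
    return (None, None)


# Constructed sample data (not real credentials or captured traffic).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))                    # Request Authenticator of the Access-Request
SUCCESS_STR = b"\x01S=" + b"0123456789ABCDEF0123456789ABCDEF01234567"
ACCEPT_WITH_MSCHAP = build_reply(2, 121, REQ_AUTH, [
    (ATTR_VSA, ms_vsa(MS_CHAP2_SUCCESS, SUCCESS_STR)),
    (ATTR_REPLY_MESSAGE, b"Welcome")], SECRET)
ACCEPT_BARE = build_reply(2, 121, REQ_AUTH, [(ATTR_REPLY_MESSAGE, b"Welcome")], SECRET)

if __name__ == "__main__":
    for label, pkt in (("with MS-CHAP2-Success", ACCEPT_WITH_MSCHAP), ("bare", ACCEPT_BARE)):
        p = parse_radius(pkt)
        print(label, p["name"], "id", p["id"],
              "auth ok" if verify_reply(pkt, REQ_AUTH, SECRET) else "auth BAD",
              mschap2_result(pkt))
```

To use it on a real failure, take the UDP payload of the Access-Accept sent to the Firebox and the Request Authenticator from the Access-Request it answers (both visible in a capture on the proxy host), and run verify_reply and mschap2_result on them; the decoder rejects malformed lengths rather than guessing, since a truncated or mis-framed attribute is itself a finding.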

Kristina,

I did not open a case about this with Duo Support. I thought that support is only for paid subscriptions and I only have two users.

I can send you whatever you want, but for now, I just use WatchGuard AuthPoint for IKEv2 VPN with MSCHAPv2 two-factor authentication.

Gregg

If you feel like taking a look at my case for this, Kristina, it’s 00482247.
However, it looks like Duo isn’t an option since they don’t support EAP-MSCHAPv2. At least according to this page:
https://help.duo.com/s/article/2084

aztman,

The Duo article you linked is incorrect where it states, “Applications that only support EAP-MSCHAPv2, such as WatchGuard Firebox IKEv2 mobile VPN,…”

The WatchGuard IKEv2 VPN does not use EAP-MSCHAPv2, but only uses plain MSCHAPv2, as you can see from my testing noted above.

Gregg