WatchGuard Duo Radius

Has anyone successfully set up a WatchGuard firewall with Duo RADIUS?

I have set up my Duo Proxy:

[radius_client]
host=127.0.0.1
port=1812
secret=xxxxxxxxxx
pass_through_all=true

[radius_server_auto]
ikey=xxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxx
api_host=xxxxxxxxxxxxx
radius_ip_1=192.168.36.2
radius_secret_1=xxxxxxx
client=ad_client
pass_through_all=true
failmode=safe
port=18120

Set up NPS on the same box:

Radius client
Address 127.0.0.1
Shared Secret

Network policy
Grant access
Conditions - user group SSLVPN-Users
PAP
Radius attributes, Standard
Framed-Protocol PPP
Service-Type Framed
Filter-ID - SSLVPN-Users

On the WatchGuard I set all RADIUS settings as per the documentation.
It does a Duo push, then I get:

2020-08-11 09:42:26 admd Authentication of SSLVPN user xxxxx@RADIUS] from 192.168.36.33 rejected, user isn’t in the right group id=“1100-0005”

Does anyone have any suggestions?

Thanks,
Brett

Hi @BAB, right now you have the Filter-ID set to SSLVPN-Users. Notice how the response you get says “user isn’t in the right group”? I think the issue here is that you have to specify attribute 11 (filter-id) as the group attribute when using groups for VPN authorization with this configuration. I got this answer from a past discussion on integrating Watchguard and the Duo Authentication Proxy using Radius, which you can check out for more details. Does this help?

Hi,
I have the same issue with having attribute 11. I believe this is a WatchGuard problem, as there is a “Users and Groups” part to specify which users or groups WatchGuard must authenticate. Now when I add a user in this section, everything works fine and I get the Duo push and get authenticated by WatchGuard. But when I add the group in this part and disable the user (considering that the user is added to this group and the config on the Duo part is OK too), when I enter the username and password, I get the Duo push, but when I accept it, WatchGuard denies me from connecting, saying that the user is rejected with the same error that was mentioned above. So I want to change from RADIUS to LDAP to see if anything changes. I will try to update this post when I have tried it.

OK, I just made it work. So I was missing two things:

  1. I was using CentOS 8 as the RADIUS server, so its firewall was blocking the traffic. We need to open the ports on the CentOS firewall with the commands below:

sudo firewall-cmd --add-port=1812/udp
sudo firewall-cmd --add-port=18120/udp
sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload

  2. The attribute 11 (Filter-ID) that we set on NPS should have as its value the name of the AD group that we want to authenticate.

These two solved my issue and I can authenticate with 2FA.

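The two answers above turn on the same detail: the Filter-ID attribute (RADIUS attribute 11) in the Access-Accept must carry the exact name of the group the firewall is configured to authorize, otherwise the gateway rejects the user even though the Duo push succeeded. The following Python example is added here to illustrate that mechanism; it is not code from the thread, from Duo or from WatchGuard. It builds an RFC 2865 Access-Accept with the three attributes the NPS policy above returns (Framed-Protocol, Service-Type, Filter-ID), checks the Response Authenticator the way a RADIUS client should, and then applies a gateway-style group check. The shared secret, request authenticator and group names are constructed values, and the exact-string comparison of Filter-ID against the configured group is an assumption for the demonstration, not a statement about how WatchGuard matches internally.

```python
"""Encode/decode a RADIUS Access-Accept and perform the Filter-ID group check.

Added example (not from the thread). Wire format per RFC 2865:
  Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
  each attribute: Type(1) Length(1) Value(Length-2)
"""
import hashlib
import hmac
import struct

# RFC 2865 codes and attribute types used by the NPS policy in the thread
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_FILTER_ID = 11
SERVICE_TYPE_FRAMED = 2
FRAMED_PROTOCOL_PPP = 1

# Constructed test values (not real secrets)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))  # stands in for the Access-Request's random authenticator


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> packed attribute section."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; a reply under the wrong secret fails."""
    _, _, auth, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(auth, expected)


def groups_from_accept(packet):
    """All Filter-ID (attribute 11) values in an Access-Accept, as text."""
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]


def user_allowed(packet, required_group):
    """Gateway-side check (assumed exact match): pass only if Filter-ID names the configured group."""
    return required_group in groups_from_accept(packet)


def accept_for_group(group_name, identifier=7):
    """Access-Accept mirroring the NPS policy: PPP, Framed, Filter-ID = group_name."""
    attrs = [
        (ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        (ATTR_FILTER_ID, group_name.encode("utf-8")),
    ]
    return build_access_accept(identifier, REQ_AUTH, SECRET, attrs)


if __name__ == "__main__":
    good = accept_for_group("SSLVPN-Users")
    wrong = accept_for_group("Domain Users")  # constructed: Filter-ID not matching the firewall group
    print("authenticator valid:", verify_response(good, REQ_AUTH, SECRET))
    print("SSLVPN-Users allowed:", user_allowed(good, "SSLVPN-Users"))
    print("Filter-ID 'Domain Users' allowed:", user_allowed(wrong, "SSLVPN-Users"))
```

The second case reproduces the symptom in the thread: Duo approves the push and NPS returns an Access-Accept, but the gateway's group check fails because the Filter-ID string does not name the group in its Users and Groups list, so the user is rejected after a successful second factor.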