Watchguard Firebox Mobile VPN w/SSL and DUO MFA Integration Issues

Hello there - thank you in advance, as I have already done tons of additional research after going through documentation on both DUO and Watchguards’ websites.

I’m having an issue getting this Firebox for a client to authenticate requests to the RADIUS server (DUO Proxy) at all; it is immediately failing upon entering credentials in the Mobile VPN w/SSL. What I have done so far:

- Installed/Configured DUO Proxy on DC2
- Configured NPS on DC1
- Setup DUO Proxy as RADIUS Client with shared key
- Configured Network Access Policy Conditions to allow VPNUsers group to connect
- Set attribute -11 to “VPNUsers” (case-sensitivity verified)
- Configured Firebox to use RADIUS authentication for Mobile VPN w/SSL
- Configured RADIUS server to point to DUO proxy on DC2
- Used same shared key from RADIUS server on DC1
- Added ‘VPNUsers’ group under SSLVPN-Users server manually to Mobile VPN settings
- ‘Protected’ RADIUS app in DUO
- Confirmed my matching AD username is setup and registered in DUO
- Configured Proxy Config as follows:

#DUO CLOUD SYNC#
[cloud]
ikey=FIE
skey=6pN
api_host=.duosecurity.com

#RADIUS/NPS Server#
[radius_client]
host=NPS/RADIUS IP
secret=eMH
pass_through_all=true

#Firebox#
[radius_server_auto]
ikey=SOA
skey=PXu
api_host=.duosecurity.com
radius_ip_1=Firebox IP
radius_secret_1=eMH
failmode=safe
client=radius_client
port=1812
pass_through_all=true

#AD Server#
[ad_client]
host=DC1
service_account_username=duo.proxy
service_account_password=aaaaaaaa
search_dn=DC=domain,DC=local

When I go to login with my AD credentials, the mobile VPN client instantly rejects my credentials and I just get an ‘auth failed’ response. This should be authenticating through AD using RADIUS, not LDAP. Where did I mess up?

It’s been a while… and this is a Duo question not a watchguard… but…

The ad_client stanza isn’t being used here, because radius_server_auto is using the radius_client stanza (according to client=) for the password authentication. Change that variable over to ad_client if you want it to use that information to verify passwords.

If you do want to use radius to NPS on dc1, then that’s what should go under host= in the radius_client stanza.

Change the port number on the WG and your DUO proxy to something else, like 1813. RADIUS is listening on 1812; assuming your proxy is on your RADIUS server, it’s not hitting the DUO proxy, it’s going straight to RADIUS. Then have your DUO proxy forward that to RADIUS on port 1812.

I went through all of this a while back and finally got it working. I can send you an example config tomorrow if it’s still not figured out.
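The two things this reply points at (whether the `client=` line actually references the stanza you think it does, and whether the proxy's listening port collides with the upstream RADIUS port when proxy and NPS share a host) can be checked mechanically before touching the Firebox. The script below is an added example, not code from this thread or from Duo. The config text inside it is a constructed placeholder modelled on the config in the question (fake keys, secrets and addresses), and `proxy_host` is an assumed argument telling the checker which host the proxy runs on, since the config file itself does not say.

```python
"""Static sanity check for a Duo Authentication Proxy config (authproxy.cfg).

Added example (not from the thread or from Duo). It flags:
  1. a [radius_server_*] stanza whose client= names a stanza that does not
     exist, and a primary-authenticator stanza ([ad_client]/[radius_client])
     that no listener references, so it is silently unused;
  2. a listener on the same port that [radius_client] forwards to, when the
     proxy and the upstream RADIUS server are the same host, so the Firebox
     would reach NPS directly and bypass the proxy.
"""
import configparser
from typing import List

# Constructed sample modelled on the config in the question. Keys, secrets
# and addresses are placeholders, not real values.
SAMPLE_CFG = """\
; Duo cloud sync
[cloud]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com

; upstream NPS/RADIUS on DC1 (assumed address)
[radius_client]
host=10.0.0.11
secret=PLACEHOLDER_SECRET
pass_through_all=true

; listener the Firebox talks to (Firebox address assumed)
[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER_SECRET
failmode=safe
client=radius_client
port=1812
pass_through_all=true

; defined, but nothing references it via client=
[ad_client]
host=dc1.domain.local
service_account_username=duo.proxy
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=domain,DC=local
"""

# Stanza name prefixes that act as a primary (password) authenticator.
PRIMARY_PREFIXES = ("ad_client", "radius_client")


def parse_cfg(text: str) -> configparser.ConfigParser:
    """Parse authproxy.cfg-style INI text; ';' and '#' comment lines are accepted."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def check_client_refs(cfg: configparser.ConfigParser) -> List[str]:
    """Report dangling client= references and unreferenced primary stanzas."""
    problems: List[str] = []
    listeners = [s for s in cfg.sections() if s.startswith("radius_server_")]
    referenced = set()
    for section in listeners:
        client = cfg.get(section, "client", fallback=None)
        if client is None:
            problems.append(f"[{section}] has no client= line")
        elif client not in cfg.sections():
            problems.append(f"[{section}] client={client} but no [{client}] stanza exists")
        else:
            referenced.add(client)
    for stanza in cfg.sections():
        if stanza.startswith(PRIMARY_PREFIXES) and stanza not in referenced:
            problems.append(
                f"[{stanza}] is defined but no radius_server_* stanza references it, so it is never used"
            )
    return problems


def check_port_collision(cfg: configparser.ConfigParser, proxy_host: str) -> List[str]:
    """Flag a listener port equal to the upstream RADIUS port on the same host."""
    problems: List[str] = []
    if "radius_client" not in cfg:
        return problems
    upstream_host = cfg.get("radius_client", "host", fallback="")
    upstream_port = cfg.getint("radius_client", "port", fallback=1812)  # Duo default
    for section in cfg.sections():
        if not section.startswith("radius_server_"):
            continue
        listen_port = cfg.getint(section, "port", fallback=1812)
        if upstream_host == proxy_host and upstream_port == listen_port:
            problems.append(
                f"[{section}] listens on {listen_port} and [radius_client] forwards to "
                f"{upstream_host}:{upstream_port}; same host and port, so the proxy is bypassed"
            )
    return problems


def audit(cfg_text: str, proxy_host: str) -> List[str]:
    """Run both checks and return the combined findings."""
    cfg = parse_cfg(cfg_text)
    return check_client_refs(cfg) + check_port_collision(cfg, proxy_host)


if __name__ == "__main__":
    # Proxy on DC2 (10.0.0.12, assumed), a different host from NPS, as in the question.
    for line in audit(SAMPLE_CFG, "10.0.0.12") or ["no problems found"]:
        print(line)
```

Run against the sample with the proxy on a separate host, it reports only the unused `[ad_client]` stanza; run with `proxy_host` set to the NPS address, it also reports the 1812 collision, which is the case this reply describes.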

Well, no I want to use RADIUS technically. It should be passing AD usernames/passwords and group association to the DUO proxy, which forwards to NPS/RADIUS for authentication right?

I removed the ad_client syntax altogether and tried as well, with the same error.

I’m going to try taking DUO out of the equation by redirecting the Firebox RADIUS connection directly to the NPS, instead of DUO Proxy and confirming that RADIUS authentication into the Mobile VPN is successful and then go from there.

“- Installed/Configured DUO Proxy on DC2
- Configured NPS on DC1”

The documentation mentioned installing the Proxy and NPS on the same server would be an issue, so I went ahead and installed the proxy on a different DC, that way I could test RADIUS by itself in an isolated environment as well to confirm it is working aside from the DUO integration (it is).