T11:19:13+0100 CC LDAPMessage(id=1, value=LDAPBindResponse(resultCode=0), controls=None) T11:19:13+0100 SS LDAPMessage(id=4, value=LDAPBindRequest(version=3, dn=‘CN=svcXX,OU=XXServiceAccounts,DC=XX,DC=local’, auth='’, sasl=False), controls=None) So frustrating still cant get this working Watchguard with LDAP anyone have any ideasĠ8-10T11:19:13+0100 Starting factory Log in (bind): Failed (user is not authenticated) Until I saw this topic, I thought all the was left for us to do is switch our Watchguard from AD authentication to RADIUS authentication using the Duo Authentication Proxy.Ĭonnect to server: Ok (connected to 192.168.36.212) I’m using a RADIUS server testing tool (NTRadPing 1.5), pointed to the Duo Authentication Proxy, and it seems to be working fine with Duo 2FA - the RADIUS testing tool gets back access-success and access-reject responses from the Duo Authentication Proxy depending on whether I approve or deny on the Duo App. Next we want to add Duo 2FA to our VPN.Ģ – We are using Watchguard SSL VPN, with the Watchguard using our on-premise Active Directory to authenticate VPN users.ģ- I have configured the Duo Authentication Proxy cfg file with and sections. I did not know we would need to stand up an NPS server! Is an NPS server required only if we need to specify AD groups on the Watchguard’s Authorized Users and Groups list? It’s no problem for us to enter only individual users.ġ – I recently got Duo Authentication for Windows Logon and RDP up and running, using the Duo Authentication Proxy. You can also contact Duo Support, but Support may not be able to walk you through NPS I read though all the posts and linked documents on this invaluable topic. There is a guide for pointing Watchguard directly to NPS that you may find useful if you have never done anything in NPS before, but keep in mind this is not exactly the same config you’d use for Duo (per the info above and from the Duo Watchguard guide).Īre you working with a Duo sales account exec? They can connect you with a sales engineer who can help you through this. Next you’d create a connection request policy in NPS that uses PAP, Windows authentication, and includes the filter-id attribute.Īt this point NPS should be ready to accept a connection from the Duo Authentication Proxy, authenticate the user to AD, and return the filter-id attribute in the response to the Duo server. The secret used here should be the same as in your authproxy.cfg setting. Do you already have Watchguard authenticating against NPS? Or are you setting it up new just to use Duo?Īdd the Duo Authentication Proxy server as a RADIUS client to NPS using PAP.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |