Hey everyone, I am a noob to WatchGuard and just curious if we can add MFA, using Microsoft Authenticator, to the WatchGuard VPN client.
The only thing I am finding is either using the Access Portal or Autopilot.
Thanks for the help
Read through the WatchGuard integration guides. They have one for just about everything.
I believe you need to use AuthPoint / Portal… ? Await others to contradict this.
Duo has been working fairly well for us.
I’ve seen a successful implementation using Azure AD and conditional access for this. I don’t have examples.
Assuming you have on-premises AD, you'd need Azure AD Connect set up and working, then the conditional access configuration.
Duo might be easier, but you'd need a VM in Azure to run the Duo Proxy, then enable the MFA integration with Duo for M365/Azure AD.
I would also think you can do this with AuthPoint more easily.
AuthPoint is the official MFA method. We have it synced to AD for SSO. Works for local admin, cloud admin, user VPN, etc.
So much this. You do need an understanding of their products but their guides are very detailed.
Not exactly. AuthPoint is the only native option, but you can use almost any MFA provider with RADIUS.
Thanks, but to my understanding with Duo you need to install a local server, correct?
The client is using conditional access. By any chance, would you know of any documentation on this?
Yep, unless you have another authentication source. It's just RADIUS. Is that an issue? You did not give any details in your post.
The client wanted to set up SAML with Azure Active Directory and use MFA from Microsoft, but from my understanding that will only work with the Access Portal, not with a VPN client.
Awesome, thanks, that was what I am thinking needs to be done.
I pinged him and confirmed the following.
You configure the WatchGuard to use RADIUS via NPS.
The NPS server is still the traditional Windows NPS role and needs to be on-premises or a VM hosted in Azure or elsewhere.
You then install the NPS MFA Extension: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
You must have Azure AD Connect already set up and working.
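The RADIUS leg that the replies above keep pointing at (NPS plus the Azure MFA NPS extension in the post just above, or "almost any MFA provider with RADIUS" earlier in the thread) can be checked from any host before the Firebox is touched. What follows is an added example, not code from the thread, WatchGuard or Microsoft: a minimal RFC 2865 PAP test client in Python that builds an Access-Request with the User-Password hiding the RFC specifies, sends it to the RADIUS server, and verifies the Response Authenticator on the reply so that a wrong shared secret or a forged answer is reported rather than silently trusted. It also contains the server-side reply builder so the exchange can be exercised offline. The hostname, shared secret and username are placeholders, the host running it must already be registered as a RADIUS client on the server, and the 60-second wait is an assumed value chosen to leave time for a push approval.

```python
# Minimal RADIUS (RFC 2865) PAP test client: added example, not code from the
# thread, WatchGuard or Microsoft. Server, secret and user are placeholders.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def pap_decrypt(encrypted, secret, authenticator):
    """Inverse of pap_encrypt (the server's view); strips the NUL padding."""
    if not encrypted or len(encrypted) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encrypted[i:i + 16], keystream))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """One attribute TLV: Type, Length (header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side: Access-Request with a fresh random Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + attr(NAS_IDENTIFIER, b"radius-check"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side (what NPS sends): ResponseAuth = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_response(packet, ident, request_authenticator, secret):
    """Check the reply came from a server holding our secret before trusting its code."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        raise ValueError("length or identifier mismatch")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, parse_attrs(attrs)

def radius_check(server, secret, username, password, port=1812, timeout=60.0):
    """Send one Access-Request and wait; the long timeout (an assumed value) leaves
    time for a push approval, which the Firebox RADIUS timeout must also allow."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (NPS not listening, this host not a registered client, or push not approved)"
    code, attrs = parse_response(reply, ident, req_auth, secret)
    messages = [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]
    return f"{CODE_NAMES.get(code, code)} {messages}"

if __name__ == "__main__":
    import sys  # python radius_check.py nps.example.local SHARED_SECRET alice@example.com 'P@ss'
    server, secret, user, pw = sys.argv[1:5]
    print(radius_check(server, secret.encode(), user.encode(), pw.encode()))
```

A silent timeout is the usual first symptom: NPS discards requests from addresses that are not registered RADIUS clients, so there is no Access-Reject to read. Once a reply arrives, the Response Authenticator check is what distinguishes "MFA said no" (a verified Access-Reject) from "the shared secret on the two sides differs", which otherwise looks the same from the VPN client.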
Is an Azure / Entra license needed or is Business Premium enough?
Is the goal SSO or MFA? Those are two separate technologies.
I’ve read that you can use Azure AD for RADIUS authentication* (no idea if you need extra tenant licensing), so you could try setting up a RADIUS authentication server that way. Users would use their O365 credentials to log into the VPN. If they have MFA enabled/forced, it's supposed to prompt them for confirmation.*
This has been discussed a few times in the past 1-2 months. Do a quick search (or scroll through the hot tab).
I’ve posted links to everything you need to set this up. Unfortunately, I don’t have them handy to repost for you.
I know you asked about using the auth app, but note that it can NOT be done with SMS
I couldn’t find any documentation but will look again. The only thing I found was setting up a local NPS server with the Azure extension, but the client doesn’t want to install anything local.
Yep, you’re right. I found the link my team had been discussing, and the section where it says that you don’t need an on-prem server has a note about requiring something hosted in Azure. I guess that’s an option for some clients, but why not just provide RADIUS directly as an identity provider? Thanks MS.
Good luck OP. I’d still give the Access Portal a shot; from what I recall it should use the same authentication methods (and MFA) as the SSL VPN if set up.