pdesjardins1
asked on
SonicWall RADIUS AuthPoint
SonicWall NAS 2600 RADIUS issues, with WatchGuard AuthPoint MFA
RADIUS server is WatchGuard client installed on a Windows 2016 server.
I followed all the configuration steps on the WatchGuard setup site for a SonicWall box.
When I test the RADIUS on the SonicWall box I get: RADIUS Communication Error
If I do the same test with a wrong password I get: RADIUS Client Authentication Failed
When I conduct the RADIUS test on the SonicWall box, I know the request gets to the WatchGuard RADIUS client, The client sends the request to the AuthPoint site. The site sends the MFA to my phone. I approve on my phone. The AuthPoint site receives the approval. The AuthPoint site sends the approval to the RADIUS client. .....then ???
Is there some logging I can turn on on my SonicWall box to look for this traffic?
Firewall setting on the SonicWall box blocking local LAN RADIUS traffic?
ASKER
Please tell me more.
What do you mean by clients?
Usually client sends a request to the radius server to see whether the credentials provided are authorized.
The server responds yes or no, with some additional parameters for dynamic settings when approved.
Often a MFA,2FA depending on the structure and functionality
Either have an authorization destination and an authentication
User/password send to authenticate
If valid, the auth info is attempted to authorize the session.
By your description watchguard is functioning as the intermediary server: it receives a request username/password which it proxies to the Windows server. If it gets a go ahead, it triggers the second request to the external site. Once you approve it is supposed to issue an accept with parameters potentially passed from the response of the Windows server ...
Rereading your question, radius in use is watchguard and not NPS.
It is using LDAP, or AD related to access.
When you are testing, what response do you get from the sonicwall?
ASKER
Radius is WatchGuard. It is also called the "Gateway." It is downloaded from the WatchGuard site and installed on a local server.
It is using AD.
SonicWall responds "RADIUS communication error."
We can see on the WatchGuard radius client the accept, and it telling the SonicWall to allow.
I can't see, if that message ever gets to the SonicWall box. Either it does not go, or I don't know how to look for it.
Check to capture traffic from the watchguard, Windows system to see if it gets a response, on the server setup, wireshark, or ms network monitor and capture packets to and from the sonicwall.
Let's try it this way, a slight roll back.
Did you initially set up sonicwall to use a single validation process successfully?
Since your watchguard is enforcing the MFA, sonicwall should be expecting a single response.
Yes or no.
The watchguard is issuing a single response yes or no. It internally handles the username/password correct yes or no, if yes, check secondary validation. If approved grant access.
In your case, if you set up the sonicwall for dual factor authentication/authorization it is expecting two responses, one to authenticate and one to authorize.
The error might be that it gets an authorization without getting validation for authentication.
A timeout would have created a different message either a timeout, deny...
ASKER
Ok. The WireShark shows the Radius request and the accept.
This shows that the WatchGuard client is sending the accept to the SonicWall box. Right?
"545","3.380773","10.13.0.1","10.13.0.6","RADIUS","105","Access-Request id=53"
"1026","7.457626","10.13.0.6","10.13.0.1","RADIUS","955","Access-Accept id=53"
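The two capture rows above are Wireshark's CSV export (No., Time, Source, Destination, Protocol, Length, Info). When a capture has many rows it helps to pair each Access-Request with the reply that carries the same RADIUS identifier in the reverse direction and to compute the round-trip time, because a reply that arrives after the NAS has given up on the request shows up on the NAS as a timeout even though the server did answer. The script below is an added example, not code from the thread or from SonicWall or WatchGuard; the sample rows are constructed (the first two mirror the posted capture, the third is a made-up request with no reply), and the host roles (10.13.0.1 as the SonicWall, 10.13.0.6 as the AuthPoint Gateway) and the 5-second NAS timeout are assumptions.

```python
import csv
import io
import re

# Constructed sample in the layout of Wireshark's "Export Packet Dissections -> As CSV".
# Rows 1-2 mirror the thread's capture (10.13.0.1 = SonicWall, 10.13.0.6 = AuthPoint Gateway,
# both assumed); row 3 is a made-up request that never receives a reply.
SAMPLE_CSV = '''"545","3.380773","10.13.0.1","10.13.0.6","RADIUS","105","Access-Request id=53"
"1026","7.457626","10.13.0.6","10.13.0.1","RADIUS","955","Access-Accept id=53"
"1300","9.000000","10.13.0.1","10.13.0.6","RADIUS","105","Access-Request id=54"
'''

INFO_RE = re.compile(r"^(Access-Request|Access-Accept|Access-Reject|Access-Challenge)\s+id=(\d+)")


def parse_rows(text):
    """Turn the CSV export into dicts, keeping only RADIUS rows whose Info column we understand."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 7 or rec[4] != "RADIUS":
            continue
        m = INFO_RE.match(rec[6])
        if not m:
            continue
        rows.append({
            "no": int(rec[0]), "time": float(rec[1]), "src": rec[2], "dst": rec[3],
            "length": int(rec[5]), "type": m.group(1), "id": int(m.group(2)),
        })
    return rows


def pair_transactions(rows, nas_ip, server_ip, nas_timeout=5.0):
    """Match each Access-Request the NAS sent with the server reply that carries the same RADIUS
    identifier in the reverse direction. Returns (answered, unanswered). Answered entries carry
    the reply type, its wire length and the round-trip time, and are flagged when the reply came
    later than the NAS would have waited (the NAS then logs a timeout although a reply exists)."""
    pending, answered = {}, []
    for r in sorted(rows, key=lambda x: x["time"]):
        if r["type"] == "Access-Request" and r["src"] == nas_ip and r["dst"] == server_ip:
            pending[r["id"]] = r
        elif r["src"] == server_ip and r["dst"] == nas_ip and r["id"] in pending:
            req = pending.pop(r["id"])
            rtt = round(r["time"] - req["time"], 6)
            answered.append({"id": r["id"], "reply": r["type"], "rtt": rtt,
                             "reply_length": r["length"], "later_than_timeout": rtt > nas_timeout})
    return answered, list(pending.values())


def summarize(text=SAMPLE_CSV, nas_ip="10.13.0.1", server_ip="10.13.0.6", nas_timeout=5.0):
    """Convenience wrapper: parse, pair, and report answered transactions plus unanswered ids."""
    answered, unanswered = pair_transactions(parse_rows(text), nas_ip, server_ip, nas_timeout)
    return {"answered": answered, "unanswered_ids": [r["id"] for r in unanswered]}


if __name__ == "__main__":
    report = summarize()
    for tx in report["answered"]:
        print(f"id={tx['id']}: {tx['reply']} after {tx['rtt']} s, {tx['reply_length']} bytes on the wire")
    print("no reply seen for ids:", report["unanswered_ids"])
```

On the posted rows this pairs id=53 with an Access-Accept roughly 4.08 seconds after the request, which is the time the push approval took; a NAS timeout shorter than that would turn the same exchange into a timeout on the SonicWall side. The wire length of the reply (955 bytes against a 105-byte request) is also worth noting, since a bare Access-Accept with no reply items would be far shorter.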
Yes, does the sonicwall setup as though it is setup for 2FA MFA?
You have to also be sure that the response items it receives are correct
As part of the access-accept there should be reply items that tell the sonicwall information; if you have dynamic filters, those items should be passed, and if it is a vendor specific attribute that it expects, it needs to receive that.
Please stop using "Watchguard client" as it is not a client, it is the application that functions as the Radius Server in your scenario. The only client function it has deals with the external AuthPoint trigger.
What guide are you using to configure the sonicwall?
ASKER
I will do some research tonight on changes to the SonicWall box for 2FA MFA.
Did you try to use the sonicwall as intended?
ssl VPN?
When you generate the request the check-item are you specifying the type of a connection/access you are attempting, Framed-User, etc. access type to see if you elicit a different response?
recheck the settings on the sonicwall versus the guide after you test the actual access you are setting up.
ASKER
Last night I applied the latest firmware on the SonicWall box.
If I do a RADIUS connectivity test = RADIUS server timeout
If I do a password authentication test = Failed to decode RADIUS reply (check the shared secret)
Shared secret has been confirmed.
Check shared secret and radius client.
Make sure the ip the radius server, watchguard, is expecting the request from is the ip from which it gets it; use wireshark to confirm ...
ASKER
Arnold-
Thank you for your reply.
Yes, I am using the NetExtender SSL VPN client.
In the SonicWall box under RADIUS setting are some tools for testing. These tests fail with different messages.
For example: test with a wrong password I get: RADIUS Client Authentication Failed
When I follow the direction in the guide I get the "push" notification and can see the authentication traffic, but SonicWall Radius says = Failed to decode RADIUS reply (check the shared secret)
ASKER
Shared Secret-
If the Shared Secrets do NOT match, I get an immediate reply from the test. = Failed to decode RADIUS reply (check the shared secret)
If the Shared Secrets match, I get the push notification on my phone...then the error from the test = Failed to decode RADIUS reply (check the shared secret)
With matching Shared Secrets
"545","3.380773","10.13.0.1","10.13.0.6","RADIUS","105","Access-Request id=53"
"1026","7.457626","10.13.0.6","10.13.0.1","RADIUS","955","Access-Accept id=53"
Double-check the guide and user portion: what reply items is the watchguard radius sending in addition to the access-accept?
It needs to respond to clued the possible group affiliation, or ..
Do you have sonicwall setup to also generate accounting notices 1813/1646 ?
You could look on the sonicwall and see if you can capture traffic from and to the radius server. It seems a response to accept is sent, but it is not processing it.
Recheck your sonicwall config to make sure it matches the one in the guide.
Does the sonicwall log event on radius requests?
ASKER
update.
Purchased SonicWall support. Had a SonicWall tech on my machine for 2 1/2 hours last night. Problem not resolved.
Tech gathered packets, logs, and config settings. Will get back to me after doing more homework.
I am more familiar with freeradius, and similar.
I would usually test where I actually can see the response information
i.e. access-accept
Framed-User: PPP
IPADDR:
etc.
it sounds as though the watchguard response does not include a parameter the sonicwall is looking for to authorize the type of connection.
i.e. VPN, does, console, etc.
Besides the access-accept there has to be additional information, i.e. IPpool from which to draw the IP if it is a framed-user:ppp, if the VPN requires an application of an ACL/FILTER/rule the rule entry has to be sent
Consider it this way: you manage access and I check whether the person has access rights. I just started, new.
The rule set for you is that you have to get approval and specific destination to which a person should be taken
joe is at the door. You call me and say joe is at the door. and all I say is ok...
this might be what is going on between your sonicwall and watchguard.
You are tackling two things at the same time. By the sounds of it, it is working correctly as far as the watchguard setup is concerned for the MFA/2FA setup.
ASKER
Thank you everyone for your assistance.
The problem has been resolved.
In the WatchGuard Cloud page > Configure > AuthPoint. Resources >
In your resource, "Value sent for RADIUS Attribute 11" should be set to "User's Authpoint group"
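The earlier point about reply items (the server answering "ok" without telling the NAS anything about the session) and the resolution above (the AuthPoint resource must send RADIUS Attribute 11, Filter-Id, carrying the user's group) both come down to what is inside the Access-Accept and whether the NAS can verify it. The script below is an added example, not code from the thread, SonicWall or WatchGuard: it builds an Access-Request the way a NAS would, builds Access-Accept replies with and without Attribute 11, and checks a reply the way a NAS must, matching the identifier and verifying the Response Authenticator (RFC 2865 section 3, MD5 over code, id, length, request authenticator, attributes and the shared secret) before reading the reply items. A reply signed with a different secret fails that check, which is the condition behind a "failed to decode reply" style error; a reply that passes but carries no Filter-Id is the "approval with no group" case. All secrets, names and group values are constructed for the example, and the User-Password attribute is left out of the request to keep the focus on the reply side.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FILTER_ID = 1, 11  # Filter-Id is "Attribute 11" in the resolution above


def _encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS TLVs: type, total length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_request(ident, username, request_auth=None):
    """Access-Request as a NAS (the SonicWall in the thread) sends it; the User-Password
    attribute is omitted here because only the reply handling is being demonstrated."""
    request_auth = request_auth or os.urandom(16)  # random per request, echoed into the reply hash
    body = _encode_attrs([(USER_NAME, username)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_reply(code, request, attrs, secret):
    """The server's Access-Accept/Reject for `request`, signed with the server's copy of the secret."""
    ident, request_auth = request[1], request[4:20]
    body = _encode_attrs(attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def parse_attrs(body):
    """Walk the TLV list, refusing truncated or zero-length attributes rather than looping on them."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def check_reply(reply, request, secret):
    """NAS-side handling of a reply: match the identifier, verify the Response Authenticator with
    the NAS's copy of the shared secret, and only then read the reply items."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad length field")
    if ident != request[1]:
        return {"status": "id-mismatch", "code": code}
    body = reply[20:length]
    expected = response_authenticator(code, ident, length, request[4:20], body, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return {"status": "bad-authenticator", "code": code}  # secret mismatch lands here
    attrs = parse_attrs(body)
    return {"status": "ok", "code": code, "attributes": attrs,
            "filter_id": [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]}


def demo():
    """Three replies to one request: one with Attribute 11, one bare, one signed with the wrong
    secret. Secret, user and group are constructed values for this example."""
    secret = b"constructed-shared-secret"
    req = build_access_request(53, b"joe")
    with_group = build_reply(ACCESS_ACCEPT, req, [(FILTER_ID, b"vpn-users")], secret)
    bare = build_reply(ACCESS_ACCEPT, req, [], secret)
    wrong_secret = build_reply(ACCESS_ACCEPT, req, [(FILTER_ID, b"vpn-users")], b"other-secret")
    return [check_reply(p, req, secret) for p in (with_group, bare, wrong_secret)]
```

Running `demo()` returns "ok" with `filter_id == ["vpn-users"]`, "ok" with an empty `filter_id`, and "bad-authenticator" for the three replies in that order. The second case is the one to look for when a capture shows an Access-Accept arriving but the NAS still refuses the session: the packet is authentic, but carries nothing the NAS can map to a group or policy.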
One of them is supposed to be functioning as a proxy through which requests and responses flow.