WatchGuard Firebox VPN and Active Directory Integration

A short while back, I posted an article on Cisco PIX VPN and Active Directory integration.  Now, I’d like to follow that article up with a version looking at integration between Active Directory and WatchGuard Firebox VPNs.

As with the PIX-AD integration document, this article assumes that you have some basic knowledge of how to work with the WatchGuard Firebox series of firewalls.  This article was written using version 6.2 of the WatchGuard Firebox System software and Windows Server 2003; other versions of either the firewall software or Windows should be similar.

Configuring the Firebox

First, we’ll need to set up the Firebox.  Use the Firebox software (Policy Manager, specifically) to perform the following configuration tasks:

  • Add the server that is running IAS (or will be running IAS; see below) as a RADIUS server in the Authentication Servers dialog box (found on the Setup menu).  Here, you’ll need to specify the server’s IP address, port number (the default of 1645 will be fine), and the shared secret.
  • Instruct the firewall to use RADIUS by going to Setup > Firewall Authentication and selecting “RADIUS” as the authentication type.
  • Configure the firewall’s Remote User VPN (on the Network menu) to use RADIUS by checking the “Use RADIUS to authenticate remote users” check box.

Once this is done, proceed with configuring PPTP-based remote user VPNs as usual.  Be sure to add a rule allowing traffic to/from the pptp_users group; otherwise, VPN users will be subject to the same traffic restrictions as Internet users.

Configuring Internet Authentication Service

Before doing anything else, create a new global security group in Active Directory.  Call it “pptp_users”, just like the name of the group on the Firebox.  This is an important part of the glue that will bind the Firebox together with Active Directory.

If IAS is not already installed, install IAS using the Add/Remove Programs icon in Control Panel.

Once it has been installed, launch it from the Administrative Tools folder on the Start Menu and we’ll proceed with configuring it for authenticating VPN connections to the Firebox.

First, we need to grant IAS permission to read dial-in properties from user accounts in Active Directory.  To do this, right-click the “Internet Authentication Service (Local)” node and select “Register Server in Active Directory”.  Select Yes (or OK) if prompted to confirm.  Note that if IAS was already installed, it may already have been registered with Active Directory as well.

With that done, we can now configure the Firebox as a RADIUS client.  Right-click on RADIUS Clients and select New RADIUS Client.  In the wizard, specify the IP address (or DNS name) of the Firebox’s trusted interface and the shared secret.  This shared secret must match the one entered when the RADIUS server was added in the Firebox earlier.  Both sides use it to validate each other’s RADIUS packets and to protect the credentials carried in them, so make it a long, random value rather than a simple password.

Now create a new remote access policy.  Right-click on Remote Access Policies and select New Remote Access Policy.  In the wizard, specify a name, select to create a custom policy, and then add the following conditions to the policy:

  • NAS-IP-Address:  This will be the IP address of the Firebox’s trusted interface.  This helps to ensure that this policy only applies to VPN requests from this firewall and not from any other RADIUS client.
  • Windows-Groups:  This should be the “pptp_users” security group created earlier.  Any user that should be allowed to authenticate on a VPN connection will need to be a member of this group.

Of course, this policy should grant access.  On the next screen, select “Edit Profile” to edit the remote access profile.  This is important because we’ll need to verify that the RADIUS server is passing the correct information to the Firebox.

On the Advanced tab, remove all the attributes listed there (Service-Type and Framed-Protocol are there by default) and then add the Filter-Id attribute.  To this attribute, add the string value “pptp_users”.  Click OK to save these changes to the profile and then finish creating the policy.

Make this policy the first policy (using the Move Up/Move Down commands in the IAS console), add a user to the group created earlier, and then test your connection.  Remote systems attempting to connect via PPTP should now be able to authenticate the VPN connection using their Active Directory usernames and passwords.
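The exchange the two procedures above set up, as an added example (not the page’s, WatchGuard’s or Microsoft’s code): one side builds the Access-Request the Firebox sends as a RADIUS client, the other side applies the remote access policy (the NAS-IP-Address and Windows-Groups conditions) and answers with an Access-Accept whose only attribute is Filter-Id = “pptp_users”, and the client side then validates the reply with the shared secret before comparing Filter-Id against the group it expects. Packet framing follows RFC 2865. Everything else is an assumption: the addresses, the secret, the user directory and the Firebox’s group check are constructed sample data and modelling, the round trip is an in-process call rather than UDP to port 1645, and the request carries an RFC 2865 User-Password instead of the MS-CHAP attributes a real PPTP session would use.

```python
# Added example (not the page's or the vendors' code): model of the Firebox <-> IAS RADIUS
# exchange framed per RFC 2865. Addresses, secret and the user directory are constructed.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3             # RFC 2865 codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11  # attribute types
SHARED_SECRET = b"constructed-shared-secret"   # configured on both Firebox and IAS
FIREBOX_TRUSTED_IP = "192.168.1.1"             # NAS-IP-Address condition (constructed)
REQUIRED_GROUP = "pptp_users"                  # AD group == Filter-Id == Firebox group
# Constructed stand-in for Active Directory: user -> (password, groups); bob is not in pptp_users
DIRECTORY = {"alice": ("alice-pw", {"Domain Users", "pptp_users"}),
             "bob": ("bob-pw", {"Domain Users"})}

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs; the length byte covers type and length too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        t, ln = struct.unpack("!BB", data[:2])
        if not 2 <= ln <= len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:ln]))
        data = data[ln:]
    return attrs

def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(username, password, nas_ip, ident=1):
    """NAS side: what the Firebox would send to the IAS server."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), request_auth, SHARED_SECRET)),
                          (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def ias_handle(pkt, secret=SHARED_SECRET):
    """Server side: evaluate the remote access policy conditions and build the reply."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    nas_ip = socket.inet_ntoa(a.get(NAS_IP_ADDRESS, b"\x00" * 4))
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), request_auth, secret)
    entry = DIRECTORY.get(user)
    # NAS-IP-Address condition, valid credentials, and Windows-Groups condition must all hold
    granted = (code == ACCESS_REQUEST and nas_ip == FIREBOX_TRUSTED_IP and entry is not None
               and password == entry[0].encode() and REQUIRED_GROUP in entry[1])
    if granted:   # profile carries only Filter-Id = "pptp_users" (Service-Type etc. removed)
        rcode, rattrs = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, REQUIRED_GROUP.encode())])
    else:
        rcode, rattrs = ACCESS_REJECT, b""
    auth = response_authenticator(rcode, ident, rattrs, request_auth, secret)
    return struct.pack("!BBH", rcode, ident, 20 + len(rattrs)) + auth + rattrs

def firebox_login(username, password, nas_ip=FIREBOX_TRUSTED_IP, server_secret=SHARED_SECRET):
    """NAS side: send, verify the reply with our own secret, then check Filter-Id. Returns a status."""
    req = build_access_request(username, password, nas_ip)
    resp = ias_handle(req, server_secret)      # in-process stand-in for the UDP round trip
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, resp[20:], req[4:20], SHARED_SECRET)
    if ident != req[1] or auth != expected:    # a real NAS silently discards such replies
        return "dropped: bad Response Authenticator (shared secret mismatch?)"
    if code != ACCESS_ACCEPT:
        return "rejected by RADIUS"
    if REQUIRED_GROUP not in [v.decode() for t, v in attrs if t == FILTER_ID]:
        return f"accepted but not a member of required group {REQUIRED_GROUP}"
    return "ok"

if __name__ == "__main__":
    for args in [("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "alice-pw", "127.0.0.1")]:
        print(args, "->", firebox_login(*args))
```

Two of the failure modes the example makes visible match what readers report in the comments below: a request whose NAS-IP-Address does not equal the value in the policy condition (several commenters only got a match after removing that condition, and one saw the attribute arrive as 127.0.0.1) is rejected even for a valid user, and a shared-secret mismatch is not a rejection at all but a reply the client discards, so it shows up as a timeout rather than an explicit error.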

UPDATE:  I’ve updated this entry to correct some errors pointed out in the comments.  Thanks for the feedback!


51 comments

  1. paul

    Still having issues even after following your directions to a “tee”. I’ve got a WatchGuard Firebox 1000, running ver. 7.3; ultimately what I can see on the Firebox are errors similar to the following: “username” cannot authenticate because not a member of required group “pptp_users”. I can tell that the login attempt is hitting the RADIUS server behind the firebox, but this is where I’m stuck; any ideas?

  2. slowe

    Paul: There are some errors in the post, evidently–sorry about that. You’ll need to create a group called “pptp_users” (the same name specified in the Filter-Id attribute on the IAS server) and place the users into that group. Once the users are placed into that group, then it should work as expected. Please respond to me to let me know if that works, and I’ll correct the post accordingly.

  3. paul

    I had assumed that and re-config’ed again per your amended instructions just to be sure. I have a group in AD now called pptp_users; it is also the Filter-Id attrib. on my IAS server. Still getting the same error: “username” (in this case my username) is not a member of required group pptp_users. pptp_users is a default group set up when you turn on remote user on the Firebox, but if it works the way I thought, this should only matter if we were using the Firebox to authenticate. There’s no way to remove pptp_users from the Firebox; it won’t allow you to. In a desperate attempt, I added “username” to the pptp_users group on the Firebox as well, same error message. This seems to only occur when we have the RADIUS set up to authenticate; if I switch things back to the Firebox authentication, no errors.

  4. slowe

    You should make sure that the users that are trying to authenticate to the Firebox are a member of the Active Directory group called pptp_users. I know it seems odd, but membership in this group is required even if the Firebox is not the one handling authentication.

  5. paul

    As it sits, I am only testing with one user and that user is a member of the AD group pptp_users. If I understand correctly, I am trying to authenticate to the RADIUS server and not the Firebox, and even though it hasn’t made a difference, the user I am working with is a member now of both the AD group pptp_users and the Firebox group pptp_users.

  6. slowe

    Paul, have a look at your IAS logs and/or Event Viewer and see if any additional information is being logged. If the pptp_users group exists in AD, and the user is a member of pptp_users, and pptp_users is specified in the Filter-Id attribute, then that part is correct–but we could have a configuration issue with the IAS server that is causing a different problem. The IAS and event logs should give us more information to use in troubleshooting the issue. If you’d like, we can just transfer this conversation to e-mail. My e-mail is scott dot lowe at scottlowe dot org.

  7. paul

    Thanks for your help... good news, the problem seemed to be a combination of a couple of problems. For starters I had to delete the default remote access policies created during install of IAS; I think by default there was a deny access policy causing an issue. Anyway, I didn’t go too in depth, only to figure out that deleting those 2 default policies helped. Next I was able to figure out from the IAS log files and the iasparse tool that comes with 2003 support tools that my login attempts were not “matching” any remote policies, so the first thing I did was delete the NAS IP ADDRESS out of the one created from your instructions. That worked!

  8. slowe

    I’m glad you got it to work, Paul.

  9. Pete

    Thanks, great article. Helped me fix my Radius Auth issue.

  10. Jane

    Hello, and I hope you could help us out here. We have a Firebox 1000 that was sold to us by a prior IT vendor who we no longer are contracted with. They have refused to provide us the admin username and password to the console and we need to change the password to block their access. We believe there is a security breach. I’m having no luck with WatchGuard answering my request. Anyone know how to get at this from the admin account on the server to change the information and start fresh without the prior vendor having access?

  11. slowe

    Jane,

    Just re-image your firewall from scratch using the blue serial cable, a crossover cable, and the WatchGuard software. That will allow you to specify new passphrases and you can still load up your old rules configuration after you’re done. There should be plenty of information out there on exactly how this is done.

    Best of luck,
    Scott

  12. Andy

    Thanks for this info it has REALLY helped me out. I was banging my head against the wall trying to work out why my users couldn’t authenticate even though they were in the pptp_users group. It never occurred to me that the group had to be in Active Directory not the one in the firebox!! Although even if I had got that bit I probably would have struggled with the IAS configuration.

    Thanks again.

    Andy

  13. slowe

    Andy,

    I’m glad you found the information helpful.

    Scott

  14. seb

    Hi, we have a WatchGuard 700. We are having a few issues: when some people connect by VPN they cannot access the network, while others work fine. They seem to be OK coming through the firewall. Doing a ping, the traffic monitor shows it allowing pings in and out to the PC, but somewhere at the PC it’s not allowing it, and this is with the firewall turned off. Anyone know why this might be happening?

  15. slowe

    Seb,

    You may want to double-check the users’ DNS and WINS settings; these can greatly affect connectivity to the corporate network behind the firewall.

    Scott

  16. john

    Outstanding information. Solved the problem…..

  17. JohnB

    Slowe,

    Great information. Still not working for me yet. Is the trusted IP of the Firebox interface the actual IP of the Firebox or the server that I run the WatchGuard System Manager on?

  18. slowe

    JohnB,

    The “trusted IP” is the internal IP address assigned to the Firebox itself. If you have configured your Firebox in routed mode, it will be the IP address on the internal (trusted) interface. If you’ve configured your Firebox in drop-in mode, it will typically be one of the additional private IP addresses associated with the Firebox. In either case, this will usually be the same as the default gateway for your systems on the LAN.

  19. JohnB

    OK, that is what I thought. Tried that but still did not work for me. I’m not sure what the issue might be. I do see some errors regarding spoofing when I try to connect to the firewall but not sure if that is from my connection or something else.

  20. slowe

    JohnB,

    It may be that you are trying to use IP addresses outside the Firebox that are already assigned inside (behind) the Firebox, and therefore the Firebox thinks that the addresses are spoofed. Double-check your configs, and verify that you aren’t inadvertently creating a situation where the Firebox could think addresses are spoofed. Also verify your “Blocked Sites” setting to ensure that none of your IP address ranges are included in the default list of blocked sites.

  21. JJ

    Hi slowe,
    great blog I really like it!
    I also have problems with our VPN except that I try to use NT Authentication.
    We have a Firebox III 700 with MUVPN 7.3 and win2000 native domain with AD.

    I configured everything properly and when I use it with users created in firebox it works fine, the connection is up and running. After authenticating with firebox I can log on to our domain.
    But when I tried to use NT Authentication to make things easier and avoid double logon to our domain it always failed with authentication problems.
    Our NT Auth. Server is one of our domain controllers.
    Of course Watchguard is helpless they keep directing me to Microsoft knowledge base websites and I’ve run out of ideas…
    I tried to create a global security group in AD as well with the same name as our mobile user vpn group called in the firebox but that didn’t help either…
    If you need more details just let me know please.
    I would appreciate if you could help me with this.
    Thanks,
    JJ

  22. slowe

    JJ,

    Honestly, I’ve never experimented with NT Authentication on the Firebox; I’ve only used RADIUS. Further, the only development tool I had–an old Firebox II–finally died and I haven’t been able to resurrect it yet. Sorry!

  23. Derek

    I have the same problem JJ has encountered.

    We have a Firebox X700 and the Management Software is running on our Domain Controller – Windows 2003 SBS. Client is MUVPN 7.3

    I have all our remote users setup w/ firebox authentication and it works perfectly fine.

    Then trying to setup NT Authentication, I create a groupname called “vpnusers” and create that same group name in AD w/ the users that need access.

    Then when I attempt to connect w/ that profile, it is unable to authenticate.

    If anyone runs into a solution, please let me know as this is pretty frustrating – I’ve had the same problem w/ support as JJ. E-mail me at dkromm at swirnow dot com if you have any advice.

    I’d rather not have to setup an intermediary authentication service if it can be avoided.

    Thanks,
    Derek

  24. DaveLChgo

    Jane – Not sure if you still have the issue of needing the admin password to your firebox. The only way I know of to stop an old IT company who wont give you the admin passwords from coming in at will is to reset the firebox. On the 10e through 55e it works this way…

    *** CAUTION ***
    This will wipe out all of your settings on the firebox and set them to factory defaults.

    1 Unplug power from firebox.
    2 Push and Hold reset button.
    3 Plugin power to firebox.
    4 Wait for red light to come on and go off.
    5 Release reset button.
    6 Unplug power.
    7 Plugin power.

    Now I’m doing this from memory so steps 4 and 5 might be….
    4 Wait for red light to come on.
    5 Release reset button and wait for red light to go off.

    Hope this helps.

  25. Jonathan

    I had a network “expert” in to setup a VPN on my Firebox 500. He banged on it for 2 days and couldn’t get it to work. His “solution” was a $1600 upgrade to equipment he was familiar with. I came across this article and 4 hours later, I had a fully functional VPN.

    I ran into the same problems Paul did (see above). Not sure why we had to remove the NAS-IP-ADDRESS policy, but that was definitely preventing the policy from matching the request, even though I had the correct IP there. Just glad it worked! I am so grateful you guys figured all this out ;)

    Thanks for posting Scott!!

  26. Kris

    Nice work on this post.
    I was left clueless and confused after the manual on 9.1. This banged me through most of it, plus I’ve set up IAS numerous times. 9.1 has a little different configs (to be expected) as in ‘PPTP-Users’ group name and IPsec passthrough has to be enabled on the Firebox.
    There’s nowhere I can see for policies on this “RUVPN” stuff though. At least I can access my servers from home and get denied when I go to search the web (for now).
    Thanks, much appreciated!

  27. mark

    I am also having an issue getting a PPTP VPN to work authenticating to IAS.

    I’m getting the below failure in IAS (System log)

    Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

    Anyone got any ideas?

    Thanks

    Mark

  28. mark

    Further to my previous note, the user is part of the pptp_users group, and also has the account option “Store password using reversible encryption” ticked.

    thanks

    Mark

  29. slowe

    Mark,

    Be aware that you have to reset the password after checking the “Store passwords using reversible encryption” option. Otherwise, it has no effect.

  30. Jeffrey

    Scott,

    We have an X500 Firebox on a Windows 2003 domain. I have followed your instructions, sans the NAS-IP-ADDRESS policy that a couple of posters also removed. I can connect. It authenticates and establishes the connection. Now what? I can’t browse any of the network. Is there some client-side configuration that needs to be set for the system to use the VPN tunnel and “see” the network? Thanks in advance. Jeffrey Mors

  31. slowe

    Jeffrey,

    You do need to make sure that you have a rule that allows all traffic from pptp_users to trusted (and vice versa). Otherwise, the VPN users are subject to the same rules as all other traffic.

    Good luck!

  32. Jeff

    Hi all, I have followed the directions to a tee as well. However, no matter how I set up my Firebox (X1000) running 7.5, I get errors and cannot connect at all; it just sits at verifying username and password and then I get kicked off. Any ideas? Any would be a great help.

    Thanks,
    Jeff

  33. Timmy

    Where can I see the error log? I have followed those steps, but still can’t connect.

  34. Richard

    Been trying to get a new FireboxX550e PPTP VPN working with a Win 2003 IAS RADIUS server. The old Firebox III/1000 PPTP VPN is working fine. I added my user account to Active Directory groups named pptp users, pptp_users and PPTP-Users, added these groups to the Remote Access Policy condition of IAS to the Profile Filter-Id string passed back to the Firebox. I created Firebox Policies to allow all these groups inbound access to any Any-trusted and outbound access to Any-trusted on the PPTP protocol.

    What’s weird is that the IAS server report that I have authenticated successfully, yet the XP client gets an “Error 691 Access was denied because the username and/or password was invalid on the domain.”

    Watchguard support has been no help on this one. Any ideas?

  35. Chad

    OK,
    I have followed the instructions and I can verify that the RADIUS is being accepted and that it is sending the accept back to the Firebox. I’m using an X550e (no firewire).
    When I try to connect, it authenticates, and starts “registering computer on the network” and then dumps out. On the FB log it simply states “ppp connection down for username”. I have the username in the pptp_users group in AD, and set the policies as in this blog. One other thing: the NAS-IP-ADDRESS is showing up as 127.0.0.1, but I did remove it from the policy as others have. Also, I have set reversible encryption enabled.
    I have an any policy for PPTP-Users (RADIUS) set and this is an automatically created group in the FB. A little different than pptp_users, but I tried both AD groups as PPTP-Users and pptp_users.

    any ideas?

    thanks

  36. Kevin

    I am having the same EXACT issue as Chad above!

  37. Ronnie

    Chad and Kevin, I had the same issue. Go back and edit the profile for the remote access policy you created (where you set the filter-ID in the instructions above.) Click the Encryption tab and remove the check beside “No encryption”. (I personally only leave Strongest checked.)

    That should fix it.

  38. Chris

    Hi guys, we have received a WatchGuard Firebox 1000 firewall from one of our customers and we need to get into it. We have no software for it and no way of knowing what the IP address is etc. Is there a way to get into the Firebox to use it, set it up without the software for it?

    If so how do we set it to factory defaults so we can access it and if so what are the factory default settings?

    Cheers

    Chris

  39. slowe

    Chris,

    The only thing that I can suggest is hooking up the blue serial cable–one is supposed to come with the Firebox–and running through the initial setup wizard again. It’s been quite a while since I did this, but if I recall correctly you should be able to install a new flash image, with new passwords, onto the firewall using this procedure.

    Good luck!

  40. Harry

    Hi Scott,

    I keep getting an error message on the WatchGuard Mobile VPN client which is echoed in the event viewer. It keeps telling me that I am using the wrong username or password. I am using the correct name and password as added in the pptp_users security group on AD. When playing with different usernames I also get this message in the event viewer:

    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

    Please can you help. I feel I am almost there but I am not convinced I have set up the wgx file correctly.

    Thanks

  41. slowe

    Harry,

    Looks like your Remote Access policy isn’t configured for the right authentication method. With PPTP, you’ll want to be sure that MS-CHAP and MS-CHAP v2 are enabled in the profile for the policy, and uncheck any other authentication types. I’m not sure what authentication type the Mobile VPN client uses.

    Hope this helps!

  42. Harry

    Hi Scott

    I was able to resolve the problem by taking out the NAS-IP-Address condition from the policy.

    Authentication works well but I am having trouble accessing or even pinging anything including the DC that logged me on! I think this may be down to me being a complete novice at this as opposed to anything else!

    Thanks

  43. Talrude

    Wanted to add.

    I wanted to add more. (I have a 1000.)
    You must have the Management Software installed.

    Connect directly to the Trusted port using a crossover cable with a static IP of 192.168.253.xxx, not .1.

    1. Unplug power from firebox.
    2. Push and hold reset button.
    3. Plug in power to firebox.
    4. Wait for red light and flashing triangle.
    5. Use the Quick Setup Wizard to re-configure the unit. Default IP 192.168.253.1
    6. Default password will be shown during setup and you will get to change it.
    7. Change your IP range accordingly if you change Trusted network IP settings. (DHCP is not enabled by default)
    8. Use Policy Manager to configure firewall.
    9. Expect reboots and 4 min down time for reboots. (I counted it on my 1000)

    There is a Student manual floating around out there. Get it! it helps.

    ************************************************
    DaveLChgo said:
    *** CAUTION ***
    This will wipe out all of your settings on the firebox and set them to factory defaults.

    1 Unplug power from firebox.
    2 Push and Hold reset button.
    3 Plugin power to firebox.
    4 Wait for red light to come on and go off.
    5 Release reset button.
    6 Unplug power.
    7 Plugin power.

    Now I’m doing this from memory so steps 4 and 5 might be….
    4 Wait for red light to come on.
    5 Release reset button and wait for red light to go off.

    Hope this helps.

  44. elim

    For some reason I am getting error 778 “cannot verify the identity of the server” when connecting via VPN. Any ideas?

  45. elim

    Sorry, I believe the exact phrase was “It was not possible to verify the identity of the server.”

  46. Chris

    I can connect using the above but I cannot talk to the network; I can’t ping the servers and the servers can’t ping me. Using a V500 with 7.5. Any ideas?

  47. Chris

    from the traffic monitor I receive firewalld deny in pptp0 and deny out pptp0. I’ve created a rule but still missing something.

  48. Damian

    We have a customer with a Firebox running version 10. They have VPNs set up and it works; the issue is that the remote user cannot access their local network when they have the VPN up. I know most VPN solutions allow you to regulate this. The user cannot even use her USB printer. Everything else seems to work okay. Any suggestions?

  49. Chris

    Do you have specific steps that you can post on setting up the inbound and outbound rule for the vpn traffic? thanks, chris.

  50. kryptonet

    I just got a new client who has a Firebox Edge X WatchGuard. I was trying to configure it for remote management or administration. I guess if you just set up the VPN it will allow you to manage it from the inside because you have an IP assigned through the VPN. Does that sound right?
    Thanks

