Is it possible to authenticate to any of the Firebox VPN options using a Microsoft Entra ID and the Microsoft MFA?
I want to do this:
User initiates VPN connection
User is asked to authenticate using their Microsoft Entra credentials including MFA using Microsoft Authenticator
If authentication succeeds, VPN access is allowed
User does their work
User disconnects VPN
Is this possible? Our MSP is building something using Authpoint which seems to require users to install an additional Watchguard MFA app, which just makes things more complex to deploy and support. I’m not sure this is really necessary, but I haven’t been able to find a clear answer in the docs.
Unfortunately NPS + MFA extension is your only option.
Mind that if you are going to use the Windows IKEv2 client, you can’t leverage number matching or OTP (not supported on the Windows client).
Watchguard has been saying they will eventually offer SAML for VPN authentication at some point. I’ve heard “before the end of 2024” at one point. But it doesn’t seem to be a priority for them.
Do I need to set up an NPS server somewhere (Azure?) to do this? The documentation seems to assume I just have one lying around…
If there is a way that doesn’t require me setting up any new infrastructure, that would be ideal. Next best, I can set up infrastructure in the cloud. I really don’t want to set up anything new on-prem.
When you say Authpoint is easy, does it definitely require its own MFA solution? It’s mostly the distribution of yet another tool to users that I want to avoid. We just rolled out MS Authenticator to everyone, and to follow up with another MFA app so soon after is
Microsoft suggests that using SAML authentication for the VPN is better than NPS/RADIUS as it can then apply Conditional Access rules etc. That would be the best, but it isn’t clear if Authpoint can apply that authentication to Firebox VPNs. I’m not sure if that is because it cannot work, or if Watchguard just haven’t written the documentation for it yet.