This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Internal groups couldn't be fully managed.

Hi all!

We have got XG 135 w with SFOS 17.1.3 MR-3. After creating internal groups under authentication section I realized that I can create groups and add users into them but there is no option to exclude users from groups and hence I can't delete the groups themselves. Just for information: users were added to Sophos via RADIUS as far as previously I configured RADIUS (Windows NPS) as auth source.

I will appreciate any help with this issue.

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 7 years ago

You have to delete the group from the rules it is used in, then you can delete the group. Think that is what you are trying to achieve?

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 7 years ago

You have to delete the group from the rules it is used in, then you can delete the group. Think that is what you are trying to achieve?

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Maxim Grechikhin over 7 years ago in reply to rfcat_vk

Thank you for suggestion, but these groups have not been used anywhere anymore. The deletion attempt gives an error message: Group could not be deleted. User exists in the Group
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 7 years ago in reply to Maxim Grechikhin

Seems like the user is already in some kind of configuration.

Every user gets a group as primary group in XG. So check the group name of the user and check, whether you use this group already in the modules (like WAF, SSL VPN etc.)

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim Grechikhin over 7 years ago in reply to LuCar Toni

Hi ManBearPig,

Seems like I did'nt clear explained the problem, that is my bad. So the root cause of the issue that I can't exclude users which I have added into my custom group that I created earlier by myself. There is no such option or particular button like in the section for managing L2TP users.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 7 years ago in reply to Maxim Grechikhin

I understand, you have a self created group with couple of user in it and want to remove certain users - correct?

Do you use this group already anywhere? Web Proxy, SSL VPN, L2TP, IPsec, WAF, Anywhere?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim Grechikhin over 7 years ago in reply to LuCar Toni

manbearpig said:

I understand, you have a self created group with couple of user in it and want to remove certain users - correct?

Do you use this group already anywhere? Web Proxy, SSL VPN, L2TP, IPsec, WAF, Anywhere?

No I do not. Is not it looks weird for you that there is no "delete" button under group management dialog? I mean that there is no button to delete a user from group.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 7 years ago in reply to Maxim Grechikhin

Can you post some screenshots of your config?

Or dig deeper in the logs while trying to delete the group.

applog.log should be fine for this.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim Grechikhin over 7 years ago in reply to LuCar Toni
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim Grechikhin over 7 years ago in reply to LuCar Toni

I found a solution... But I wouldn't say it is an expected way of managing users and groups. I realized that by Sophos ideology the user can participate just in one of the groups (and this killed me swiftly). So I added participants to the other group and that emptied my custom group and allowed me to delete the group. But I am still wondering why developers have chosen so an extraordinary way instead of creating "delete user" button with moving user to a default "Open group"?!
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 7 years ago in reply to Maxim Grechikhin

This KBA take care about the Group Membership of XG.

https://community.sophos.com/kb/en-us/123161

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Maxim Grechikhin over 7 years ago in reply to LuCar Toni

In my case I use RADIUS as auth source because of another IPSEC/L2TP VPN limitation. And for proper user groups management I have to add AD to auth source as well. Oh my.. Sophos devs make control shoot into already dead customers after knee self shooting.
Cancel
Vote Up 0 Vote Down

Cancel