V17.5 user sync with Sophos Central EDR EAP no users listed in live users view?

Hi john_kenny 

For context, have you already configured the following on your firewall?

• Sophos XG Firewall: How to enable Security Heartbeat and Central Management

Also for reference:

• Sophos XG Firewall: How Synchronized User ID authentication works
• [Sync Sec] Important announcement on Synchronized Security Features on XG v17.5 Early Access

Regards,

Yes ive followed all the documentation i could find on the matter, from what i gather i should see usernames under the Live users view shouldnt I?  They should be sent from the Central Endpoint right?  From what i read i assumed that i should see the usernames there whether Ive got my XG linked to AD or not because Endpoint sends a username, is that right?  

Also I know XG and Central is sending some kinda usernames from my logs: -

Ive tried to add a user matching what i use to logon with but it didnt seem to work, i still get failed errors.

Should i see that user in the live users view if it fails or not??

See i cant add AD to my XG as i logon with AzureAD, but from those logs i assumed i could use local users on my XG but obviously not?

Thanks for your reply,

JK

Although I am yet to see any sign of 'Live Users', I can confirm a couple of things.

If I use the firewall rule and turn on match Known users with show portal to unknown users, then use a web browser from Endpoint, I am offered the login.

If I deliberate enter wrong password it fails (as expected) and AD server informs me of failed login, so I know AD side is working. But, as you say, when you login, within authentication log, it does show the user in the format of name@domain and not the user name you used. For me, it does not recognise domain\user, I just have to enter a domain user name without the domain.

The reason for this behavior, you will find here:

https://community.sophos.com/products/xg-firewall/f/authentication/109490/user-creation-from-portal-creates-a-user-account-with-email-addresse-name-containing-blanks/391924#pi2151=1

I am advised that Security Heartbeat is picking up the user, but not the domain!

For this particular Endpoint, it is a virtual machine and I am running MSTSC to connect to it. Once connected (using domain\user) and go to cmd prompt and run set, it clearly shows both the domain and user name correctly.

Any ideas?

Hi Paul,

True it will look for user details.  In order to acheive this settings the following conditions must be met..

1. The Sophos Central Account must be linked to Sophos XG firewall.

2. The XG firewall must be connected to the domain controller for authentication.

3. The Users in the Central must have the same Profile. e.g. In the Central account if the user Domain/Username instead of Normal User then their profile must contain the Email address .

4. Same Can be said on the local users on Sophos XG , use the Email address same as mentioned in the Central Profile.

On the Endpoint you may check the username on the Sophos Endpoint UI> About > Run Diagnostics tool. > System

I can confirm 1-4 above are correct.

I can also confirm checking (Sophos Endpoint UI> About > Run Diagnostics tool. > System) it indeed confirms both the domain\username


But still not show in Live Users


The Sophos Support engineer (with case [#8526233]) has highlighted that the Heartbeat does not include the domain name when it receives info


2019-01-02 17:36:26 DEBUG HBSession.cpp[2758]:176 handleHeartbeatRequest - Received login request with id 147
2019-01-02 17:36:26 DEBUG LoginRequestHandler.cpp[2758]:71 handleExtendedRequest - Ignoring login from local user in ModuleLogin: domain field in LoginRequest is empty

Just took a quick look into this case. You never mentioned before, you are using only VM´s with RDP connected to them. So i tried to reproduce this issue with a VM and only RDP to this. But my Client is shown under Live User. 

Client is 2.2.2 Core agent. 

.local Domain. 

Still not sure, what is happening in your case, so i would recommend to debug this with Sophos Support. 

A quick update on this.

I was asked by Sophos Support to try using LDAP instead of AD. Although this also failed, for the first time, there was an entry in the Authentication Log, to confirm failure.

Unlike when I login with Captive Portal for same user, it records the UPN login, the failure with LDAP shows just the bit before the @

So, I guess its a bit pf progress, although am told now LDAP will not work.

I have success!!!


So this is what I did precisely


1) Tested with LDAP - failed
2) Re-installed Endpoint
3) Tested with LDAP - failed
4) Change back to AD for authentication
5) Deleted the user (have done this a few times before)
6) Logged in once more and after a few minutes - success

So, I guess a combination of re-installing Endpoint, removing user and changing back from LDAP to AS authentication seems to have resolved the problem. Not conclusive, but hopefully helps someone.

Continue to test repeatedly and will post results here

Least you do have it working now, I did suggest you try starting out fresh where your Authentication on XG is setup.  But like the saying goes if its not broke dont change it (well along those lines i think it goes)  As to the part about it not working WITH LDAP i think that needs to be reworked on the KB article as thats how i got my Heartbeat Auth to work wasnt it,  As long as its LDAP on an AD DC it works.

I know its been said here already that you dont need Sophos Central AD Sync in place for it too work but i found it definitely helped having that in place to start with.  It mean i was pretty sure i had my UPN's setup right.

But congrats, on persevering.

Hello Paul Digby and Michal Bartos,

maybe I know where could be the problem with your Authentication. We have verified that sAMAccountName and UPN in Microsoft Active Directory have to be identical to make a login and  Authentication successful.

Could you please check in your Microsoft Active Directory in User properties  - Attribute Editor. Should be enabled Advanced Features in View submenu and in the Attribute Editor two Filters - "Show only attributes that have values" and "Show only writtable attributes". At the first screen are the sAMAccountName and the UPN the same and an Authentication is successful. At the second screen are the sAMAccountName and the UPN different and an Authentication is unsuccessful.

Thank you in advance and regards

alda

Hello Paul Digby and Michal Bartos,

maybe I know where could be the problem with your Authentication. We have verified that sAMAccountName and UPN in Microsoft Active Directory have to be identical to make a login and  Authentication successful.

Could you please check in your Microsoft Active Directory in User properties  - Attribute Editor. Should be enabled Advanced Features in View submenu and in the Attribute Editor two Filters - "Show only attributes that have values" and "Show only writtable attributes". At the first screen are the sAMAccountName and the UPN the same and an Authentication is successful. At the second screen are the sAMAccountName and the UPN different and an Authentication is unsuccessful.

Thank you in advance and regards

alda

For me, this is working now, I believe after re-installation of Endpoint.

I can confirm that sAMAccountName is the same as UPN as you show in image above on the left. So my experience does not confirm your suspicion, but I think that you are correct.

Hello,

My sAMAccountName and username part of UPN are identical.

I've found out, our problem is with the suffix part of UPN, because we have two.

Thanks.