
TACACS Authentication - Webadmin Login limitations

Hi

We are running a centralized TACACS+ Infrastructure, which we use for admin login to our customer network devices.

This works perfectly for Sophos UTMs, Cisco ASA, Cisco switches, routers and almost all TACACS+ capable devices, but not with Sophos XG.

On the XG we've added the TACACS+ server, tested the connection and set the administrator authentication methods so that it authenticates users against the TACACS+ servers.

The problem is that the XG prevents unknown TACACS+ users from logging in to the Webadmin, although it does reach out to the TACACS+ server and a permit is sent back.

After troubleshooting I found out that the problem is that when the user connects to the Webadmin for the first time it only has the "user" privilege level and is therefore not allowed to log in, nor is it created locally.

The only way to achieve admin login via TACACS+ is:

  • Log in via the User Portal with TACACS+ credentials, so that the user is created locally
  • Manually assign an Administrator Profile to the TACACS+ user
  • Manually set the User Type to Administrator

Unfortunately this is not very scalable and not very dynamic.

On the UTM, as soon as you add an external TACACS+ server there is a group object "TACACS+ User" which you can link directly to Webadmin login. This way TACACS+ users don't need to be created on the firewall first, only if they need additional services like SSL VPN etc.

I totally understand that the XG has a different approach in how it treats users, roles and groups, and that is good, but it would be nice to have the ability to somehow let TACACS+ users log in directly to the Webadmin. E.g.:

  • Ability to create a group for TACACS+ users and automatically assign admin privileges to new TACACS+ users
  • Ability to pre-create "TACACS+" type users via CSV import or SFM.

Btw. As far as I can tell, the same issue happens with RADIUS.

Open for any comments.

Cheers
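The post says the XG "does reach out to the TACACS+ server and a permit is sent back". The script below is an added example for this thread (not code from Sophos and not a real TACACS+ server) that shows what that exchange looks like on the wire per RFC 8907: a PAP authentication START from the device, the MD5-chained body obfuscation keyed with the shared secret, and the REPLY whose status byte is the "permit". The shared key, user names, session ID, the "webadmin" port string and the 192.0.2.10 address are constructed for the demonstration.

```python
"""TACACS+ (RFC 8907) PAP authentication START / REPLY encoder and decoder.
Added example, not Sophos or TACACS+ server code; all data below is constructed."""
import hashlib
import struct

# Values from RFC 8907
VERSION_PAP = 0xC1          # major 0xC, minor 1 (PAP requires minor version 1)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01     # body sent in clear; debugging only, never in production
ACTION_LOGIN = 0x01
PRIV_LVL_MAX = 0x0F
AUTHEN_TYPE_PAP = 0x02
AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS = 0x01
STATUS_FAIL = 0x02

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

# Constructed test data (not real credentials)
KEY = b"example-shared-secret"
USERS = {"sysadmin": "correct horse battery staple"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream that obfuscates the body."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pseudo pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, key, session_id, seq_no, version=VERSION_PAP):
    header = HEADER.pack(version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def build_authen_start(user, password, key, session_id,
                       port=b"webadmin", rem_addr=b"192.0.2.10"):
    """Device (NAS) side: PAP login START, seq_no 1, asking for priv level 15."""
    u, d = user.encode(), password.encode()
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_MAX, AUTHEN_TYPE_PAP,
                       AUTHEN_SVC_LOGIN, len(u), len(port), len(rem_addr), len(d))
    return build_packet(body + u + port + rem_addr + d, key, session_id, seq_no=1)


def parse_authen_start(packet, key):
    body = parse_packet(packet, key)["body"]
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    return {"action": action, "priv_lvl": priv, "authen_type": atype,
            "user": fields[0].decode(), "port": fields[1],
            "rem_addr": fields[2], "password": fields[3].decode()}


def build_authen_reply(status, server_msg, key, session_id):
    """Server side: REPLY, seq_no 2. Only a status and a message come back."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return build_packet(body, key, session_id, seq_no=2)


def parse_authen_reply(packet, key):
    pkt = parse_packet(packet, key)
    status, flags, msg_len, data_len = struct.unpack("!BBHH", pkt["body"][:6])
    msg = pkt["body"][6:6 + msg_len]
    return {"status": status, "server_msg": msg.decode(errors="replace"),
            "seq_no": pkt["seq_no"]}


def simulate_exchange(user, password, key, session_id, users=USERS):
    """Constructed TACACS+ server: PASS only if (user, password) is in `users`."""
    start = parse_authen_start(build_authen_start(user, password, key, session_id), key)
    if start["authen_type"] == AUTHEN_TYPE_PAP and users.get(start["user"]) == start["password"]:
        reply = build_authen_reply(STATUS_PASS, b"permit", key, session_id)
    else:
        reply = build_authen_reply(STATUS_FAIL, b"deny", key, session_id)
    return parse_authen_reply(reply, key)


if __name__ == "__main__":
    sid = 0x1234ABCD
    print(simulate_exchange("sysadmin", USERS["sysadmin"], KEY, sid))   # status 1 = PASS
    print(simulate_exchange("sysadmin", "wrong", KEY, sid))             # status 2 = FAIL
    # A key mismatch does not fail cleanly: the body just decodes to garbage.
    bad = parse_authen_reply(build_authen_reply(STATUS_PASS, b"permit", KEY, sid), b"other-key")
    print("status seen with wrong key:", bad["status"])
```

Two things worth noting from the code: the authentication REPLY carries only a status byte and a message, so any group or role information for the user has to come from a separate TACACS+ authorization exchange or from configuration on the device itself; and because the body is XOR-obfuscated with an MD5 keystream rather than authenticated, a wrong shared key yields a garbage status rather than a clean error, which is why "test connection" checks matter before relying on the permit.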

  • Hello Samuel,

    Unfortunately, the behavior is to get the local user/profile created and assign that to the administrator role. Now if you have predefined administrator logins, i.e. helpdesk@sysadmin.com etc., you can upload the list using an Excel sheet or create a user manually and assign the role, so that the user would not experience the issue the first time (this may leave an isolated user not associated with ADS).

    Secondly, you can ask them to open <LAN IP of XG:8090> and a captive portal will pop up. Ask them to enter the credentials and, once authenticated, the user profile is available on XG.

    We would, however, encourage you to open a feature request for the same and please explain the scenario with the reason for this feature at https://ideas.sophos.com/forums/330219-xg-firewall

  • Hi Aditya

    Thank you for your answer.

    The point here is that you cannot create "backend authenticated" users manually or via Excel. You can only create "locally authenticated" users.

    But if you create a user manually or via Excel, it will never authenticate against another backend.

    The problem here is that the XG lacks a setting to "authenticate this user remotely". The only way to create "backend users" is to let them log in via the User Portal once.

    I also tried to export a TACACS+ user via CSV, but it only supports exporting local users; not even AD-synced users show up.

    "Secondly, you can ask them to open <LAN IP of XG:8090> and a captive portal will pop up. Ask them to enter the credentials and when authenticated the user profile is now available on XG."

    This is more or less the same as the User Portal and requires manual steps after the user is created. But since we use it for remote admin login, the captive portal is not an option.
