TACACS Authentication - Webadmin Login limitations

Hello Samuel,

Unfortunately, the behavior is to get the local user/profile created and assign that to the administrator role. Now if you have predefined administrator login i.e. helpdesk@sysadmin.com etc you can upload the list using excel sheet or create a user manually and assign the role so that the user would not experience the issue for the first time(this may have an isolated user not associated with ADS).

Secondly, you can ask them to open <LAN IP of XG:8090> and a captive portal will pop up. Ask them to enter the credentials and when authenticated the user profile is now available on XG.

We would, however, encourage you to open a feature request for the same and please explain the scenario with the reason for this feature at https://ideas.sophos.com/forums/330219-xg-firewall

Hi Aditya

I just want to update this thread which some background information. Today I found out, that this feature is already implemented in Sophos SFM, as you can see in the attached image.

Since there is already code-base for this feature, I can imagine that it's not big of a deal to port this over to XG firewalls. 

It's really a pain in the neck if you can not pre configure Admin if any type (AD, tacacs, radius). I'm currently staging 74 firewalls and the only way to achieve this, is by restore them from a backup which includes those AD users....   But there is no way to add additional Admin users later, even not by provisioning them via SFM or Rest API

Hi,

you might want to upgrade to v17.5.8 mr-8 to see if any additional features have been added.

Ian

Hi Ian

Unfortunately, this function was not added in 17.5.8

I tested with HW-17.5.8_MR-8-539.iso, which i received directly from sophos.

cheers 

fun fact, i reverse engineered the difference between local users and external users in the XG psql database.

The only visible difference is literally the password, which contains a hash for localusers and the "username" for external users.

Yes, Password = Username for external Users.

luckily you can not login with this password, after the user was authenticated against an external authentication server once. 

furthermore, I found out, that you can pre-create Admin users and set any password you want, like "ihferoiç"*ç"FEçfe4g4etç".  The user will automatically convert to "external" after it successfully authenticates the first time with his external password (AD, Tacacs) against an external authentication server and the local password won't work afterward.

fun fact, i reverse engineered the difference between local users and external users in the XG psql database.

The only visible difference is literally the password, which contains a hash for localusers and the "username" for external users.

Yes, Password = Username for external Users.

luckily you can not login with this password, after the user was authenticated against an external authentication server once. 

furthermore, I found out, that you can pre-create Admin users and set any password you want, like "ihferoiç"*ç"FEçfe4g4etç".  The user will automatically convert to "external" after it successfully authenticates the first time with his external password (AD, Tacacs) against an external authentication server and the local password won't work afterward.

So I managed to get the Sophos XG (FW 17.5.9 MR9) Webadmin login page to work with Tacacs+ using tacgui application on ubuntu 18.04.

to make it work I just simply create a sub-interface on sophos within the same network as the Tacacs+ server, and add the Sophos sub-interface IP Address as the client device on Tacacs+.

or you can do packet sniffing on Tacacs server to check which IP Address is requesting the auth mechanism, then you can add that IP into the client device list on Tacacs+.

lastly, make sure to drag the tacacs+ server on top of local on Authentication => Services to make sure the auth first priority is using tacacs+.

this is how it looks on sophos log:

"User **** logged in successfully to Web Admin Console through TACACS+ authentication mechanism"

Hi Randy

Thanks for detailed solution guide. makes sense, that the sophos takes the (sub-)interface, which is in the same subnet as the server, since there is no option on the firewall to configure the source Interface. I assume it will always take the outgoing interfaced, which is the closest to the destionation as source.

just for clarification. In our case it wasn't a problem to get tacacs to work, we literally use tacacs for thousands of network devices and for almost a hundred UTM/XG firewalls.  The problem is, that unlike it was on UTM,  you have to create the users first on the XG before they can login to the admin webinterface.

although there is a mechanism to automatically create the users, when they login to the user portal, the XG will assign them user role. It needs an admin to change the role from user to admin.   

It is not really a problem related to tacacs, it's more of limitation of how the firewall handlest external user authentication.  Same problem with AD/ldap/radius.

Hi Randy,

Would this ^^ also work if the tacgui is located at the remote end of VPN tunnel ?

if so, Please can you suggest the steps?

my tacacs+ server ip is 10.40.40.4 and sophos xg is having a IPsec tunnel interface with Cisco CSR. 

A windows client on LAN side of sophos is able to ssh to Cisco CSR authenticating from tacacs+ . I'm unsure how to get sophos authenticated through tacacs+.

appreciate your support in this please.

Thanks.

Hi Samuel,

Is my understanding correct that for XG to work with tacacs+ , a user needs to be created on XG FW as well?

In my previous reply to Randy's post, I wasn't able to get XG to communicate with tacacs+ however once that was sorted, I see the tacacs+ authentication log says user pap login succeeded but on FW weblogin it never authenticates to login.

I'm testing XG and Tacacs+ on latest version of XG v18 build 354 and seems this issue is still not fixed :( 

I hope Sophos gives some consideration to this function.

Thanks.

Z