
Sophos XG detect wrong user group

Hi everyone,

I'm using SFOS 17.5.7 MR7. I'm having an issue with user groups.
I have an Active Directory server as an authentication server. I have some groups for users where I can apply a policy for each.
This was running fine. But recently I noticed some users are associated with the wrong group.
For example, I'm in IT, so I'm supposed to be in the IT group, but Sophos XG puts me in the Staff group, which is the default group I set in the Authentication server list.
And the weirdest thing is that although XG puts me in the Staff group, it applies the IT policy for me. In the IT policy, I only put the IT group in Identity.

I checked all the configuration following the KB https://community.sophos.com/kb/en-us/123158 and https://community.sophos.com/kb/en-us/123161 and I'm quite sure I did right.

But I have no idea what's wrong with my XG. Could you please advise?



This thread was automatically locked due to age.
  • Hello

    I have troubles with XG connected to multiple ADs: it does not recognize the user groups correctly, and puts them in the default open group.

    Case #8896626 has been open for weeks without any constructive answer from support...

  • It seems to be a bug of the new OS. What version are you using?

  • Hello

    I am using v17.5.7, the most stable firmware ever released...

  • As previously said, this is not a bug. It is a feature. 

    XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

    So called, if you have a User in IT and User for example, and you create a firewall Rule with Group IT, this Firewall Rule will be used. 

    Firewall Rule uses "first match". 

    There is a Bug in the Firewall Policy Tester, which does not reflect this behavior. The Firewall Policy Tester only uses the Primary Group, so this will give you a wrong output.

    But the firewall Rule will work properly. 

     

    The Question is, what do you want to achieve? Such Setups with multiple groups in them can be very complex.

    __________________________________________________________________________________________________________________

  • I just realised one more weird thing. I set traffic shaping for the IT group to unlimited. The fw puts me in the Staff group, which is supposed to have 8Mbps. When I test the bandwidth, it's unlimited (???). But when I look at the fw log, it shows I'm applied the rule for Staff (based on the Rule ID). I'm really, really confused.

  • Firewall Traffic Shaping will be above the direct User / Group Shaping.

    So if you have a User, which is in both Groups, but you have two rules (1. IT 2. Staff), then the IT Rule will hit and the Traffic Shaping of IT will take place.

    __________________________________________________________________________________________________________________
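The "first match" rule evaluation and the Policy Tester discrepancy described in the two replies above (the firewall matches any of the user's groups in rule order, while the tester reportedly considers only the primary group), as an added Python model. This is not Sophos code and does not read XG configuration: the users, rules and shaping values are constructed for illustration, and the tester logic is modelled exactly as the reply describes it, as an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    primary_group: str      # what the XG "Users" page shows (the default group here)
    groups: frozenset       # all groups XG learned from AD for this user


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    identity_groups: frozenset    # rule matches if the user is in ANY of these
    shaping_kbps: Optional[int]   # None models "unlimited" traffic shaping


def firewall_match(user: User, rules: list) -> Optional[Rule]:
    """Model of the live firewall: first rule (in order) whose identity
    intersects the user's full group set wins."""
    for rule in rules:
        if rule.identity_groups & user.groups:
            return rule
    return None


def policy_tester_match(user: User, rules: list) -> Optional[Rule]:
    """Model of the Policy Tester as described in the thread (assumption):
    only the primary group is considered, so a user whose primary group is
    the default group may be reported against the wrong rule."""
    for rule in rules:
        if user.primary_group in rule.identity_groups:
            return rule
    return None


def effective_shaping(user: User, rules: list) -> Optional[int]:
    """Shaping the user actually gets: that of the firewall's first match."""
    rule = firewall_match(user, rules)
    return rule.shaping_kbps if rule else None


def find_disagreements(users: list, rules: list) -> list:
    """Return (user, firewall_rule_id, tester_rule_id) for every user where
    the tester's answer differs from what the firewall would apply. Useful as
    a check before trusting Policy Tester output on multi-group setups."""
    out = []
    for u in users:
        fw = firewall_match(u, rules)
        pt = policy_tester_match(u, rules)
        fw_id = fw.rule_id if fw else None
        pt_id = pt.rule_id if pt else None
        if fw_id != pt_id:
            out.append((u.name, fw_id, pt_id))
    return out


# Constructed scenario mirroring the thread: the user shows up with the
# default "Staff" group as primary, but XG also holds the "IT" membership.
ALICE = User("alice", primary_group="Staff", groups=frozenset({"IT", "Staff"}))

# Rule order as in the reply: 1. IT (unlimited), 2. Staff (8 Mbps).
RULES = [
    Rule(1, "IT access", frozenset({"IT"}), shaping_kbps=None),
    Rule(2, "Staff access", frozenset({"Staff"}), shaping_kbps=8192),
]

if __name__ == "__main__":
    print("firewall applies :", firewall_match(ALICE, RULES).name)
    print("tester reports   :", policy_tester_match(ALICE, RULES).name)
    print("effective shaping:", effective_shaping(ALICE, RULES))
    print("disagreements    :", find_disagreements([ALICE], RULES))
```

Running it shows the firewall applying rule 1 (IT, unlimited) while the modelled tester reports rule 2 (Staff), which is the confusing combination the original poster saw. Reversing the rule order makes the Staff rule win for the same user, so on multi-group setups the rule ordering, not the displayed primary group, decides the outcome.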

  • I'm a member of only the IT group in AD.

  • Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD). 

     

    So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

    Which groups did you import on XG? 

    __________________________________________________________________________________________________________________
