Sophos XG detect wrong user group

Hello

i have troubles with XG conected to multiple AD's, that is not reconized correctly the usersgroups, and put them in the default open group.

case #8896626 is opened since weeks without any construtive answer. from support...

It seems to be s bug of new OS. What version are you using?

Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD). 

So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

Which groups did you import on XG? 

Hi,

Each user belongs to 2 groups, the primary group Domain users and either one of three group: IT, Staff, Faculty. 

I just imported those 3 to AD. I didn't import Domain users group. 

hello LuCar Toni 

in my case, i have many AD's registered on the XG, with many groups imported for each.

in certain cases, for certain users, the group is not recognized and classify by the XG as open group, even if the user is only member of on group, correctly imported in the XG.

As i told you, case is dealt by level 3 since weeks without any news..

Well I think Sophos just put user in default group. In your case, it' Open group. 

Please do not mix two different issues in one Thread. 

First of all, did you actually order the Groups on XG? 

Second, could you please share a screenshot of one User and the group tab? 

Here you are:

Before it set default group is Staff group and it put me in Staff group. Then I changed default group to Faculty group and it put me in Faculty. So I do believe XG just put me in default group. 

Yep, XG put the user in default group if it does not find any match, this is totally logical.

Exept that in our cases, there is a group, imported on the XG, that it does not recognize...

Ok, both of you need to dig deeper into this issue.

You need to create a tcpdump. 

In this tcpdump, there should be a packet from DC, which contains all groups. 

https://community.sophos.com/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

Create a Dump on Port 389 (Please verify, you do not use encrypted AD - If so, please disable / change to Port 389 and reproduce this issue).

Start the dump into a file, authenticate via user Portal / STAS etc and download the Dump. 

LuCar Toni

ok done that, may i PM you the result ?

seems the LDAP respond without any group

You should not send anybody such Logs in the Internet. Instead Support should analyze those Logs.

They contain sensitive data! (Passwords etc.).

If LDAP does not respond with groups, there you go. Seems like your AD has an issue in the setup process. 

Basically XG performs a query and uses the results to actually detimate the correct group. 

You should not send anybody such Logs in the Internet. Instead Support should analyze those Logs.

They contain sensitive data! (Passwords etc.).

If LDAP does not respond with groups, there you go. Seems like your AD has an issue in the setup process. 

Basically XG performs a query and uses the results to actually detimate the correct group. 

Sorry about my previous answer, i hadn't tipe the option -s0 so the capture was truncated.

now i have the full response from the LDAP server, and i can see the right group on it, which is imported on the XG (and unique) !

My XG also received the group attribute from AD. Some users are associated to correct group, some to default group. 

Hello The Do LuCar Toni 

seems that we faced the same bug... have you open a case ?

how many LDAP serveur have you registered ?