
AD Group Membership and Firewall Rules

Hello Community,

I am trying to create group-based rules for the firewall. I have a user who is a member of 2 Active Directory groups, say "VPN-All" and "VPN-Admin". The user dials in via L2TP-VPN and is authenticated against a Windows NPS server with a RADIUS authentication. This works and the user is automatically created as an object on the firewall. The groups on the firewall were imported from the Active Directory and sorted in this way:

  • VPN-All
  • VPN admin
  • open group

After the user has logged in via L2TP-VPN, he is first of all a member of the "Open Group". If I add the user to the group "VPN-All" manually, all rules defined for the group "VPN-All" will apply. However, no rule for the group "VPN-Admin" will take effect.
This results in 2 questions:
1. How can a user be automatically added to a group? I have a larger three-digit number of users.
2. How can I deal with membership of multiple groups on the Sophos XG?

Thank you,

Ben



  • Hi Ben@Network,

    When users authenticate for the first time against the firewall, they will be added to the groups imported from your AD.

    The group membership behavior is explained in this KB article: Sophos Firewall: Group membership behavior with Active Directory

    Thanks,

  • Let me spend some words on this.

    There is the "Primary Group" behavior in XG, which shows you the Primary Group.

    But actually XG knows all Groups in the Backend. Therefore if you select a Group in Your Firewall Rule, which seems to be empty in XG, XG will simply use this Group for Firewall Matching. 

    Actually there is no way to show all Groups right now. 

  • Hello H_Patel, Hello LuCar Toni,

    Many thanks for your hints.

    I did some testing and found out this behavior. I have imported the groups into the firewall (they are not primary AD groups) and the user is not created in the firewall.

    - First L2TP-VPN dialup with RADIUS: User is created in the group "Open Group".
    - First dial-in via Captive Portal: User is created and is in the Active Directory group "VPN-All".
    - If the user is not a direct member of the group (we have AD groups in AD groups), the user will also be sorted into the "Open Group" using the Captive Portal.

    This leads to two questions:
    - How do I get my users into the right group after RADIUS authentication?
    - Is it planned for the future that a user can be a member of several groups? (Like the good old UTM)?

    Thanks,

    Ben

  • A user with a RADIUS authentication could be different from the user via AD. That will likely cause your issue to begin with.

    Again: If you have only AD Servers (no radius) the Client is in multiple groups and this works without any problem like UTM. UTM shows only the current group, not all groups of all users.

  • Hello LuCar Toni,

    You're right, if I build the authentication completely on AD, everything works as described in the KB article. The user will be sorted into the first group and memberships to other groups can be used in firewall rules. But: This only works if I set the authentication to "PAP" in the Windows client and send the passwords around unencrypted.

    When I switch back to RADIUS and CHAP v2, a second user is created on the firewall. The AD user will be created as 'user@dom' and the RADIUS user as 'user'. With the 'user', my firewall rules on the groups will no longer work.

    Do you change the authentication protocols for AD authentication to CHAP v2?

    Would it be helpful to look at the Sophos Connect Client to address this issue?

    Thanks,

    Ben