Hi,
XG V17.5: How can I use an AD user in a rule when that user never logged in before?
Do I need to create that user manually in XG?
What about password sync then?
Any hints?
Best, Gernot
Hi GernotMeyer
You can import users into Sophos XG - https://community.sophos.com/kb/en-us/123045. As per your scenario, the user should be available in the Sophos XG database in order to use it in the firewall rule.
You can use STA authentication to integrate the AD server with the XG firewall.
https://community.sophos.com/kb/en-us/123155
community.sophos.com/.../123156
Keyur,
Thanks for the answer. These are the right hints.
What happens to the password? Does the AD password no longer have any effect when setting it in Sophos, or, because the AD Domain Controllers are "first" in the authentication methods, is the Sophos PW without effect?
Hi GernotMeyer
If you integrate the AD server with the XG and change the authentication method server priority to the AD server, then when the user tries to authenticate, the user has to use the AD username and password. You can import OUs and groups to XG, and users will automatically fall under the same respective group in XG as in AD - https://community.sophos.com/kb/en-us/123158.
If the user is manually created in the Sophos XG, then it will take settings according to the user profile.
Thanks for the answer.
I tried it out: I created a user in AD. I also created that user in Sophos and assigned it to the AD group (in Sophos).
You can log in with the password set in Sophos until you have used the password from AD ONCE. So you can log in with both passwords.
Until the first login with the AD-provided password the login with the Sophos password is no longer possible.
Does this work as designed?
So that very useful "preload" feature from UTM is also (no longer) available in XG. Right?
Hi GernotMeyer
Basically there are 2 approaches to user management.
Either you can create a manual user or use the import feature by adding the user and required attributes such as password and group.
You can integrate AD and use authentication; when the user logs in by any method, the user will be created automatically in the Sophos XG, but the user has to authenticate once. It is hassle-free to manage, as you have AD in your network and you can import groups to the XG firewall, and you do not need to share the password with the user, which is the case with manual creation.
Whichever server you have selected in the list, Local or AD, precedence will be set accordingly.