using AD users in clientless access or other rules when they never logged in before

Hi GernotMeyer 

You can import users in Sophos XG - https://community.sophos.com/kb/en-us/123045 as per your scenario, the user should be available in Sophos XG database in order to use it in the firewall rule.

You can use STA authentication to Integrate the AD server with the XG firewall.

https://community.sophos.com/kb/en-us/123155

community.sophos.com/.../123156

Keyur,

thanks for answer. These are the right hints.

What happens to password? The AD password has no more effect when setting it in Sophos or because AD Domain Controller are "first" in authentication methode the sophos PW is without effect?

Hi GernotMeyer 

If you integrate Ad server with the XG and change authentication method server priority to AD server and when the user tries to authenticate, the user has to use AD username and password. You can import OUs and Group to XG and users will automatically fall under the respective group as AD in XG - https://community.sophos.com/kb/en-us/123158.

If the user is manually created in the Sophos XG, then it will take setting according to the user profile.

Thanks for answer.

I tried around: Created a user in AD. Also created that user in Sophos and assigned it to the AD group (in Sophos).

You can login with the password set in Sophos until you used ONCE the password from AD. So you can login with both passwords.

Until the first login with the AD provided password the login with the sophos password is no more possible.

This works as designed?

Thanks for answer.

I tried around: Created a user in AD. Also created that user in Sophos and assigned it to the AD group (in Sophos).

You can login with the password set in Sophos until you used ONCE the password from AD. So you can login with both passwords.

Until the first login with the AD provided password the login with the sophos password is no more possible.

This works as designed?

So also that very usefull "preload" feature from UTM is (no more) available in XG. Right?

Hi GernotMeyer 

Basically there 2 approaches in user management.

Either you can create a manual user or use import feature by adding user and required attributes such as password and group.

You can integrate AD and use authentication when the user logs in by any method, it will create automatically in the Sophos XG but the user has to authenticate once but it is hassle-free to manage as you have AD in your network and you can import groups to XG firewall and you do not need to share the password to the user which is the case with manual creation.

Whatever server you have select in the list, Local or AD, precedence will set accordingly.