
Duo Integration with Sophos XG for 2FA

Hello,

I have integrated Cisco Duo with Sophos XG (running firmware 18.01), but have issues with SSL VPN. My AD is my primary authentication method, while Duo is my second-factor authentication. When I test the connection, all works well.

I have changed the SSL authentication method to use Duo first; when I try to VPN, I do receive a PUSH, which I approve, but it still fails (wrong username or something like that). I see it on Duo as successful, but it still would not work.

Has anyone done this integration recently on firmware 18 now that we can set timeout values?

Thanks.



  • Hi,

    I've had that problem too; it's solvable.

    First, Duo Authentication Proxy = RADIUS server and AD client, so all your AD requests can go through Duo AP. You don't need NPS or an AD server in the firewall. Groups are more difficult, because Duo AP does not do groups, and the groups from the AD are not respected. Basically you need to choose.

    When you choose Duo AP, then under Groups, make your VPN Users group and give the group policy access to VPN. In Authentication -> Services, under Firewall Authentication, you can set a default group; make this your new VPN Users group.

    Now if an unknown or new user to the firewall logs on, they will be placed in that group, and VPN access is possible; it then goes through the proxy and AD to sign the user on.

    This has a disadvantage: all users trying to log on will be placed in this group. But authentication based on AD groups can be managed in the Duo Admin portal, if you have the paid option.

    Option 2: you can add this line to the [ad_client] section of your Duo AP config file: security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com, of course correcting it to the VPN user group in the AD. This will solve the lack of group sync in the RADIUS/Duo setup.

    As said, you cannot mix RADIUS authentication and AD groups; they have different paths to the same data, but will be treated as different sources.
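As an added illustration (not the replier's own file, and not from the Sophos or Duo documentation), this is what the two pieces the reply describes look like together in the Duo Authentication Proxy's authproxy.cfg: an [ad_client] section that performs the primary AD authentication, carrying the security_group_dn line from option 2, and a [radius_server_auto] section that the Sophos XG talks to as a RADIUS client. Hostnames, addresses, the service account and the group DN are placeholders; ikey, skey and api_host come from the Duo Admin Panel entry for the proxy application.

```ini
; Added example authproxy.cfg for a Sophos XG / Duo AP setup.
; Not from the original thread; every value in angle brackets is a placeholder.

[ad_client]
; Domain controllers the proxy binds to for primary authentication
host=dc1.example.com
host_2=dc2.example.com
; Read-only service account used for the LDAP bind
service_account_username=<duo-proxy-service-account>
service_account_password=<password>
search_dn=DC=example,DC=com
; Option 2 from the reply: only members of this AD group pass primary auth.
; This replaces the AD group sync that the RADIUS path to the firewall lacks.
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

[radius_server_auto]
; Credentials for the proxy application created in the Duo Admin Panel
ikey=<integration key>
skey=<secret key>
api_host=<api-XXXXXXXX.duosecurity.com>
; Primary authentication is delegated to the [ad_client] section above
client=ad_client
; "secure" denies logins when the Duo cloud is unreachable; "safe" would allow
; primary-only logins in that case
failmode=secure
; The Sophos XG as a RADIUS client; the same secret is entered on the XG side
radius_ip_1=<firewall IP>
radius_secret_1=<shared secret>
port=1812
```

Two things to check alongside this file: the RADIUS timeout configured on the XG for this server has to be longer than the time it takes a user to approve the push (the timeout setting the original post refers to), and the firewall's default group for RADIUS users should be the VPN group the reply describes, since the proxy returns no group membership of its own.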
