Duo Integration with Sophos XG for 2FA

Thanks JasP, thanks Lucar Toni. I believe the issue I am facing from what I have read from you both is having Duo act as a radius server, and Sophos XG not been able to send attributes to it. I'd integrate Duo as an LDAP and not a Radius Server to Sophos and see if that works well. I am trying to avoid having an NPS as radius server except if there is no other way.

I'd definitely update soon guys.

Thanks again.

Hi Tobi Babatunde,

I would check if OTP is configured for SSL VPN on the XG firewall. If you are going to use Duo for OTP, disable OTP from XG for SSL VPN. Navigate to Authentication > One-time password > Settings > Enable OTP for facilities. 

I have recently worked on an issue similar to yours, and it was caused by having OTP selected for the service on the firewall. 

Thanks,

Thanks H_Patel.

I am noting that also, and would revert back.

Thanks Lucar Toni, adding the user to the VPN group was all that was needed.

Many thanks for your help.

If you have time, there is a way to contribute back to us, and write a recommend read for others! 

FloSupport Maybe we can assist to write up the DUO Integration? 

I'd be glad to do that. Please let me know how and when?

Hi Tobi Babatunde,

I'm following up with you via PM on this. 

Thank you LuCar Toni for your suggestion!

Thanks,

Did this write up ever happen? At the Sophos end, did you setup the DUO Proxy as an LDAP server or an AD server?

I can get DUO proxy to work as an AD server in Sophos but not as an LDAP server. Unfortunately I want to retain my principal AD server setup and add DUO Proxy as an additional authentication server (using a different port). Sophos won't allow me to have two AD servers on the same IP so I need to run the DUO Proxy as an LDAP server in Sophos and I can't get it to work.

I'll start a new post with the issue I'm facing but before I did I wondered if this ever got written up so I can have a look first.

Hi,

I've had that problem to, its solvable.

First Duo Authentication Proxy = Radius server and AD Client, so al your AD request could go through Duo AP. You don't need NPS or a AD server in the firewall. Groups are something more difficult, this because Duo AP does not do groups. And the groups from the AD are not respected. Basically you need to choose.

When you choose Duo AP, then under groups, make your VPN Users group and give the group policy access to vpn. In Authentications -> Services Under Firewall Authentication you can set a default group, make this your new VPN users group.

Now if an unknow or new user to the firewall logs on, they will be placed in that group, and vpn access is possible, it then goes through the proxy and ad to sign the user on.

This has a disadvantage, all user trying to logon will be placed in this group. But authentication based on AD groups can be managed in the Dou Admin portal, if you have the paid option.

Option 2: you can add this line to [ad_client] section of your Dou PA config file: security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com of course correcting it to the vpn user group in the AD, this wil solve the lack of groups sync in the Radius/Duo setup.

As LuCar Toni sad, you can not mix Radius Authentication and AD Groups, they have different paths to the same data, but will be treated ad different sources.

I've just posted worked examples of 3 ways to setup XG 18 with DUO 2FA - https://community.sophos.com/xg-firewall/f/discussions/124501/3-ways-to-setup-xg-18-with-duo-2fa