Questions about Azure MFA / NPS and group membership

Hi Jonnie,

First of all you need to go back an enable this:

"Authenticate requests on this Server"

Then I would advise to go through the whole guide again, and add special attention to each and every setting :-)

Then if it's still not working, share some screenshots form the XG and NPS :-)

I presume that you have tested RADIUS from XG is working?

regadring the group, add it here:

Are the users loginname in your AD also the full UPN or something like .local??

Let's take it from here :-)

Hey Martin, 

glad to hear from you!   

I switch the authentication method back to the default value and now I can login. Can't explain why it is now possible. I had read your tutorial the weekend more than once. But the first login with a user which has never seen by the xg, needs two login attempts? Is this intentional?

Beside that, the user has set it's public email adress at AD but the XG use only name.surname for the username. 

Yes I already matched the network policy to a group at AD, but how can I match the user and group at XG ? We have several groups at the XG which belongs the different permission sets.  

Hey Martin, 

glad to hear from you!   

I switch the authentication method back to the default value and now I can login. Can't explain why it is now possible. I had read your tutorial the weekend more than once. But the first login with a user which has never seen by the xg, needs two login attempts? Is this intentional?

Beside that, the user has set it's public email adress at AD but the XG use only name.surname for the username. 

Yes I already matched the network policy to a group at AD, but how can I match the user and group at XG ? We have several groups at the XG which belongs the different permission sets.  

Hi,

Group attribute is wrong, try with "SF_AUTH" and not "SFAuth" :-)

Also you can go with more than 15 secs, have seen other places where 30 secs have better impact :-)

For what does "SF_AUTH" stands for?

From my understanding the group attribute name is to move move the user to their corresponding group. As described in this manual: www.sonicwall.com/.../

In other words, how does the XG know in which group the user should appear, except the default group? 

I'm able to login with the user but XG only creates a user with name.surname. Not with the UPN? 

Update: 

As I thought you have to set the group attribute name to "Filter-Id". After that you can add an aditional attribute at the NPS, which told the RADIUS Client (XG) in which group the user should be pushed. 

The Question is, should I use local groups at the XG or imported groups from AD? Does this matter? 

Regards,

Jonny

Got it from here:

https://support.sophos.com/support/s/article/KB-000036916?language=en_US

Add the Filter-Id attribute value needed to meet your network security requirements. In this example,  the Filter-Id value is set to SF_AUTH which is used in Group Name Attribute when adding an external RADIUS server in Sophos Firewall.

Regarding MFA it does not know which group.

From my understanding is's the attribute which XG uses to authenticator through radius. With UTM it's "ssl"

Ah ok I understand. I think it is a little bit misleading from the documentation, because it looks like it's a persistent attribute. It is actually the desired group name at the XG which the user should belongs to. 

You need only to add the group name from AD to the network policy and you have to ensure the the same group name is available at the xg.  It is running fine with local groups and also with groups from AD. 

UPDATE:

Checked vpn login with the mentioned configuration and MFA. It's running fine.   

The only issue is the missing UPN at the users object. I will investigate at little bit further.