Questions about Azure MFA / NPS and group membership

Hey together, 

I've configured our NPS according to the tutorial from twister5800 https://community.sophos.com/xg-firewall/f/recommended-reads/122575/sophos-xg-using-azure-mfa-for-ssl-vpn-and-user-portal/451795#451795 .

The general authentication is working, but I have several configuration issues. Maybe somebody can assist.

- The authentication is only working if I switch to "Accept users without validating credentials" instead of "Authenticate requests on this server". Otherwise the authentication fails. The NPS is installed on a domain controller.

- How can I control the group membership of the users? If I log in at the user portal, the user is dropped into the default group on the XG.

- If I log in with the UPN at the user portal, the user is created without the domain suffix, e.g. max.mustermann instead of max.mustermann@company.

This does not happen if I log in with the regular Active Directory login, where the user is created with the full UPN.

Happy for any support.

  • Hi Jonnie,

    First of all you need to go back and enable this:

    "Authenticate requests on this Server"

    Then I would advise you to go through the whole guide again, and pay special attention to each and every setting :-)

    Then if it's still not working, share some screenshots from the XG and NPS :-)

    I presume that you have tested RADIUS from XG is working?

    Regarding the group, add it here:

    Are the users' login names in your AD also the full UPN, or something like .local?

    Let's take it from here :-)

  • Hey Martin, 

    glad to hear from you!

    I switched the authentication method back to the default value and now I can log in. I can't explain why it works now. I had read your tutorial more than once over the weekend. But the first login with a user that the XG has never seen needs two login attempts? Is this intentional?

    Besides that, the user has their public email address set in AD, but the XG uses only name.surname for the username.

    Yes, I already matched the network policy to a group in AD, but how can I match the user and group on the XG? We have several groups on the XG which belong to different permission sets.

  • Hi,

    Group attribute is wrong, try with "SF_AUTH" and not "SFAuth" :-)

  • Also, you can go with more than 15 secs; I have seen other places where 30 secs had a better impact :-)

  • What does "SF_AUTH" stand for?

    From my understanding, the group attribute name is to move the user to their corresponding group, as described in this manual: www.sonicwall.com/.../

    In other words, how does the XG know in which group the user should appear, except the default group? 

    I'm able to login with the user but XG only creates a user with name.surname. Not with the UPN? 

    Update

    As I thought, you have to set the group attribute name to "Filter-Id". After that you can add an additional attribute at the NPS, which tells the RADIUS client (XG) into which group the user should be pushed.

    The question is: should I use local groups on the XG or imported groups from AD? Does this matter?

    Regards,

    Jonny

  • Got it from here:

    https://support.sophos.com/support/s/article/KB-000036916?language=en_US

    Add the Filter-Id attribute value needed to meet your network security requirements. In this example, the Filter-Id value is set to SF_AUTH which is used in Group Name Attribute when adding an external RADIUS server in Sophos Firewall.

    Regarding MFA, it does not know which group.

    From my understanding it's the attribute which XG uses to authenticate through RADIUS. With UTM it's "ssl".

  • Ah ok, I understand. I think it is a little bit misleading in the documentation, because it looks like it's a persistent attribute. It is actually the desired group name on the XG which the user should belong to.

    You only need to add the group name from AD to the network policy, and you have to ensure that the same group name is available on the XG. It is running fine with local groups and also with groups from AD.

    UPDATE:

    Checked VPN login with the mentioned configuration and MFA. It's running fine.

    The only issue is the missing UPN on the user object. I will investigate a little bit further.
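As an added illustration (not code from this thread, from Sophos or from NPS), the following Python model shows how a RADIUS Access-Accept carries the group name in the Filter-Id attribute (type 11), how the reply's authenticator is checked before any attribute is trusted, and why a user lands in the default group when the attribute value does not match a group that exists on the XG. The default group name "Open Group", the shared secret, the user and the group names are constructed assumptions.

```python
import hashlib
import struct

# RFC 2865 constants; Filter-Id (11) is the attribute the thread uses as the XG "Group Name Attribute".
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
DEFAULT_GROUP = "Open Group"  # assumed name of the firewall's default group

def build_access_accept(ident, request_auth, secret, attrs):
    # TLV attributes plus Response Authenticator = MD5(header | request
    # authenticator | attributes | shared secret), as the NPS would send it.
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body

def verify_response(pkt, request_auth, secret):
    # A reply whose authenticator does not match the secret and the outstanding request is dropped.
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[4:20] == expected

def parse_attrs(pkt):
    # Walk the attribute list: one byte type, one byte length, then the value.
    attrs, pos = [], 20
    while pos < len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, pkt[pos + 2:pos + length]))
        pos += length
    return attrs

def resolve_group(pkt, group_attr, known_groups):
    # Firewall-side decision: the configured group attribute must name a group
    # that exists on the XG, otherwise the user lands in the default group.
    for t, value in parse_attrs(pkt):
        if t == group_attr and value.decode() in known_groups:
            return value.decode()
    return DEFAULT_GROUP

def demo():
    # Constructed sample values: shared secret, request authenticator, XG groups.
    secret, req_auth = b"constructed-secret", bytes(range(16))
    xg_groups = {"VPN-Users", "Admins"}
    user = (ATTR_USER_NAME, b"max.mustermann@company")
    ok = build_access_accept(7, req_auth, secret, [user, (ATTR_FILTER_ID, b"VPN-Users")])
    typo = build_access_accept(8, req_auth, secret, [user, (ATTR_FILTER_ID, b"VPN_Users")])
    return (resolve_group(ok, ATTR_FILTER_ID, xg_groups),
            resolve_group(typo, ATTR_FILTER_ID, xg_groups))
```

`demo()` returns the matched group for the first packet and the default group for the second, which is the behaviour the thread describes when the Filter-Id value and the XG group name differ.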
