Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 2365 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD password change in XG VPN client

Dan Williams

Hi

We are getting lots of negative feedback after deploying Sophos XG firewalls in place of Cisco ASAs as the VPN client doesnt seem to support AD password change prompts when using RADIUS backend for auth.

Is there any way in which AD password expiries can be passed through to a remote worker over the VPN from an XG? or are there any plans to bring this in as a feature?? 

This is getting to the point where we wont be able to sell them as the amount of remote working now due to Covid is causing daily support issues for our customers with AD passwords expiring. Some are even now continuing to use Cisco ASAs just to use the AnyConnect client to reset an AD user password.

Surely if Cisco have been able to provide this feature for years, why cant this work on the XG??

(any other ideas to get around this problem much appreciated)

Thanks
Dan



Edited TAGs
[edited by: emmosophos at 5:12 PM (GMT -7) on 23 Sep 2022]
Parents
  • 0

    You mean the "Build VPN before login" Feature (aka. msgina hack)? This is a "feature" which uses a binary in windows to be able to build up the VPN before the login mask actually logged in the user. 

    This is actually not supported: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11195724-ssl-vpn-client-that-logs-on-before-windows 

    The user should be able to change their password, while connect, as the windows protocol takes care of this process. 

    But if the password expires and he needs to change this password, the VPN Client does not have the capabilities to change this. Therefore the old password is likely not usable, and he cannot change this password - Correct? 

    Maybe you need to think about a new strategy to change the passwords before they expire. There are multiple roads to go: https://newsignature.com/articles/password-expiration-nightmare-vpn-users-solved/ etc. 

    Azure AD has another approach to this issue. 

  • 0 in reply to LuCar Toni

    Hi.

    So no not necessarily the MSGINA VPN before login option, but simply that AnyConnect will warn you of a password change due and then allow you to change it from within the client at the point you connect. Its a simple and very effective solution that Cisco have support for a long time on the ASA.

    Cisco AnyConnect - Allow Domain Password Change via LDAP | PeteNetLive

    Yes there are workarounds or other technologies, but this adds unnecessary complication to what should be as simple as;

    user logins to workstation with cached creds, user launches AnyConnect, AnyConnect warns of password change required,

    user changes password and completes VPN connection, user locks and unlocks workstation, everything now in sync.

    Currently we have the issue that a user will attempt multiple times to connect to Sophos VPN and this eventually causes account lockout due to an expired password that they arent aware of, then a call to IT is required to resolve the issue.

    Yes you could use something like AzureAD password writeback but this requires AD Connect and ideally MFA on all cloud accounts to prevent hackers using breached AzureAD accounts to penetrate the on-premise network (i appreciate MFA is best practice anyway). Or use Identity manager as you suggested, Again its added complexity for something that should be simple, and for small businesses they arent going to accept that we not only have the cost to replace the firewall but now the added cost of everything else just to get back a feature that they have always had with AnyConnect out of the box at no extra cost.

    Its just frustrating that a simple feature cant be added in to the VPN client solution to prevent the need for all the "workarounds".

  • 0 in reply to Dan Williams

    Actually that is not easy to perform at all. Its not as simple as you might think. Because this would actually require you to allow to change something from XG via LDAP. And Sophos is not doing this at all with any product. We never change anything on the AD. There are couple of reasons behind this approach. 

    So this sounds "simple" in the first approach to "Simply push something to AD", but there is a huge impact on this. 

Reply
  • 0 in reply to Dan Williams

    Actually that is not easy to perform at all. Its not as simple as you might think. Because this would actually require you to allow to change something from XG via LDAP. And Sophos is not doing this at all with any product. We never change anything on the AD. There are couple of reasons behind this approach. 

    So this sounds "simple" in the first approach to "Simply push something to AD", but there is a huge impact on this. 

Children
No Data