
Sophos Connect Radius Authentication

Hi,

We have a new Sophos XG and can't get the Sophos Connect VPN to work with Radius. Support have been looking at this for around 2 weeks and no luck yet so I'm reaching out to see if anyone might have any ideas.

We have Radius configured and passing the tests fine but when trying to connect using an AD username and password on Sophos Connect it doesn't accept it with "User Authentication Failed"

If we have PAP turned off on the NPS server we get a message in event viewer saying:

Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

If we turn PAP on then we get nothing in event viewer. No matter what auth settings we use in NPS we get the following message on the firewall:

"User {username} failed to login to VPN through RADIUS authentication mechanism because of access not allowed"

We have tried all this with Active Directory authentication and get the exact same results.

Lastly, any AD user can log into the XG User Portal with no issues. This then adds them as a local user account on the firewall and they can then use Sophos Connect. Ideally, we don't have to get all our users to log into the portal first before being able to use the VPN.

We are running firmware: SFOS 18.0.3 MR-3

Cheers

  • Hey mate, can you please provide your NPS authentication configuration.

  • I believe we have found the issue now. It seems we need to add the user into firewall via the Sophos central heart beat or the user portal before radius will work.

    Annoyingly neither are an option at the moment - all users are working from home due to the current situation so the heart beat doesn't work and we don't really want to open up the portal out on the internet and ask hundreds of users to log in before they will be allowed access to VPN.

    The only workaround we have at the moment is to use STAS to pull the users through and keep them authenticating on the old firewall/VPN until all users appear.

    It's far from ideal but hopefully it will work!
