OTP with Active Directory Groups and Backend Memebership

Question

Hi everyone, 
 this is my first time here, so be patient with me :) 
 Sophos Support and our Partner couldn't help me with my questions and pointed me to the Community. I'm certain one might helpt me. 
 
 I would like to implement OTP on an XG Firewall (SFOS 18MR5). I don't want to force it on everybody, but rather members of a group synced from AD. 
 Is that even possible? 
 Documentation list the following as backend-membership compatible: 
 Supports all Backend groups: Firewall policies, TLS Policies, Web Filter policies, SSL Remote access VPN. Supports only the primary group : Hotspot, WAF, IPsec Remote access 
 
 Also, does anybody know when background-membership is synced to Sophos XG, when the AD group was modified? Is it instant or in hardcoded intervals? 
 I could't find proper documenation regarding my questions. Support couldn't help me either. 
 I would be grateful if you guys could lend me a hand here. 
 Thanks in Advance!

LuCar Toni · Accepted Answer

Users will be sync each login process. So if you login to your user portal or to your single sign on solution, XG will fetch the current groups and match them. It will not be reflected. 
 Backend groups mean, all groups in your AD will be matched. If it only supports the primary group, it will only work for the group, shown in XG. (Likely the first matching group in XG). 
 OTP can be enabled on the firewall itself and can be used before the firewall will proceed with the Authentication request. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/OneTimePassword.html 
 It can also be implemented as a Radius external service, but thats more a advanced settings. 
 
 You can limit OTP on the firewall to certain groups or users. It will be reflected on the primary group only. 
 You can also limit the OTP request to certain authentication methods only on the same screen.

OTP with Active Directory Groups and Backend Memebership

Top Replies