OTP with Active Directory Groups and Backend Membership

Hi everyone,

this is my first time here, so be patient with me :)

Sophos Support and our Partner couldn't help me with my questions and pointed me to the Community. I'm certain someone here might help me.

I would like to implement OTP on an XG Firewall (SFOS 18 MR5). I don't want to force it on everybody, but rather on members of a group synced from AD.

Is that even possible?

Documentation lists the following as backend-membership compatible:

Supports all backend groups: Firewall policies, TLS policies, Web filter policies, SSL remote access VPN.
Supports only the primary group: Hotspot, WAF, IPsec remote access

Also, does anybody know when backend membership is synced to Sophos XG after the AD group was modified? Is it instant or at hardcoded intervals?

I couldn't find proper documentation regarding my questions. Support couldn't help me either.

I would be grateful if you guys could lend me a hand here.

Thanks in Advance!

  • Users will be synced at each login. So if you log in to your user portal or to your single sign-on solution, XG will fetch the current groups and match them. It will not be reflected.

    Backend groups means all groups in your AD will be matched. If it only supports the primary group, it will only work for the group shown in XG (likely the first matching group in XG).

    OTP can be enabled on the firewall itself and is used before the firewall proceeds with the authentication request. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/OneTimePassword.html

    It can also be implemented as a RADIUS external service, but that's more of an advanced setting.

    You can limit OTP on the firewall to certain groups or users. It will be reflected on the primary group only.

    You can also limit the OTP request to certain authentication methods only, on the same screen.

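The reply above describes OTP being checked on the firewall before the backend authentication request, with enforcement limited to certain groups and evaluated against the primary group only. The following Python is an added example that models that flow so the primary-group caveat can be seen concretely; it is not Sophos code and not from this thread. It assumes RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and that the passcode is typed after the password in the password field. The users, their group order, the token secret (the RFC 6238 reference key) and `OTP_REQUIRED_GROUPS` are all constructed, and treating the first synced group as the "primary group" is an assumption taken from the reply's own guess.

```python
import hashlib
import hmac
import struct

# Model of the login path described in the reply: OTP is enabled on the
# firewall and applied before the backend (AD) authentication request, and
# enforcement can be limited to groups, where only the primary group counts.
# Assumptions (not from the page): TOTP per RFC 6238 (HMAC-SHA1, 30 s step,
# 6 digits) and the passcode typed after the password in the password field.

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference key; a constructed value, not a real token secret.
RFC6238_SHA1_KEY = b"12345678901234567890"

# Constructed sample directory: group order as the firewall would see it after
# a login-time sync; the first entry models the "primary group" of the reply.
USERS = {
    "alice": {"password": "Secret1",
              "groups": ["Domain Users", "VPN-OTP-Users"],
              "totp_secret": RFC6238_SHA1_KEY},
    "bob":   {"password": "Secret2",
              "groups": ["Domain Users"],
              "totp_secret": None},
}

# Groups for which OTP is enforced (the "certain groups or users" setting).
OTP_REQUIRED_GROUPS = {"VPN-OTP-Users"}


def totp(secret, unix_time):
    """RFC 6238 TOTP code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step plus `window` steps either side for clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def otp_required(groups, primary_only):
    """Enforcement check: every synced group, or only the primary (first) one."""
    candidates = groups[:1] if primary_only else groups
    return any(g in OTP_REQUIRED_GROUPS for g in candidates)


def check_login(user, password_field, unix_time, primary_only=False):
    """Simulate the firewall's pre-auth OTP step followed by the password check."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not otp_required(rec["groups"], primary_only):
        # No OTP for this user: the whole field is the password.
        return hmac.compare_digest(password_field, rec["password"])
    if rec["totp_secret"] is None or len(password_field) <= DIGITS:
        return False  # OTP enforced but no token enrolled, or no room for a code
    password, code = password_field[:-DIGITS], password_field[-DIGITS:]
    if not verify_totp(rec["totp_secret"], code, unix_time):
        return False  # OTP rejected before any backend request would be made
    return hmac.compare_digest(password, rec["password"])


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the code for this step is 287082
    print(check_login("alice", "Secret1" + totp(RFC6238_SHA1_KEY, now), now))
    print(check_login("alice", "Secret1", now))
    # Same user, but a feature that honours only the primary group:
    # her OTP group is not primary, so no OTP is asked for.
    print(check_login("alice", "Secret1", now, primary_only=True))
    print(check_login("bob", "Secret2", now))
```

The third call is the point of the example: with `primary_only=True` alice's OTP group is not her first group, so the password alone is accepted. That is the practical consequence of the documentation lines the question quotes, so before relying on OTP for Hotspot, WAF or IPsec remote access, check which group XG shows as the user's primary group rather than only whether the user is a member of the OTP group somewhere in AD.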