XG Firewall adds User to Group without AD interaction

Hello everyone,

I am having a hard time with a problem which seems to have appeared after the last update (maybe not related) to SFOS 18.0.5 Build 586.

My VPN setup via AD groups stopped working (or is working more than it should).

Normal configuration:

1. Add user to AD group "VPN"

2. User downloads + installs client with config from the self-service portal

3. Be happy

Now it behaves like this:

1. User can log in to the self-service portal and download the client (without being in the AD group)

2. VPN connections can be established

3. The XG adds the user to the group "VPN" in the XG while there is still no change to the AD group

Did anyone experience a similar issue? I double-checked the configuration against another working XG which does not have the problem.

Kind Regards



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    As you mentioned, the user must be getting authenticated from AD via the firewall. If so, then the user must already be a part of the VPN group on AD; that is the reason they are getting added to the VPN group on the firewall, based on the authentication replies we get from the AD server.

  • Hi Kishan,

    The problem is: they are not in the AD group. I can create a new user in the domain without any groups and I can use it to log in to the firewall and download VPN packages.

    The XG shows that new account in the VPN group. If I take a look into AD, it is still not there.

  • Hi, what is the default group set on XG? Is it set to "VPN group" or any other group? If it is set to "VPN group", then any user for whom no matching group is found on XG will become part of the default group.

    I believe the above could be the possible reason for your scenario.

    If the user has no VPN settings, then the policy defined on the group will be applied to users.

  • Hi Vishal_R ,

    Default Group is set to VPN:

    and VPN Setting:

    Also authentication is set to Local AND the DC

    So if a user logs into the firewall with AD credentials and is NOT a member of the AD group VPN, he will be added to the Sophos group VPN (which is the local AD group) because it is set as the default group?

    Kind regards
    Mirco

  • Hi, yes, correct. As the default group is "VPN - User", whenever the user logs in for the first time with any method, they will become part of that group and the policy applied to that group will be applicable to the user.

    So you may change the default group to any other group where you have not applied any VPN policy; then the user will be part of that default group and the VPN policy will not be applied.

  • Okay, thank you very much!
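
The default-group fallback described in the replies above, as a simplified model with an audit check. This is an added example, not part of the original thread and not Sophos code; the function names, the `No-VPN` group and the sample users are assumptions constructed for illustration.

```python
# Simplified model of the behaviour described in this thread; not Sophos code.
# All names and sample data below are constructed for illustration.

def assign_group(ad_groups, firewall_groups, default_group):
    """Return the firewall group a user lands in at first login.

    If one of the user's AD groups matches a group defined on the firewall,
    that group is used; otherwise the user falls back to the default group.
    """
    for group in ad_groups:
        if group in firewall_groups:
            return group
    return default_group


def audit_fallback(users, firewall_groups, default_group, vpn_groups):
    """List users who get a VPN-enabled group only through the default-group fallback."""
    findings = []
    for name, ad_groups in sorted(users.items()):
        assigned = assign_group(ad_groups, firewall_groups, default_group)
        if assigned in vpn_groups and assigned not in ad_groups:
            findings.append(name)
    return findings


# Constructed sample: AD group memberships as the directory would report them.
USERS = {
    "alice": ["VPN"],           # really a member of the AD group "VPN"
    "bob": ["Domain Users"],    # no VPN membership in AD
    "newuser": [],              # fresh domain account without any groups
}
FIREWALL_GROUPS = {"VPN", "No-VPN"}  # "No-VPN": hypothetical group without VPN policy
VPN_GROUPS = {"VPN"}                 # firewall groups that carry a VPN policy

if __name__ == "__main__":
    # Setting from the thread: the default group is the VPN group.
    print(audit_fallback(USERS, FIREWALL_GROUPS, "VPN", VPN_GROUPS))
    # Suggested change: a default group that has no VPN policy applied.
    print(audit_fallback(USERS, FIREWALL_GROUPS, "No-VPN", VPN_GROUPS))
```

Run against an export of firewall users and the real AD group membership, the same comparison shows which accounts hold VPN access without being in the AD group.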