
Active Directory

Hello,

just looked into the authentication

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationConfigureActiveDirectory.html

This looks much less intuitive than on the Sophos SG and I have a bunch of questions:

1) How often is the group membership of the imported AD groups updated?

2) What are the exact differences between

- Firewall authentication methods
- User portal authentication methods

3) If you are configuring RADIUS and AD for one of the authentication methods, which one should be used for what? How does the firewall match these two users (for me it looks like both "know" each other)?

4) Groups can only be used with AD logins?

5) On which objects/functionalities synchronized/imported AD groups can be used?

6) In which sense is a firewall group different from a synchronized/imported AD group?

7) If using 2FA and OTP, does this only work with RADIUS authentication or also with AD authentication?

8) Is the scope of 2FA and OTP (only?) the sections

-VPN (IPsec/L2TP/PPTP) authentication methods
-Administrator authentication methods
-SSL VPN authentication methods

Regards,
BeEf



This thread was automatically locked due to age.
1. As you do not have a "Get my AD Users to my Firewall" process, the answer is "every time you log in to the firewall". This will get the user created/updated. You log in to the user portal -> it reflects all changes to the firewall backend. The user uses SSL VPN -> it syncs with the AD backend.

2. Firewall authentication is everything like STAS, Synchronized User ID, Webadmin. User Portal is just the user portal.

3. A user will be matched if they have the same UPN. A UPN is basically a sAMAccountName + domain (basically an email address). You can configure a domain within RADIUS and SFOS will match the RADIUS username to the domain. So to speak, if you have a username like luca and you have @sophos.com in RADIUS, the firewall will match this user to luca@sophos.com.

4. Groups can be used for nearly everything.

5. See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125654/backend-group-membership-in-xg-firewall

6. If you sync an AD group, it is simply a process to streamline the creation process. You can also simply create the group on the firewall without the need to import them.

7. OTP works with both protocols, as far as I know. But commonly you use time-based OTP for AD, and if you have RADIUS, you integrate something like Azure MFA or DUO, which gives you a RADIUS server.

8. Yes, those are the OTP-supported modules.
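To make the UPN matching rule in point 3 concrete, here is an added example that is not part of the original reply and not Sophos code: it models the described behaviour of appending the RADIUS-configured domain to a bare RADIUS username and matching the result against AD users by UPN. The sample users, the `sophos.com` domain value and the case-insensitive comparison are assumptions for illustration; the real SFOS matching code is not public, so treat this as a model of the rule the answer describes, including the failure mode where a wrong RADIUS domain produces no match (and therefore no group membership) for the login.

```python
"""Model of RADIUS-username -> AD-UPN matching as described in the forum
answer. Added example, not Sophos code; the directory below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ADUser:
    sam_account_name: str
    upn: str                      # userPrincipalName, e.g. luca@sophos.com
    groups: Tuple[str, ...]       # backend group memberships (constructed)


# Constructed sample directory (not real accounts).
AD_USERS = (
    ADUser("luca", "luca@sophos.com", ("VPN-Users",)),
    ADUser("alice", "alice@sophos.com", ("Admins", "VPN-Users")),
)

# The domain configured on the RADIUS server object in SFOS (assumed value).
RADIUS_DOMAIN = "sophos.com"


def to_upn(radius_username: str, default_domain: str) -> str:
    """Normalise a RADIUS-supplied username to a UPN.

    A bare name ('luca') gets the configured domain appended; a name that
    already carries '@domain' is kept. UPNs are compared case-insensitively,
    as AD itself treats them (assumption about SFOS, fact about AD).
    """
    name = radius_username.strip()
    if "@" not in name:
        name = f"{name}@{default_domain}"
    return name.lower()


def match_radius_user(radius_username: str,
                      users: Iterable[ADUser] = AD_USERS,
                      default_domain: str = RADIUS_DOMAIN) -> Optional[ADUser]:
    """Return the AD user whose UPN equals the normalised RADIUS name, or None.

    None is the misconfiguration case: the RADIUS login succeeds, but no
    AD identity (and so no AD group membership) is attached to it.
    """
    wanted = to_upn(radius_username, default_domain)
    for user in users:
        if user.upn.lower() == wanted:
            return user
    return None


def groups_for_login(radius_username: str,
                     default_domain: str = RADIUS_DOMAIN) -> Tuple[str, ...]:
    """Groups a firewall policy could act on after a RADIUS login."""
    user = match_radius_user(radius_username, AD_USERS, default_domain)
    return user.groups if user else ()


if __name__ == "__main__":
    print(to_upn("luca", RADIUS_DOMAIN))              # luca@sophos.com
    print(groups_for_login("luca"))                   # ('VPN-Users',)
    print(groups_for_login("luca", "example.com"))    # () -> no match
```

The last call shows the check a practitioner wants: if the domain on the RADIUS server object does not equal the AD UPN suffix, the login still authenticates but lands with no backend groups, so group-based rules silently stop applying.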
