
DUO Authentication Help

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa 

Using this information, I followed the setup for DUO authentication for XG AD Server, DUO LDAP client and server, and it works.

But, it seems the user setup on the XG authentication server is authenticating into DUO too. Everyone states this should be skipped, and the only authentication should be the user that is trying to authenticate, via DUO, into the user portal or SSL VPN. Here is my current setup for DUO and the XG: 

When signing in, I get the DUO push, but it automatically authenticates after 5 seconds without having to accept the login (I know there is a 5 second limit when trying to sign in, but I was expecting the login to fail). I can see in our DUO authentication log that the user, sophos, is authenticating into our DUO system, and since we allow for users who aren't enrolled in DUO to bypass the 2FA, it authenticates no matter what. It makes sense why it would authenticate without the signing in user accepting or denying it.

Any ideas on what needs to change? 



This thread was automatically locked due to age.
  • Is the duo-ldap-authentication the only one selected within "Authentication" for "Portal" or "SSL-VPN"?

    10.10.24.30 is your DUO-Server?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • No, there are other authenticating servers. But, I put the DUO authentication server at the highest. Does the authentication fall down the different authentication servers? The fact that I see the Sophos account authenticating on the DUO dashboard leads me to believe it isn't hitting any other authentication server. 

    Yes, 10.10.24.30 is where the DUO Proxy is installed

  • Maybe the 5 seconds are the LDAP-Auth timeout (because LDAP normally has no multi-sec delay)

    After the first timeout, XG uses the second auth ... until one says OK.

    You should allow only one auth-server, otherwise 2FA is without effect.

    But I think LDAP is not the best for 2FA ... take a look at RADIUS. Here you can configure a timeout greater than 5 sec.

    Compare: https://community.sophos.com/sophos-xg-firewall/f/discussions/124513/adjustable-timeout-for-active-directory-authentication


    Dirk

  • I can get the RADIUS functionality to work fine, but this is not an optimal configuration. This is because the RADIUS authentication does not support the group functionality. Our SSL VPN is provided to users via an AD group. 

    This means, once the user authenticates to the user portal, it will create a new user with no group attached to it (we cannot have the default group for users be the VPN access group). Then we will have to attach the group to their SSL VPN access, and then the user will have to sign out of the portal and sign back in to download the VPN configuration file. This is not ideal. 

  • My problem too.


    Dirk

  • You were correct when it came to the authentication servers. The DUO proxy server can be the only form of authentication that is accessible for the user when signing in. DUO was failing, but then it was going to the next form of authentication that works. 
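To make Dirk's fall-through explanation and the final confirmation concrete, here is an added Python model (not code from the thread, from Sophos or from Duo) of an ordered authentication-server list. Every server name, timeout and login attempt is constructed for the demo, and the fall-through rule (any result other than "allow" moves on to the next server, "until one says OK") is an assumption taken from the description above, not documented XG behaviour. It shows why the Duo push appeared to "succeed" after 5 seconds without approval when other servers were selected, why a Duo-only profile denies that same login, and why a longer RADIUS timeout lets a slow approval through; the audit function is the configuration check a defender would run over a profile's server list.

```python
# Added example, not code from the thread, Sophos or Duo: a model of an ordered
# authentication-server list that falls through on timeout, as described in the
# thread. Server names, timeouts and the login attempts are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AuthServer:
    name: str
    second_factor: bool   # True if this server requires a Duo push/OTP
    timeout_s: float      # how long the firewall waits before moving on

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    password_ok: bool
    push_approved: Optional[bool]   # None = the user never answered the push
    push_answer_delay_s: float      # seconds until the user would answer

def try_server(server: AuthServer, attempt: LoginAttempt) -> str:
    """Outcome of one server: 'allow', 'deny' or 'timeout'."""
    if not attempt.password_ok:
        return "deny"
    if not server.second_factor:
        return "allow"       # password alone satisfies a first-factor-only server
    if attempt.push_answer_delay_s > server.timeout_s:
        return "timeout"     # push still unanswered when the firewall stops waiting
    return "allow" if attempt.push_approved else "deny"

def authenticate(servers: List[AuthServer], attempt: LoginAttempt) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk the list in order. Assumed fall-through model: anything other than
    'allow' moves on to the next server; the first 'allow' wins."""
    trace: List[Tuple[str, str]] = []
    for s in servers:
        result = try_server(s, attempt)
        trace.append((s.name, result))
        if result == "allow":
            return True, trace
    return False, trace

def audit_servers(servers: List[AuthServer]) -> List[str]:
    """Configuration check: a 2FA server listed alongside first-factor-only
    servers can be bypassed by the fall-through, so flag that combination."""
    strong = [s.name for s in servers if s.second_factor]
    weak = [s.name for s in servers if not s.second_factor]
    if strong and weak:
        return [f"2FA on {strong} is bypassable: fallback to {weak} on timeout"]
    return []

# Constructed servers: a 5 s LDAP-style timeout for the Duo proxy (the figure
# Dirk suspected), a 60 s RADIUS-style timeout, and a first-factor-only AD server.
DUO_LDAP = AuthServer("duo-ldap-auth", second_factor=True, timeout_s=5.0)
DUO_RADIUS = AuthServer("duo-radius-auth", second_factor=True, timeout_s=60.0)
AD_SERVER = AuthServer("ad-server", second_factor=False, timeout_s=5.0)

# Constructed logins: correct password in both; one push approved after 12 s
# (later than the LDAP timeout, inside the RADIUS one), one never answered.
SLOW_APPROVAL = LoginAttempt("alice", password_ok=True, push_approved=True, push_answer_delay_s=12.0)
NEVER_ANSWERED = LoginAttempt("alice", password_ok=True, push_approved=None, push_answer_delay_s=float("inf"))

def mixed_profile() -> Tuple[bool, List[Tuple[str, str]]]:
    """Duo LDAP first, AD second: the push times out and AD accepts the password."""
    return authenticate([DUO_LDAP, AD_SERVER], NEVER_ANSWERED)

def duo_only_profile() -> Tuple[bool, List[Tuple[str, str]]]:
    """Duo proxy as the only server: an unanswered push means no login."""
    return authenticate([DUO_LDAP], NEVER_ANSWERED)

def radius_profile() -> Tuple[bool, List[Tuple[str, str]]]:
    """RADIUS with the longer timeout lets a 12 s approval through."""
    return authenticate([DUO_RADIUS], SLOW_APPROVAL)

if __name__ == "__main__":
    for label, fn in [("mixed", mixed_profile), ("duo only", duo_only_profile), ("radius", radius_profile)]:
        ok, trace = fn()
        print(f"{label:9s} -> {'ALLOW' if ok else 'DENY '} {trace}")
    for finding in audit_servers([DUO_LDAP, AD_SERVER]):
        print("audit:", finding)
```

The trace from the mixed profile is the pattern to look for in the Duo admin log and the firewall's authentication log: a timed-out (or bypassed, for an unenrolled account) Duo event immediately followed by a successful login against a different server for the same user. The audit function reduces the fix from the thread to a rule that can be checked against every portal and VPN authentication profile: a 2FA server should not share the selected list with any server that accepts the password alone.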
