
2FA with AD-Groups

Hi,

we have turned on 2FA for all our users for VPN and userportal.

Currently each user has been added individually to "Multi-factor authentication (MFA) settings".

By doing this we were most flexible. So far so good.

Now we want to switch that from individual users to groups.

The groups are synced from AD.

This is all working.

But there is one disadvantage in using groups:

If you need to temporarily disable 2FA for one user for whatever reason, you would remove the user from its AD group.

But because XG only checks group membership when a user logs in, you get the wrong result at the next login: the user must log in with 2FA once so the firewall can update its group membership. That is impossible if the user forgot the OTP generator - and that would be the reason why you want to remove the user from the 2FA AD group.

Same when adding the user back to the 2FA AD group. The user needs to log in without 2FA first, and only the second login after that may contain an OTP.

Is there something we can do to reflect the AD Group changes immediately?



  • Hello,

    Thank you for reaching out to the community. I think you can toggle off the issued token for that user from Authentication > MFA > Issued tokens!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Yes, but if you disable it, the user cannot log in at all.

  • Then I guess for immediate changes we can change the user's group or move it manually to another group which is not a part of the MFA enablement!

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • If the user is in multiple AD groups, you can only remove the user manually from the first group in SFOS.

    When clicking the user and looking at "Other group memberships", it still shows the 2FA group from AD after the user has been removed from that group in AD, even though the group on XG is empty, because it is an "Other group membership".

    If I check this group in XG, it is empty.

    Also I have noticed that SFOS does not recognize if the user is a Firewall Admin and is in the 2FA AD group. So he can actually only log in with 2FA as Admin.

    Anyway, Webadmin gives you a warning that you have admin users without 2FA. It just seems to compare the list of admins with the list of users assigned to MFA. When the user is in a group, SFOS is not able to detect that.
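The last reply describes a check that compares the admin list only with individually assigned MFA users and therefore misses admins whose MFA comes from an AD group. The script below is an added example (not Sophos code and not an SFOS API) of the group-aware version of that audit: it resolves MFA-enabled groups, including nested groups, before subtracting them from the admin list, and goes one step beyond the thread by also handling nested groups and membership cycles. All names, the group layout and the data structures are constructed for illustration.

```python
"""Audit helper: find firewall admins not covered by MFA.

Added example, not Sophos code. The data below is constructed to mirror the
scenario in the thread; in practice it would come from an AD/LDAP export and
the firewall's MFA settings (hypothetical source, not modelled here).
"""
from typing import Dict, Iterable, Optional, Set

# Constructed sample data (hypothetical user and group names).
ADMINS: Set[str] = {"alice", "bob", "carol", "dave"}
MFA_USERS: Set[str] = {"alice"}          # users added individually to MFA settings
MFA_GROUPS: Set[str] = {"2FA-Users"}     # AD-synced groups selected in MFA settings
GROUP_MEMBERS: Dict[str, Set[str]] = {   # group -> members (users or nested groups)
    "2FA-Users": {"bob", "FW-Admins"},
    "FW-Admins": {"carol"},
    "Helpdesk": {"dave"},
}


def expand_group(group: str, members: Dict[str, Set[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every user reachable from `group`, following nested groups.

    `seen` guards against cyclic group nesting, which AD permits.
    """
    seen = seen if seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in members.get(group, set()):
        if member in members:            # member is itself a group: recurse
            users |= expand_group(member, members, seen)
        else:
            users.add(member)
    return users


def mfa_covered_users(mfa_users: Iterable[str], mfa_groups: Iterable[str],
                      members: Dict[str, Set[str]]) -> Set[str]:
    """Users with MFA enforced, via direct assignment or any MFA-enabled group."""
    covered = set(mfa_users)
    for group in mfa_groups:
        covered |= expand_group(group, members)
    return covered


def admins_without_mfa(admins: Iterable[str], mfa_users: Iterable[str],
                       mfa_groups: Iterable[str],
                       members: Dict[str, Set[str]]) -> Set[str]:
    """Group-aware audit: admins that no MFA setting (user or group) covers."""
    return set(admins) - mfa_covered_users(mfa_users, mfa_groups, members)


def naive_admins_without_mfa(admins: Iterable[str],
                             mfa_users: Iterable[str]) -> Set[str]:
    """The behaviour the thread describes: only individually assigned users count."""
    return set(admins) - set(mfa_users)


if __name__ == "__main__":
    print("naive check   :", sorted(naive_admins_without_mfa(ADMINS, MFA_USERS)))
    print("group-aware   :", sorted(admins_without_mfa(
        ADMINS, MFA_USERS, MFA_GROUPS, GROUP_MEMBERS)))
```

With the constructed data, the naive check flags bob, carol and dave, while the group-aware check flags only dave, whose group (Helpdesk) is not selected in the MFA settings. Running such an audit against an export of your own AD groups and MFA settings gives the warning the poster expected Webadmin to produce.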