Hi all,
I just set up a virtual XG appliance and pretty much everything is working fine, except for one issue.
I needed to use Duo proxy as 2FA solution, which is (temporarily) running on the Domain Controller on the LAN (configured as AD client + RADIUS server). Also, I wanted Duo 2FA not to be required for some other logins (user portal, captive portal), so I set up an AD server in Sophos as primary authentication method. I prevented duplicate user creation in Sophos by setting the "Domain name" in the RADIUS server configuration to the AD domain. By doing so, both methods use the userPrincipalName. Users permitted to use the SSLVPN have an according AD group membership.
The flow with the issue is as follows:
-
User logs in for first time at user portal with AD credentials, user is created in Sophos with the correct group (VPN group if it was set so in AD, default group otherwise).
-
The user then downloads his VPN profile and logs in using the Sophos Connect client (needs to confirm Duo push notification)
-
The login fails even with correct credentials and confirming the 2FA push, because in the background, the users' group in Sophos was set to the default group (which has no SSLVPN access) after the RADIUS server auth was used.
Apparently, the RADIUS auth always overwrites the previously correctly set group in Sophos with the default group. The previous group gets set as secondary group. SSLVPN no longer works because Sophos uses the primary group settings.
Also, I can't change back the primary group manually after that. And even if I could, it would be replaced by RADIUS again before a successful VPN connection could be made.
I can use the current setup without any issues by setting the default group to the VPN group. But of course, I like things to work properly. This is not optimal. It's basic access control and works fine with any other firewall I tried. I will most likely switch out Sophos XG if I can't find a practicable solution to this.
Any tips are welcome. I have no further ideas to get this working with Sophos XG and the requirements mentioned above. Also, I could not find any existing discussion with this exact issue. Thanks!
This thread was automatically locked due to age.
