XG - Prevent RADIUS auth from overwriting existing user with default group

Hi all,

I just set up a virtual XG appliance and pretty much everything is working fine, except for one issue.

I needed to use Duo proxy as 2FA solution, which is (temporarily) running on the Domain Controller on the LAN (configured as AD client + RADIUS server). Also, I wanted Duo 2FA not to be required for some other logins (user portal, captive portal), so I set up an AD server in Sophos as primary authentication method. I prevented duplicate user creation in Sophos by setting the "Domain name" in the RADIUS server configuration to the AD domain. By doing so, both methods use the userPrincipalName. Users permitted to use the SSLVPN have an according AD group membership.

The flow with the issue is as follows:

  1. User logs in for first time at user portal with AD credentials, user is created in Sophos with the correct group (VPN group if it was set so in AD, default group otherwise).

  2. The user then downloads his VPN profile and logs in using the Sophos Connect client (needs to confirm Duo push notification)

  3. The login fails even with correct credentials and confirming the 2FA push, because in the background, the user's group in Sophos was set to the default group (which has no SSLVPN access) after the RADIUS server auth was used.

Apparently, the RADIUS auth always overwrites the previously correctly set group in Sophos with the default group. The previous group gets set as secondary group. SSLVPN no longer works because Sophos uses the primary group settings.

Also, I can't change back the primary group manually after that. And even if I could, it would be replaced by RADIUS again before a successful VPN connection could be made.

I can use the current setup without any issues by setting the default group to the VPN group. But of course, I like things to work properly. This is not optimal. It's basic access control and works fine with any other firewall I tried. I will most likely switch out Sophos XG if I can't find a practicable solution to this.

Any tips are welcome. I have no further ideas to get this working with Sophos XG and the requirements mentioned above. Also, I could not find any existing discussion with this exact issue. Thanks!



  • SSLVPN should use all groups. Did you configure the Domain in RADIUS?


  • Yes, the domain is configured for the RADIUS server and I assume it is working, since no duplicate users are created. I am not sure, however, what you mean by "SSLVPN should use all groups".

  • Please make sure the user has a similar group on RADIUS as well.

  • Does your RADIUS server offer any kind of groups?
    SFOS will overwrite all information with the latest authentication request. If this request is a RADIUS request, it will overwrite it with the information coming from RADIUS. You can see the groups and the backend groups within SFOS:

    it is "other group memberships".
    Also check that, under Services, you have RADIUS selected for SSLVPN.


  • Okay thanks, that confirms the behavior I have described in the OP. I mistakenly wrote "secondary" / "primary" group though.

    Duo offers some kind of group feature. Just not sure if this will actually send the group as a RADIUS attribute (or however this is actually called). I will check now and report back, thanks for the hint.

    (I have seen another discussion on this forum with a similar issue, but with Okta as 2FA provider instead of Duo - seems they could fix it with group assignments in Okta)


  • Okay, little update:

    It seems possible to achieve this configuration by using Duo Proxy in RADIUS client + RADIUS server mode. Only this way, RADIUS attributes can be passed to clients.

    So now I'm just having issues setting up the NPS RADIUS server, but I guess it will work once that's done.
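The open question in this thread is whether the RADIUS reply that reaches the firewall actually carries a group attribute at all, and whether that reply is genuine. The script below is an added example (not code from the original thread, Sophos or Duo): it builds a constructed Access-Accept as an NPS/Duo proxy might send it, parses the attribute list (including vendor-specific attributes), pulls out the attributes commonly used to carry a group name, and checks the Response Authenticator against the Request Authenticator and shared secret per RFC 2865. It assumes Filter-Id is the attribute carrying the group (the thread does not say which attribute SFOS reads), and the user name, group name and shared secret are placeholders.

```python
"""Parse and verify a RADIUS Access-Accept to confirm that the RADIUS
server returns a group attribute for the user. Added example with
constructed sample data; the attribute names, secret and user are
placeholders, not values from the thread."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 11: "Filter-Id", 18: "Reply-Message",
              25: "Class", 26: "Vendor-Specific"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (RFC 2865 s.3)


def encode_attrs(attrs):
    """attrs: list of (type, bytes). Returns the raw TLV attribute section."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response whose authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    resp_auth = hashlib.md5(prefix + request_auth + body + secret).digest()
    return prefix + resp_auth + body


def parse_packet(raw):
    """Return header fields and a list of (name, value) attributes.
    Vendor-Specific attributes are unwrapped into (vendor, type, value)."""
    if len(raw) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("length field inconsistent with packet")
    attrs = []
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = raw[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 26 and len(value) >= 6:          # Vendor-Id(4) + vendor type(1) + vendor len(1)
            vendor = struct.unpack("!I", value[:4])[0]
            name = f"VSA(vendor={vendor}, type={value[4]})"
            value = value[6:6 + max(value[5] - 2, 0)]
        attrs.append((name, value))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "authenticator": auth, "attrs": attrs}


def verify_response(raw, request_auth, secret):
    """True only if the Response Authenticator matches: a reply that was
    forged with the wrong secret, or altered in transit, fails this check."""
    code, ident, length, auth = HEADER.unpack_from(raw)
    prefix = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(prefix + request_auth + raw[HEADER.size:length] + secret).digest()
    return hmac.compare_digest(expected, auth)


def group_hints(packet):
    """Values of the attributes most often used to carry a group name (assumption)."""
    return [v.decode("utf-8", "replace") for n, v in packet["attrs"] if n in ("Filter-Id", "Class")]


# Constructed sample: a reply from the RADIUS server (placeholders throughout)
SECRET = b"sharedsecret"            # placeholder shared secret
REQUEST_AUTH = bytes(range(16))      # Request Authenticator from our Access-Request
SAMPLE_ACCEPT = build_response(2, 7, REQUEST_AUTH, [
    (1, b"alice@corp.example"),      # User-Name as a UPN, as in the thread
    (11, b"SSLVPN-Users"),           # Filter-Id carrying the group name (assumed)
    (18, b"Welcome"),                # Reply-Message
], SECRET)

if __name__ == "__main__":
    pkt = parse_packet(SAMPLE_ACCEPT)
    print(pkt["code"], "id", pkt["id"], "valid:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    for name, value in pkt["attrs"]:
        print(f"  {name}: {value!r}")
    print("group hints:", group_hints(pkt))
```

In practice you would feed `parse_packet` the payload of a captured UDP/1812 reply together with the Request Authenticator of the matching request; an empty `group_hints` result means the proxy is not passing a group through, which is exactly the situation the thread ends up diagnosing. Fixing the RADIUS server does not change the firewall-side behaviour described above, where the latest authentication source overwrites the stored group, so the group must arrive on every RADIUS reply.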