SSL VPN with and without radius/mfa

Hello Louis D ,

Thank you for reaching out to the community, You can use an option "Specific users and groups" under MFA and add the admins users for MFA:

Refer the RR - Profile Management for Device Access in Sophos Firewall

And another RR - How to configure Multi-factor authentication and understanding the OTP timestep settings

And enable the options for the following required services i.e. userportal, web-admin login, SSL remote access VPN & IPsec remote access VPN

And for SSL VPN authentication ,ensure the server authentication is selected:
settings can be found under Authentications > Services > SSL VPN Authentication 

The MFA is not managed by sophos firewall, but by  MS radius server with NPS (Azure AD extension), i will modify my first post.

Hey Louis D  the following RR can help -  Sophos Firewall: Using Azure MFA for SSL VPN and User portal

Hey Louis D  the following RR can help -  Sophos Firewall: Using Azure MFA for SSL VPN and User portal

hello, i already used this tutorial to configure mfa with ms radius/Azure AD and SSL sophos vpn.

let me show you.

For the vpn firewall rules, i have 2 AD groups (radius with mfa and AD without mfa). My account is in the MFA group and not in AD Group.

When i log in the vpn client, sophos firewall tries to validate 1st in local, then radius, get no answer (timeout) from the radius because i don't validate the mfa then tries AD servers, and validate the authentication.

i need both Radius and AD Authentication servers, admins with mfa and users without.

the situation is little bit different from the tutorial.

thanks.