
multi-factor authentication

Hello, how do I implement multi-factor authentication for the XG firewall? At least a smart-card or certificate-based logon?

I find that access to the administrative interface of the appliance with only a username and password is not a correct security policy.

This is also true for users accessing the portal from the public Internet. 



  • Hi,

    If you are trying to implement two-factor authentication where a user should go through two levels of authentication, then I suggest you implement a Radius server which supports two-factor and configure it in XG.

    Thanks

  • Does it work with certificate or smartcard auth?

  • Hi,


    You need a 3rd-party solution that will handle the 2FA for you; most of these solutions rely on Radius, as Sachin already mentioned.

    On Cyberoam I used Swivel Secure to handle the 2FA. Haven't worked with Swivel on SF_OS / XG, but I suppose it will work.

    Cheers

    Danny Oosterveer

    Cyberoam CCT | Sophos XG Architect

  • Hi,

    I am trying to configure multi-factor authentication for VPN connections with the MFA server from Microsoft Azure.
    https://azure.microsoft.com/fr-fr/documentation/articles/multi-factor-authentication-advanced-vpn-configurations/

    So I defined this server as a Radius server on the Sophos XG, but when I test the connection it fails after a few seconds, while I am receiving the phone call to confirm authentication. I think giving the process more time would be enough for it to succeed. (If I specify a wrong login or password it's immediately refused, which makes me think it works except that there is not enough time for the whole process.)

    Do you know if it is possible to increase the timeout of the response of the radius server? Do you have other ways to make this work?

    Thank you

    Yves

  • Hi Yves,

    I'm not sure if this is a setting on the Radius server. It should be somewhere in the IAS policy on the MS side.

  • Hi Danny,

     

    I missed your answer, sorry.

    With exactly the same configuration on the MS side, but just replacing the Sophos with a Watchguard, it works fine...

     

    Regards,

  • I know this thread is a bit old, but I am trying to set up MFA using the XG and MS Azure MFA. The setup works, except the XG appears to be hard-coded to time out the Radius auth after about 6 or 7 seconds. Because of this, almost all authentications time out during the time it takes the Radius server to do the phone call/app auth process.

    There needs to be a timeout setting on the XG, such as 15 or 20 seconds, to allow sufficient time for the Radius server to verify the end user via cell phone. The hard-coded 5 to 7 seconds is only good for a straight single-factor Radius authentication.

    Therefore, unless you can complete your 2nd-factor auth in under 5 to 7 seconds, which is nearly impossible, you cannot successfully set up MFA on the XG.

     

    THIS NEEDS TO BE ADDRESSED!!!!

  • Sorry for bringing back an old thread again, but it does not necessarily appear to be a timeout. One issue I am seeing is that multiple authentication attempts are being performed on the WAF and they begin to fail when they stack up. I believe the Radius timeout may be hard-coded at 30 seconds, according to what I have heard and read elsewhere on the forum.
