
Client Authentication Agent causes user's group to reset to "Open Group" on login.

I have a number of users divided into different groups with different access and time limitations.  I've found that whenever a user logs in using CAA on Windows, their group changes back to the "Open Group".

All the users in question are authenticated via LDAP and the Open group is the default group.  However, that seems like it should only apply to their first login.  After their account is created in XG, the assigned group should stay and not be reset during an authentication action.



This thread was automatically locked due to age.
  • Hi Troy,

    Thanks for the update. Please give us some time to provide you with an update.

    Thanks

  • Thanks.  Although I haven't verified, I'm guessing any type of authentication method will cause this, because my suspicion is that it is happening as a result of the LDAP lookup on the backend, which is causing the group to be reset back to what is listed in the LDAP configuration screen. 

  • Hi Troy,

    When you configure the LDAP server on XG with a successful test connection, you would need to import the groups first, as indicated on the left of your LDAP server list. Refer to the article https://community.sophos.com/kb/en-us/123158 for your reference.

    After the groups are imported, the Open Group would be at the topmost position. We would need you to reorder the groups and assign the Open Group to the bottom of the imported groups.

    This should resolve your issue.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.

  • Thanks.  Following the KB article, I didn't get the import option with my LDAP server.   However, after doing some thinking of what the KB article was talking about, I did come across the answer.

    It turns out the default lookup field for the group is "gid", but my user records on the server didn't have that attribute (nor did the schema for my users include it).  Instead I re-purposed another field that wasn't being used (employeeType).  Once I changed the LDAP entry in XG to use that for the group, and put the name of the group I wanted into that attribute in the user record, the next time the user authenticated by any method, their group changed as expected.
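
An added example, not part of the thread and not Sophos code: a pre-change audit of a directory export that lists which users have no value in the attribute the firewall is configured to read for the group name, and which carry a value that names no group defined on the firewall. `employeeType` and `gid` are the attribute names from the post above; the LDIF sample, the function names and the firewall group list are constructed for illustration, and the assumption (taken from the post) is that a user without a usable value stays in the default group.

```python
import base64
# Constructed LDIF export for illustration; not data from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
employeeType: Managers

dn: uid=bob,ou=people,dc=example,dc=org
description: a long value that is
 folded onto a second line

dn: uid=carol,ou=people,dc=example,dc=org
employeeType:: SFI=

dn: uid=dave,ou=people,dc=example,dc=org
employeeType: Contractors
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation lines (RFC 2849)
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def audit_group_attribute(entries, group_attr, firewall_groups):
    """Split users into those with no group value and those naming an unknown group."""
    known = {g.lower() for g in firewall_groups}
    missing, unknown = [], []
    for entry in entries:
        values = [v for v in entry.get(group_attr.lower(), []) if v]
        if not values:
            missing.append(entry["dn"][0])
        elif not any(v.lower() in known for v in values):
            unknown.append(entry["dn"][0])
    return missing, unknown
```

Running `audit_group_attribute(parse_ldif(SAMPLE_LDIF), "gid", ...)` against the sample reports every user as missing, which is the situation the post describes before the attribute was changed.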

  • Hi Aditya,

    Even after reordering the groups as suggested in your post, users are getting reset to (in my case the default user group) --Domain Users. In AD I have created a separate group/OU for Managers and a separate group for Users. I suspect that CCA is causing the reset of managers to domain users.

    I have imported the groups successfully on XG, referring to https://community.sophos.com/kb/en-us/123158. Please suggest a permanent solution to stop users under the managers' group from automatically escaping into the --Domain Users group (which is the default under Auth Services in XG).

    Thanks,

    Kumar

  • I am also facing the same issue on the Sophos XG 210 firewall. I have replaced the Cyberoam 50ING firewall and installed the Sophos XG 210 in HA (Active/Active) mode.

    I am using LDAP authentication in Cyberoam also. It's working fine. But on the Sophos XG 210 model I am facing an issue.

    I have set the default group to "Silver". When LDAP users log in to the Sophos firewall via the captive portal for the first time, I then change the group according to the user's department, e.g. HR, Account. But when the user logs out from the captive portal and logs in again, they fall back into the "Silver" group, which is wrong.

    This feature works properly in the Cyberoam 50ING. So I think Sophos needs to look at this feature, and if it's not available then Sophos needs to plan to implement it.

    New Users are very disappointed due to this.