Authentication and AD group issues in XG-210 Firewall

Friends,

I have an XG-210 UTM appliance and we now have two issues.

1. AD groups are not automatically updating in the firewall. I have imported the AD groups to the firewall and the groups sync well also. We are noticing that the users' group memberships are automatically changing without our updating them in AD or in the firewall. Restarting the authentication service in the firewall is also causing one of our marking users to get removed from his Sophos group.

2. We noticed some of the users are removed automatically from their groups in the firewall (no change in AD groups). In our scenario we are restricting the user logins to single machines at the AD level. We tried authenticating through the captive portal, but it is only working for those users who have login permitted on all workstations (the login-restricted users are getting the message "Login failed: you are not permitted by AD server to login this workstation"). This is the same for both new and old users in the domain.

Could anyone please suggest a solution, as we are in a GO-Live plan of migrating our old firewall to Sophos.



[edited by: Erick Jan at 12:40 AM (GMT -7) on 16 Sep 2022]
  • Vineeth,

    can you check the access_server.log and the csc.log inside the /var/tslog from XG command line (option 5 > 3)?

    The other option is to open a ticket with Support.

    Thanks

  • We have created a new ticket with Sophos support, but we are not getting any timely response from the support team.

    As we tested, the sync from AD is working, but Sophos updates these syncs in a different way; we don't know why this is happening. We have tried changing the group reorder and changing the default group, but found no use.

  • Not sure if this helps, but we got this working by creating new groups for the filter actions we wanted. The key was to make sure members were only in one of these groups at a time (hence why we created specific filter groups). So for example, we had three classifications: Executives, Management, Everyone Else.

    Executive and Management got placed into respective new AD groups while everyone else we let fall into the DefaultGroup.

    These groups were then synced to the firewall and order adjusted. That has been working without issue for a while. stas/satc, well that's a whole other story!
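The reply above hinges on each user being in exactly one firewall filter group, so that the group order on the firewall never has to break a tie. As an added example (not from the thread or from Sophos), this PowerShell check, run on a domain-joined admin host with the ActiveDirectory module, lists users who belong to more than one of the filter groups; the group names are assumed placeholders.

```powershell
# Added example: report AD users that are members of more than one
# firewall filter group. Group names below are assumptions, not the
# poster's real group names.
Import-Module ActiveDirectory

$FilterGroups = @('FW-Executives', 'FW-Management')   # assumed names

# Map each user (by sAMAccountName) to the filter groups containing it
$Membership = @{}
foreach ($Group in $FilterGroups) {
    # -Recursive expands nested groups, which is the membership a
    # group-based policy actually sees
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $Name = $_.SamAccountName
            if (-not $Membership.ContainsKey($Name)) {
                $Membership[$Name] = [System.Collections.Generic.List[string]]::new()
            }
            $Membership[$Name].Add($Group)
        }
}

# Users present in two or more filter groups are ambiguous: which policy
# they get depends on the firewall's group order, not on AD alone
$Overlaps = $Membership.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            User   = $_.Key
            Groups = ($_.Value -join ', ')
        }
    }

if ($Overlaps) {
    Write-Warning 'Users in more than one filter group (resolve before syncing to the firewall):'
    $Overlaps | Format-Table -AutoSize
} else {
    Write-Output 'No overlapping filter-group membership found.'
}
```

Users not listed in any filter group are expected to fall into the firewall's DefaultGroup, as the reply describes, so they are not reported here.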
