Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 10 replies
  • Subscribers 26 subscribers
  • Views 10151 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Forms Authentication Policy Not Working with WAF for people in multiple groups? Bug?

AllanD

I was having trouble getting a Authentication Policy to work with the form based login.  I published a web server using Web Server Protection (WAF), pretty basic.  Redirect HTTP to HTTPS and selected my SSL cert and domain name.  I selected the web server, which is also HTTPS.  For Protection and Intrusion Prevention, during testing, I left both blank.

I tested access and as expected I can connect to the internal server just fine without any authentication.  But this server needs to have a login from the outside world.  So under Web Server -> Authentication Policies I make a basic policy called "Forms without passthrough" to simply give the users a login box without forwarding even basic authentication.  In essence using the Sophos as a gate keeper for this site:

 

 

I assign the policy to the Web Server Protection rule for the server.  I try to access it again and I get the standard Sophos login page.  I login and it refreshes back to the login page.  Try again and same thing.  So I try a test user and that test user worked fine.

 

I then tried to hunt down the difference and the only one is my ID is part of a VPN group and the Open group while the test user is just part of the Open Group.  So I tested with another user in the VPN group - it failed login again.  I tested another user that's only in the open group - it worked.

 

So I went back into the authentication policy and added the VPN group along side the Open group.  Sure enough now it works.

 

Is this a bug in the XG firmware?  Shouldn't it check the group I specifically assigned to the policy, which all users are part of?  It seems it's not doing this and I would think this is a major flaw.  Maybe its checking group membership and stops at the first it finds then compares that group to the allowed ones and is failing without cycling through all groups the user is a member of?  How do we get a engineer to look at this? 

 

-Allan



This thread was automatically locked due to age.
  • 0

    After some searching I'm finding people saying you need to enter the groups in a certain order in AD to make the XG happy.  That's not a solution nor does it always work.  So I put in a support ticket.  Support verified my setup was correct and that it isn't working and now I have to schedule a time for them to see it happen live.  But here is a example:

     

    Group 1 - All users (open group....anyone authenticated)

    Group 2 - User 1, User 2, User 3, and User 4

    Group 3 - User 3 and User 5

     

    If I protect a site using FBA and assign Group 1, the open group, it works fine for any user that's NOT in the other two groups.  Supports initial solution was to just add group 2 and 3 to the FBA.  Fine, that is a workaround that technically "works" but then it doesn't work if you have a site that you want to protect and give only say Group 2 access to.  If User 3 tries to login they get denied even though they are in Group 2 because they are ALSO in group 3.  But I can't add Group 3 because User 5 shouldn't have access.

     

    Awaiting support to view whats happening....

     

    -Allan

  • 0 in reply to AllanD

    Hi Allan,

    Can you please post reverseproxy.log and the case# to look into the case further. 

    Thanks

  • 0 in reply to sachingurung

    Case #7108287.    How would I get the reverseproxy.log out of the XG?  I saw this: https://community.sophos.com/kb/hu-hu/124763 but when I try the command it says "tail: can"t open '/var/log/reverseproxy.log' : No such file or directory".

     

  • 0 in reply to AllanD

    Support sent me a email and told me I needed to do a CD /var/log first but that ended with a directory not found.  I'm getting progressively more worried that support doesn't know where log files are on the XG v16 nor does the knowledge base article.

     

    After hunting around for a while I did a "cd .." then ls and saw there was a log folder.  cd /log then ls showed there was a reverseproxy.log and a reverseproxy.log.0.   I repeated logging in using my phone (external to the network) and doing a tail reverseproxy.log watching for the website in question which took multiple tries as we are using Microsoft Active Sync which is filling the log quickly.  Long story short here is the spinet in question.  My site name has been changed to my.website.com, my external IP to 23.23.23.23 but everything else is directly from the log.  My authentication policy is called "Forms Without Passthrough" as I don't need to pass anything, simply validate login.  The user trying to login is in the "VPN Group" and the "Open Group" but the authentication policy only has the "Open Group" which should work but doesn't.  If I add the VPN group it works but thats not how it should work:

     

    [Tue Mar 21 11:54:22.484675 2017] timestamp="1490111662" srcip="174.23.43.232" localip="23.23.23.23" user="-" host="174.23.43.232" method="GET" statuscode="304" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipF
    ormHardeningMissingToken" duration="15323" url="/_pdluanwmewhziwh_form" server="my.website.com" referer="my.website.com/_pdluanwmewhziwh_form" cookie="_ga=GA1.2.892419336.1488557677" set-cookie="pdluanwmewhziwh_cookie=92e7u
    5CqvbFafOkXKo5DPbllwXVqgl8Ikfvl/MoT6PZvQm3WjG+JGkrQDDtNeD0KP3QLzpq/Dfaxz9pQ/+4fHxn72jiyuMSW1F4VlI9IRr0lQR2pOhBLZycg/gyh3ozW2uVpawwInMoIS94ShnfvBBL7FevKLKAUGDOvxFKLDirRxDcc4aKdgA==;path=/;httponly;secure" recvbytes="772" sentbytes="463" p
    rotocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Android 6.0.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0" querystring="" ruleid="25"
    [Tue Mar 21 11:54:22.604135 2017] timestamp="1490111662" srcip="174.23.43.232" localip="23.23.23.23" user="-" host="174.23.43.232" method="GET" statuscode="304" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipF
    ormHardeningMissingToken" duration="15350" url="/Forms Without Passthrough_pdluanwmewhziwh/default_stylesheet.css" server="my.website.com" referer="my.website.com/_pdluanwmewhziwh_form" cookie="_ga=GA1.2.892419336.148855767
    7" set-cookie="pdluanwmewhziwh_cookie=+mtVslIZ0qVeFaKEoMhGKpD/oVSE09/kYB86tR7tDK7/by6vSGN6BD7fqjBnj4/mPPbqiqCHyEtTQ8s2NFxixzW5nwP9QdBUzBJ+Hx8LaUXMhxePsA8mMhwukCYuIIHGHb4hMGn8nY9Df6/0YYVwDSv7FjoJ5ka5FE9LGFYk9Ygt0ZOn9etW9Q==;path=/;httponl
    y;secure" recvbytes="744" sentbytes="463" protocol="HTTP/1.1" ctype="text/css" uagent="Mozilla/5.0 (Android 6.0.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0" querystring="" ruleid="25"
    [Tue Mar 21 11:54:22.684289 2017] timestamp="1490111662" srcip="174.23.43.232" localip="23.23.23.23" user="-" host="174.23.43.232" method="GET" statuscode="304" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipF
    ormHardeningMissingToken" duration="14962" url="/Forms Without Passthrough_pdluanwmewhziwh/company_logo.png" server="my.website.com" referer="my.website.com/_pdluanwmewhziwh_form" cookie="_ga=GA1.2.892419336.1488557677" set
    -cookie="pdluanwmewhziwh_cookie=aWmns0Sf1Y89w4jtDbBHTI2B8J0FTOW6erT5WPKIegiCAaOLDJ7bM/uAh97VbTy5rofpfV8JKsflCnrfwhkA+ByW6JJGauMtanjKfmLzyAlaF7bmZR84T9xVLFLhUl5AyON2m3L+nVz67pert2RljsgAbGw6gGS7r+lKXFnXb1Z8H0WyZwWhKQ==;path=/;httponly;secu
    re" recvbytes="723" sentbytes="463" protocol="HTTP/1.1" ctype="image/png" uagent="Mozilla/5.0 (Android 6.0.1; Mobile; rv:52.0) Gecko/52.0 Firefox/52.0" querystring="" ruleid="25"
    [Tue Mar 21 11:54:23.068463 2017] timestamp="1490111663" srcip="174.23.43.232" localip="23.23.23.23" user="-" host="174.23.43.232" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" duration="201" url="/favicon.ico" serve
    r="my.website.com" referer="-" cookie="-" set-cookie="pdluanwmewhziwh_cookie=;Max-Age=0;path=/;httponly;secure" recvbytes="786" sentbytes="728" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Android 6.0.1; Mobile; rv:52.0.
    1) Gecko/52.0.1 Firefox/52.0.1" querystring="" ruleid="-"

     

     I have tried disabling all Protection and Intrusion Protection on the firewall rule and that makes no change.  I can try disabling my other incoming WAF rules and trying again for more log entries but it will have to be after hours as it will kill Exchange services.

     

    And again the login prompt simply refreshes whether the login is valid or not (no error on bad login, no success on good login).  If I add the VPN group to the rule login works correctly but my user is already in the Open group.

     

    -Allan

  • 0 in reply to AllanD

    Called tech support to look things over.  Pretty much got a "working as intended" from them which is NOT how groups should work.  They said the Open Group, even though I have it set to include everyone authenticated, will only contain those authenticated that are not in AD groups that are pulled in.

     

    So my VPN group, which I have 40 people in, overrides the Open Group.  In other words in a company of 200 if 40 are in the VPN group then the Open Group by default contains the other 160.  So in this case I would need to add both groups to the authentication policy. 

     

    I asked what about a scenario where there are multiple users in different group and they said I would have to reorder the AD groups to make sure users fall in a correct order of accessing different things.  However there are some situations where this simply won't work if you are protecting access to multiple different sites with multiple different groups and different users in each.

     

    Long story short groups should, well, work like groups have since they started being used for authentication decades ago.  Not sure why Sophos doesn't work in what I think is a industry standard way.  A user should be able to be validated in multiple groups and we shouldn't have to order things in a exact way to make it work since they only see the user in the first group it hits.  This I consider a very annoying bug.

     

    -Allan

  • 0 in reply to AllanD

    Hi Allan,

    Sorry for the delay, can you confirm me what version resides on the XG? 

    I would like to check in the access_server and reverseproxy log files for the test users.

    I also followed up with the Support Engineer, please provide him the required details and I will monitor the case along with him.

    Thanks

  • 0 in reply to sachingurung

    After the support call this morning the case was "closed" because they said the XG is working as intended, which again makes no sense based on the above.  The XG is latest version, 16.05 MR2.

     

    -Allan

  • 0 in reply to AllanD

    Allan,

    thanks for sharing your experience. The Authentication + Groups is working as you explained and it should be improved/changed during v17 MR. See what AlanT replied to this thread:

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/86384/xg-v17-what-s-coming-next

    I agree with you that this is mandatory on a product that claims to be Enterprise.

    The actual authentication scheme can work on small installation but not on big one.

    Regards

  • 0 in reply to AllanD

    Hi Allan,

    The case is closed after a detailed explanation about the configurations. Users fall into the Default "OpenGroup" when the User does have any group association either on the local database or fetched from the AD. 

    Your configuration for Form authentication looked like: Web Server > Authentication > Users & Group > OpenGroup. 

    A user which falls into a particular group has no association with the OpenGroup as a particular group is explicitly defined for his User definition. Hence, the VPN group users won't be allowed through the XG Web Server until the VPN group is added.

    Groups will be fetched from AD in Top-Down approach. Any user residing inside the group on TOP, will be fetched and synced with that particular group association. Hence, if the User belongs to multiple groups in AD, XG will sync the user inside the Group which is on TOP because of the AD architecture. AD will pass the User information to XG in a TOP-DOWN approach.

    The case was closed after a confirmation and an Email was shooted with the provided information. If you feel the case needs to be Open, please revert back and your queries will be addressed.

    Thanks

  • +1 in reply to sachingurung

    Case does not need to be re-opened, it's closed because this is how the XG currently works.  But this is not an ideal way of this working and will not work for large "enterprise" deployments with multiple users in different multiple groups with access to different resources.  Like said this is fine for a small installation but not for something designed to be a enterprise solution.

     

    So my question is answered because this is how the product currently works, not because my problem is fixed.  Hopefully with v17.....

     

    -Allan