Users only able to login to portal if ID/member is manually added

I have set up AD authentication on Sophos XG. Tested the connection and it is successful. However, users can only log in if I add them into Identity/Policy Members.

Shouldn't they be able to authenticate using AD credentials?

  • Hi,

    I think you need to set up AD SSO for your requirement: https://community.sophos.com/kb/en-us/123159

    Kindly let us know how it goes.

    Regards,

  • Hi Tal,

    Could you check if you have added the authentication server on your XG and also set the Method to AD server instead of local? You may use both; however, the priority is set from top to bottom position.

  • Hello,

    I can weigh in with my experience.

    1. Adding an Authentication Server (Configure -> Authentication -> Servers) is the first step. This allows the Sophos to "see" into Active Directory, but it does not have a means to see users successfully logging into AD (say, from a workstation).

    2. You need to decide how they will authenticate with a single sign-on method. There are two:

    • The first is, as the previous poster indicated, using the SSO Client. This is an app that you install on every workstation / laptop / node you would like to authenticate using Active Directory. Once it's installed, it runs in the Task Tray. In order to access web resources, users must type in their AD credentials one time (there is a check box to save the credentials going forward). I actually have limited experience with this (I used the method below), but it creates a real-time connection between the workstation and the Sophos unit. It seems to me more reliable than the method below.
    • The second SSO method you can use is called STAS. It is a Sophos application (agent) that is installed on an Active Directory controller (or multiple) that, when configured, will relay security Event Log information from the AD controller to the Sophos device, and basically channel that info between the XG device and AD. While I use it, I find it unreliable and plan to start using the SSO client. Here is a link with instructions for setting up SSO using STAS: https://community.sophos.com/kb/en-us/123156

    I hope this helps. I'm in no way an expert, but I have installed at least 15 devices with some level of AD integration, which is great, especially when then adding, say, SSL-VPN access. Users can then simply use their AD credentials (and when passwords update via AD, it is transparent via VPN access).

    Many thanks,

    Chris
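Added example, not Sophos code and not the STAS agent itself: it shows, in Python over constructed Security-log records, the kind of logon correlation an event-log-based agent like STAS depends on (successful-logon events turned into an IP-to-user map a firewall can consult) and the cases that make such a map go stale or wrong: a logoff must clear the entry, computer accounts must be ignored, and entries need an inactivity timeout. Event IDs 4624 (logon) and 4634 (logoff) are real Windows IDs; the users, addresses and logon IDs are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample Security-log records, reduced to the fields that matter.
# 4624 = successful logon, 4634 = logoff; names, IPs and logon IDs are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:00", "id": 4624, "user": "alice", "domain": "CORP", "ip": "10.0.1.20", "logon_id": "0x1a"},
    {"ts": "2024-01-10T08:00:05", "id": 4624, "user": "WS01$", "domain": "CORP", "ip": "10.0.1.5", "logon_id": "0x1b"},
    {"ts": "2024-01-10T08:01:00", "id": 4624, "user": "bob", "domain": "CORP", "ip": "10.0.1.21", "logon_id": "0x1c"},
    {"ts": "2024-01-10T08:10:00", "id": 4634, "user": "bob", "domain": "CORP", "logon_id": "0x1c"},
    {"ts": "2024-01-10T08:15:00", "id": 4624, "user": "carol", "domain": "CORP", "ip": "10.0.1.20", "logon_id": "0x1d"},
]

@dataclass
class Identity:
    user: str
    logon_id: str
    seen: datetime

class IdentityMap:
    """Source IP -> last user logged on from it, with logoff handling and an inactivity timeout."""
    def __init__(self, timeout: timedelta = timedelta(minutes=30)):
        self.timeout = timeout
        self.by_ip: Dict[str, Identity] = {}

    def ingest(self, ev: dict) -> None:
        if ev["user"].endswith("$"):      # computer accounts are not interactive users
            return
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4624:
            # a newer logon from the same address supersedes the earlier user
            self.by_ip[ev["ip"]] = Identity(f'{ev["domain"]}\\{ev["user"]}', ev["logon_id"], ts)
        elif ev["id"] == 4634:
            # 4634 carries no network address, so the session is matched by Logon ID
            for ip, ident in list(self.by_ip.items()):
                if ident.logon_id == ev["logon_id"]:
                    del self.by_ip[ip]

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        ident = self.by_ip.get(ip)
        if ident is None or now - ident.seen > self.timeout:
            return None   # unknown or stale: treat as unauthenticated, not as the last user
        return ident.user

def who_is_at(ip: str, now_iso: str, events=SAMPLE_EVENTS) -> Optional[str]:
    """Replay the events in time order and answer which user the firewall should attribute to ip."""
    m = IdentityMap()
    for ev in sorted(events, key=lambda e: e["ts"]):
        m.ingest(ev)
    return m.lookup(ip, datetime.fromisoformat(now_iso))
```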