
Sophos XG - Home Use - Single Sign On authentication using RADIUS credentials from WiFi

This question appears to have been asked several times over the past few years, but I can't find a definitive answer yet - apologies if it has been answered and I just need a link!

 

I'm trying to set up a network whereby we can bring our own mobile devices / laptops, but using our work AD credentials we can sign into a dedicated employee WiFi network (WPA2 Enterprise) and it uses the same credentials on the WiFi to automatically authenticate the device through the firewall. Effectively once you've connected to the WiFi initially, you never need to enter another security challenge.

I've searched for how to do this using my equipment and Sophos XG so I can get better visibility of connected devices and apply more appropriate web filtering based on the user, rather than a blanket policy for all. I can do this to a certain degree by assigning static IPs to each device and using clientless authentication, but it means each device has to be added manually, and until they are I have no visibility of whose device has connected.

My setup currently comprises

- Sophos XG 17

- A wireless network using WPA2 Enterprise security - authenticating against a RADIUS Windows Server 2012 R2 (Hardware is TP-Link EAP110 - managed by Wireless Controller software EAP Controller running on its own server)

- Wireless devices (e.g. Mobile Phones) can connect using their work AD credentials

- When I've installed the STAS onto the Domain Controller it doesn't pick up any active users as the RADIUS authentication event logs aren't against the right event ID (the STAS only appears to detect workstation login / logoff security events)

- When I try to forward accounting information from the RADIUS server to the Sophos XG firewall it gives me the option of loading into a SQL database (which it cannot find), or a log file which requires a folder path the Sophos XG does not have.

 

Any ideas?

 

Cheers

Matt

 
  • Matt,

     

    Apologies for the scatter-brained response but maybe some of the following will help you. This is exactly how we'd like our environment and we've been trying to get it that way for over a year now to no avail. Last tested on XG v16 MR-7

    • AD server (same server as RADIUS server) was added as authentication server in XG using FQDN for the "Domain Name" parameter (corp.fqdn.com)
    • Username parsing was failing due to double backslash issue. It looked like XG was trying to escape our RADIUS username string (CORP\username into CORP\\username) which prevented XG from automatically adding new users who authenticated and prevented matching existing users
    • Machine users being added to XG user database (host/computer-name.corp.ourdomain.com) - Minor annoyance
    • No normalization of username string (XG would treat CORP\username, CORP.FQDN.COM\username, username, username@corp, and username@corp.fqdn.com as different users. Again the double backslash issue would apply to users in the CORP\username format)
    • We had to disable STAS completely due to too many issues with breaking connectivity (we had previously mitigated this by lowering the unauth-traffic drop-period to something like 20 seconds but it was still causing issues when users would authenticate to multiple devices or more than one user would login to a workstation at the same time)

     

    RADIUS server was Windows Server 2012 R2. Wifi APs were Unifi AP-AC-PRO. We've had ongoing discussions about who owns responsibility for the above. Our RADIUS config? Sophos? Unifi?

     

    I can provide clarification on any of the above if it will help you or Sophos get closer to fixing SSO once and for all.
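The username-normalization gap described above (CORP\username, CORP.FQDN.COM\username, username, username@corp and username@corp.fqdn.com treated as five different users, plus the doubled backslash and the host/… machine accounts) is easy to reason about with a small canonicalizer. The code below is an added example, not Sophos code and not Drew's configuration; the domain names, the assumption that the NetBIOS name CORP maps to corp.fqdn.com, and the assumption that account names are case-insensitive (as sAMAccountName is in AD) are all constructed for the illustration.

```python
import re

# Constructed for this example: the one AD forest the RADIUS server serves.
CANONICAL_DOMAIN = "corp.fqdn.com"
DOMAIN_ALIASES = {
    "corp": CANONICAL_DOMAIN,           # NetBIOS short name (CORP\user, user@corp)
    "corp.fqdn.com": CANONICAL_DOMAIN,  # DNS name (CORP.FQDN.COM\user, user@corp.fqdn.com)
}


def is_machine_account(raw: str) -> bool:
    """Computer accounts show up as host/<name>.<domain> (EAP identity) or
    <DOMAIN>\\<NAME>$ (sAMAccountName); neither should become a firewall user."""
    s = raw.strip()
    return s.lower().startswith("host/") or s.rstrip().endswith("$")


def normalize_username(raw: str) -> str:
    """Reduce every spelling of the same identity to user@corp.fqdn.com.

    Steps: collapse runs of backslashes (the over-escaped CORP\\\\user case),
    split off the realm whichever side it is on, resolve NetBIOS/DNS aliases
    to the canonical DNS domain, and lower-case both halves.
    """
    s = raw.strip()
    s = re.sub(r"\\+", r"\\", s)           # CORP\\user -> CORP\user
    if "\\" in s:                           # DOMAIN\user
        domain, user = s.split("\\", 1)
    elif "@" in s:                          # user@realm
        user, domain = s.rsplit("@", 1)
    else:                                   # bare user: assume home domain
        user, domain = s, CANONICAL_DOMAIN
    domain = DOMAIN_ALIASES.get(domain.lower(), domain.lower())
    return f"{user.lower()}@{domain}"


def canonical_identities(raw_names):
    """Return the set of distinct human identities behind a list of raw
    RADIUS/AD user strings, skipping machine accounts."""
    return {normalize_username(n) for n in raw_names if not is_machine_account(n)}


if __name__ == "__main__":
    # Constructed sample: the five spellings Drew lists, one over-escaped
    # variant, and one machine account.
    seen = ["CORP\\jdoe", "CORP\\\\jdoe", "CORP.FQDN.COM\\jdoe", "jdoe",
            "jdoe@corp", "jdoe@corp.fqdn.com", "host/pc01.corp.fqdn.com"]
    print(canonical_identities(seen))   # one identity: jdoe@corp.fqdn.com
```

Run against the strings a RADIUS or STAS feed produces, the function shows whether two log entries refer to one person; an appliance that skips this step will keep creating "new" users, which is the symptom described above.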

  • Hi Drew

     

    Thanks for the note, it sounds like you've had a thorough test of the software with some better APs and still hit the same issues as I am!

     

    I think my issue is that the Microsoft RADIUS server isn't capturing the allocated IP address of the WiFi connecting devices as part of accounting (presumably because my APs or their Controller don't appear to support Accounting, only Authentication requests) and therefore it can't pass it across to the Sophos XG to integrate with it.

     

    I've contemplated getting some new APs but not sure which ones will support it out of the box aside from high end enterprise devices, and as I'm running this at home I don't particularly want to stretch to Cisco / Aruba levels of cost (although it may improve my WiFi coverage as well!!)

     

    In case I've missed anything obvious this is my current setup

     

    • Billion Router on standard fibre broadband (192.168.37.1)
    • Sophos XG 17.0.3 MR-3 (running as a VM on ESXi)
      • DMZ passthrough from Billion Router to WAN port (192.168.37.1)
      • LAN port of Sophos 192.168.1.254
    • AD Server (192.168.1.11)
      • Running Windows 2012 R2
      • AD Server is added as an authentication in Sophos XG using FQDN as the Domain Name parameter.  Only mandatory fields in Sophos XG completed (Display Name Attribute and Email Address Attribute fields left empty)
    • RADIUS installed as a service on AD Server (192.168.1.11)
      • Two AP clients and the Sophos XG firewall added as Clients
      • Sophos XG also added as Remote RADIUS server
      • RADIUS is also added as an authentication in Sophos XG - test connectivity works without issue
      • SSO using RADIUS accounting request is enabled in Configure > Authentication > Services for the 2 APs and the RADIUS service on 192.168.1.11
    • Two TP-Link EAP110 Access Points (192.168.1.7 & 192.168.1.9) managed by EAP Wireless Controller software on Server
      • Broadcasting WPA2 Enterprise SSID
      • RADIUS service on AD server configured to authenticate
        • Clients can connect to this WiFi using their AD credentials without issue
        • When using RADIUS service on Sophos XG to authenticate against it will not connect
    • STAS installed on AD server (192.168.1.11)
      • Detects join events from Windows domain-joined PCs without issue
        • Passthrough credentials are always in format username@fqdn regardless of how user logged into the PC (e.g. NETBIOS\username or username@fqdn)
        • Doesn't look for Event IDs 6272 or 6278 in Event Log so will not detect RADIUS authentications (however will not have the IP address of the connecting device anyway)

     

    Looks like Cyberoam had SSO in place before Sophos bought them out, but we may have to wait a bit longer for a seamless user experience!
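Both posts hinge on the same protocol detail: "SSO using RADIUS accounting request" can only map a user to an address if a RADIUS Accounting-Request (RFC 2866, UDP/1813) actually arrives carrying User-Name together with Framed-IP-Address; an AP that only sends Access-Requests for authentication never produces that packet, and a Start record without Framed-IP-Address gives the firewall nothing to bind. The code below is an added example, not Sophos, NPS or TP-Link code; it builds a minimal Accounting-Request with the RFC 2866 request authenticator, verifies one on receipt, and reports whether the record contains what SSO needs. The shared secret, addresses, session id and username are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865/2866 codes and attribute types used here
ACCT_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3


def _attr(atype, value):
    """Type(1) Length(1, includes header) Value: a RADIUS attribute TLV."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(secret, identifier, attrs):
    """Encode an Accounting-Request. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def verify_and_parse(packet, secret):
    """Check code, length and authenticator, then return the attribute list.
    A record that fails the authenticator must not create a firewall session."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]                # octets beyond Length are padding
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("request authenticator mismatch (wrong secret or tampering)")
    return parse_attributes(body)


def is_authentic(packet, secret):
    try:
        verify_and_parse(packet, secret)
        return True
    except ValueError:
        return False


def session_mapping(attrs):
    """Return (username, ip_or_None, status) from a parsed record, or None
    when User-Name or Acct-Status-Type is missing. ip is None when the NAS
    sent no Framed-IP-Address: the case that leaves SSO with nothing to bind."""
    d = dict(attrs)
    user, ip, status = d.get(ATTR_USER_NAME), d.get(ATTR_FRAMED_IP_ADDRESS), d.get(ATTR_ACCT_STATUS_TYPE)
    if user is None or status is None or len(status) != 4:
        return None
    ip_str = str(ipaddress.IPv4Address(ip)) if ip is not None and len(ip) == 4 else None
    return user.decode("utf-8", "replace"), ip_str, struct.unpack("!I", status)[0]


# Constructed sample: an AP (NAS 192.168.1.7) reporting a session Start.
SECRET = b"constructed-shared-secret"
FULL_RECORD = [
    (ATTR_USER_NAME, b"CORP\\jdoe"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.7").packed),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.50").packed),
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    (ATTR_ACCT_SESSION_ID, b"0001"),
]
# Same record as an AP that never learned the client address would send it.
NO_IP_RECORD = [a for a in FULL_RECORD if a[0] != ATTR_FRAMED_IP_ADDRESS]


def demo(attrs, secret=SECRET):
    packet = build_accounting_request(secret, 7, attrs)
    return session_mapping(verify_and_parse(packet, secret))


if __name__ == "__main__":
    print(demo(FULL_RECORD))    # ('CORP\\jdoe', '192.168.1.50', 1)
    print(demo(NO_IP_RECORD))   # ('CORP\\jdoe', None, 1)
```

The practical check this encodes: capture UDP/1813 on the RADIUS server while a phone joins the SSID. No packets means the AP or controller is not doing accounting at all; packets whose Start record has no Framed-IP-Address (the NO_IP_RECORD shape) mean the NAS is not reporting the client's address, and either way there is no user-to-IP binding for the firewall to consume. NPS's own "accounting" settings (SQL or log file) only record locally; they are not the same thing as a RADIUS client sending Accounting-Requests.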