AD integration with xg firewall

Dear all,

I have installed STAS and integrated AD with the XG 310.

Then I imported all the users from AD into the XG 310.

I also created a firewall rule to allow internet access from LAN to WAN and enabled "Match known users" and "Captive portal for unknown users".

However, whenever my AD users log in to their domain accounts and browse the internet, they are redirected to the captive portal.

It asks them to enter a username and password, and only then can they browse the internet.

I would like to ask whether my configuration is correct, because I thought that once the users are authenticated using AD (SSO) they should be able to browse the internet directly.

However, this is not the case with the above configuration. I am missing something in the configuration.

Thanking you all in advance.

  • Nisar...

    How many Domain Controllers do you have on site with the XG?

  • Hey,

    you can use the Windows logon to authenticate the users.

    Have a look at:

    https://community.sophos.com/kb/en-us/123156

  • Aside from STAS, if it is just for web browsing you could use NTLM authentication, which will fall back to captive portal if it fails.

    STAS authenticates your computer regardless of traffic.

    NTLM is a web traffic authentication method, though after authentication the user is applied to all traffic types from that IP.

    Under Authentication > Services, make sure that the Firewall Authentication Methods list includes your server.

    Under Administration > Device Access, turn on NTLM for the zones you want to enable.

  • This brings me to a question I just had in my lab. If I configure AD SSO using NTLM, the users on my XG Firewall (which are synchronized from Active Directory) look like the following: benutzername.

    Users coming from NTLM look like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same user.

    Is there any known workaround for this? In the UTM world we had to join the firewall to Active Directory so that it knew the user belonged to its domain. In XG we do not have the possibility to join the firewall to AD, if I'm right?

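The user-name mismatch raised in the post above (benutzername from the AD sync versus benutzername@mydomain.local from NTLM), as an added example that is not part of the thread and not Sophos code: a small Python normaliser that maps the three forms an Active Directory user name commonly arrives in (bare sAMAccountName, DOMAIN\user, user@upn.suffix) to one canonical identity, but only for domains on an allow list, with the naive strip-the-domain shortcut beside it to show why the allow list matters. The domain names, user names and allow list are assumptions for illustration.

```python
"""Added example, not from the thread or from Sophos: normalise the three
forms an Active Directory user name arrives in so that 'benutzername',
'MYDOMAIN\\benutzername' and 'benutzername@mydomain.local' resolve to the
same identity.  Domain and user names are assumptions for illustration."""

# Hypothetical allow list: UPN suffixes and NetBIOS names (lower-cased) that
# belong to domains we trust, mapped to one canonical DNS domain name.
TRUSTED_DOMAINS = {
    "mydomain.local": "mydomain.local",   # UPN suffix
    "mydomain": "mydomain.local",         # NetBIOS name used in DOMAIN\user
}

DEFAULT_DOMAIN = "mydomain.local"  # assumed for bare names from the AD sync


class UnknownDomainError(ValueError):
    """Raised for a name whose domain is not on the allow list."""


def split_name(name):
    """Return (sam, domain) for bare, DOMAIN\\user and user@suffix forms."""
    name = name.strip()
    if "\\" in name:
        domain, sam = name.split("\\", 1)
    elif "@" in name:
        sam, domain = name.rsplit("@", 1)
    else:
        sam, domain = name, DEFAULT_DOMAIN
    if not sam or not domain:
        raise ValueError(f"malformed user name {name!r}")
    return sam, domain


def canonical_user(name):
    """Return 'sam@canonical-domain', rejecting domains not on the allow list.

    AD names are case-insensitive, so both parts are lower-cased."""
    sam, domain = split_name(name)
    canonical_domain = TRUSTED_DOMAINS.get(domain.lower())
    if canonical_domain is None:
        raise UnknownDomainError(domain)
    return f"{sam.lower()}@{canonical_domain}"


def naive_user(name):
    """The tempting shortcut: drop the domain and compare sAMAccountName only.

    Shown because it is what people reach for to make the two forms match;
    it also makes 'admin@other.example' match the synced local 'admin'."""
    sam, _domain = split_name(name)
    return sam.lower()


def match_to_synced(seen_names, synced_users, normaliser=canonical_user):
    """Map each name seen at authentication time to the synced firewall
    user it corresponds to, or None if there is no safe match."""
    index = {}
    for user in synced_users:
        index[normaliser(user)] = user
    result = {}
    for name in seen_names:
        try:
            result[name] = index.get(normaliser(name))
        except UnknownDomainError:
            result[name] = None
    return result


if __name__ == "__main__":
    synced = ["benutzername", "admin"]               # as imported from AD
    seen = ["benutzername@mydomain.local",           # NTLM form
            "MYDOMAIN\\Benutzername",                # classic form
            "admin@other.example"]                   # foreign domain
    print(match_to_synced(seen, synced))
    print(match_to_synced(seen, synced, normaliser=naive_user))
```

The point of keeping the domain in the canonical form is that a firewall which simply strips everything after the "@" would treat a user authenticating from any domain it can reach as the synced local account of the same name; the allow list keeps the two forms of benutzername equal while refusing to map a foreign domain onto a local user.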