This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD integration with xg firewall

Dear all,

I have installed stas and integrated AD with xg310.

Then i did import all the users from AD into Xg-310.

And created a firewall rule to access internet from lan to wan and enabled "match known users" & "Captive portal to unknown users".

However whenever my AD users login to domain account and browse for internet, its is redirected to captive portal.

And asks to enter username and password then only he can browse the internet.

I would like to ask if my configuration is correct. Because i thought once the users are authenticated using AD(SSO) he should be able to browse internet directly.

However this is not true in above configuration. I am missing something in the configuration.

Thanking you all in advance.

This thread was automatically locked due to age.

Parents

0 Tam Ben-Jusu over 7 years ago

Nisar...

How many Domain Controllers do you have on site with the XG?
Cancel
Vote Up 0 Vote Down

Cancel
0 mario Andrick over 7 years ago in reply to Tam Ben-Jusu

Hey,

you can use the Windows logon to authetificate the USers.

have a look at:

https://community.sophos.com/kb/en-us/123156
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 7 years ago in reply to mario Andrick

Aside from STAS, if it is just for web browsing you could use NTLM authentication, which will fall back to captive portal if it fails.

STAS authenticates your computer regardless of traffic.

NTLM is a web traffic authentication method, though after authentication the user is applied to all traffic types from that IP.

Under Authentication, Services, make sure that the Firewall Authentication Methods includes your server.

Under Administration, Device Access, turn on NTLM for the zones you want to enable.
Cancel
Vote Up 0 Vote Down

Cancel
0 HuberChristian over 7 years ago in reply to Michael Dunn

This brings me to a Question I just had in my Lab. If I configure AD SSO using NTLM, my Users on my XG Firewall (Which are Synchronized from ActiveDirectory) are looking like the following: benutzername.

Users coming from NTLM are looking like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same User.

Is there any workarround known for this? In UTM's world we had to join Firewall to the Active Directory, so it knows that this user belongs to it's domain. In XG we do not have the possibility to join the Firewall with AD if I'm right?
Cancel
Vote Up 0 Vote Down

Cancel
0 mario Andrick over 7 years ago in reply to HuberChristian

Hello,

do you have add the AD Server to ... Configure -> Authentication -> Services ?

Here you can add the priority of the login Server.
Cancel
Vote Up 0 Vote Down

Cancel
0 HuberChristian over 7 years ago in reply to mario Andrick

Thanks for this input. Yes I did already set the Precedence of Active Directory under "Firewall Authentication Methods" to the top. It didn't change anything to my behavior.
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 7 years ago in reply to HuberChristian

HuberChristian said:

Users coming from NTLM are looking like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same User.

Is this just a logging/reporting problem, or are you not getting the correct firewall rule or web policy applied?

AFAIK, the rules should be applied correctly regardless of how the naming looks like.

Under Authentication \ Users do you have one user or two?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Michael Dunn over 7 years ago in reply to HuberChristian

HuberChristian said:

Users coming from NTLM are looking like benutzername@mydomain.local. XG Firewall does not recognize that benutzername and benutzername@mydomain.local are the same User.

Is this just a logging/reporting problem, or are you not getting the correct firewall rule or web policy applied?

AFAIK, the rules should be applied correctly regardless of how the naming looks like.

Under Authentication \ Users do you have one user or two?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 HuberChristian over 7 years ago in reply to Michael Dunn

Michael Dunn said:
Under Authentication \ Users do you have one user or two?

I have two users. The one from the AD, and the one created by NTLM.
Cancel
Vote Up 0 Vote Down

Cancel