Sophos Firewall: Authentication Methods

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

---

This guide provides an overview of supported authentication methods and configuring them on the Sophos (XG) firewall.

Hotspot

• Hotspot authentication is checked when a hotspot is active on the interface the traffic is coming from. The wireless hotspot authentication is primarily used to provide internet access to guests and restrict unwanted traffic on normal networks. 
  • Sophos XG Firewall: How to set up a hotspot network

Clientless Users

• Clientless users don’t authenticate using a username and password but are identified purely by their IP address. Clientless users are always authenticated locally by the XG Firewall. Typically you would use clientless users to control network access for servers or devices such as printers and VoIP phones. You can also configure people as clientless users, for example, senior executives, for whom you don't want to require a sign-in when they're within the network. If you configure users rather than network devices, we recommend that you map the users with static IP addresses on your DHCP server.
• You can create clientless users individually or as a group. You can then edit each user's configuration and specify the policies and bandwidth usage.
• Clientless users appear as live users in current activities. If you deactivate these users, they don't appear as live users.
  • Clientless users

Single-Sign-On (SSO)

• Configure Active Directory authentication
• Group membership behavior with Active Directory

The XG Firewall has several methods for authenticating users for single sign-on:

Sophos Authentication for Terminal Client(STAS)

• The Sophos Transparent Authentication Suite, STAS, is installed on Domain Controllers and reports logon events to the XG Firewall.
  • Sophos Firewall: Implement clientless SSO in a single Active Directory Domain Controller
  • Sophos Firewall: Implement clientless SSO with multiple Active Directory Domain Controllers

Sophos Authentication for Terminal/Thin Client (SATC)

• Sophos Authentication for Terminal Client, SATC, is installed on Terminal Servers and allows the XG Firewall to identify users based on the source port of the traffic from the Terminal Server.
  • How to set up SATC
  • Set up SATC with Sophos Server Protection

Synchronized User Identity

• Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.
• Synchronized user ID works with Active Directory (AD) configured as an authentication server in Sophos Firewall and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. The synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. The synchronized user ID shares the domain user account information from the endpoint device the user is signed in to with Sophos Firewall via Security Heartbeat. Sophos Firewall then checks the user account against the configured AD server and activates the user.
• Sophos Endpoint Protection passes Windows sign-in information to Sophos Firewall. Sophos Firewall uses this information to authenticate against AD. This authentication is used to trigger user-based policies and general user authentication on the firewall.
  • Synchronized user ID authentication

VPN SSO

• When users are connected to the XG Firewall through a remote access VPN they are automatically authenticated with the firewall seamlessly. Please note that in the case of HA failover, users will have to reconnect to the VPN tunnel as they will be disconnected, and the user will be logged out of the firewall.
  • Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN

RADIUS SSO

• The Sophos XG Firewall can transparently authenticate users who have already been authenticated on an external RADIUS server. The firewall does not interact with the RADIUS server, but simply monitors the RADIUS accounting records that the server sends. These records generally include the user’s IP address and user group.
  • Configure RADIUS authentication

Kerberos/NTLM SSO

• The XG Firewall also supports single sign-on for web traffic using Kerberos/NTLM authentication requests.
  • Configure LDAP authentication
  • Turn on Kerberos authentication

Chromebook SSO

• XG Firewall provides a Chromebook extension that shares Chromebook user IDs with the Firewall to turn on full user-based policy enforcement and reporting.
  • Configure Chromebook single sign-on

Authentication Agent

• The authentication agent client can be downloaded from the User Portal. Once installed, the user can enter their credentials and save them so that it’ll authenticate with the firewall every time they login.
  • Sophos XG Firewall: Client Authentication Agent
  • Sophos XG Firewall: How to install and configure Sophos General Authentication Client for Mac OS Catalina

Web (Captive Portal) Authentication

• Captive Portal is the web-based authentication method where users get an authentication page within the browser.
  • Web (Captive Portal) authentication

---

Related Links

1. Sophos XG Firewall: How to allow branch office users to authenticate with the head office Active Directory Server
2. Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN

Updated Disclaimer
[edited by: Erick Jan at 9:02 AM (GMT -7) on 17 Apr 2023]