RADIUS for UTM Webadmin?

Currently using RADIUS to authenticate users for VPN (L2TP). Works fine.

I have been instructed to add 2FA to the UTM for both VPN and for WebAdmin. We use Duo for 2FA.

I set up a Duo proxy server as described in multiple documents and tied it to the UTM using RADIUS. The problem: how do I specify which users can get to WebAdmin or not? As it stands right now, the UTM sees all RADIUS users the same, so anyone with RADIUS access would be able to get to WebAdmin. Clearly I don't want every single user to have access to WebAdmin.

  • Hi LeeSentell,

    For users who need access to WebAdmin, the users have to be entities on the UTM; this way the user already has an account on the UTM, rather than authenticating with an external source (which is effectively what RADIUS is).

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Okay, then how to provide 2FA for WebAdmin logins? Duo's proxy server provides RADIUS and the UTM is supposed to obtain authentication in that way from the proxy server, according to Sophos docs.

    We have both admins and users configured with Duo. How to ensure that only admins can get access to WebAdmin and not users?

  • You have a bit of a problem, but it can be overcome with difficulty. UTM does not know how to retrieve group membership from RADIUS.

    1) Create a new local group.

    Definitions & Users... Users & Groups... Groups (tab)... New Group

    I will assume the group name is "IT Network Admins".

    Group Type is "Static Members". 

    2) Navigate to Management... WebAdmin Settings... General (tab)...

    Add "IT Network Admins" group to the list of Allowed Administrators.

    3) Assuming RADIUS logins do not create a local UTM user, you have to create them manually.

    Definitions & Users... Users & Groups... Users (tab)... [New User]... 

    Ensure that the UTM username exactly matches the RADIUS username.

    Specify Authentication Remote.   

    Repeat for each person who will be using 2FA for WebAdmin.

    4) Configure membership of the "IT Network Admins".

    Return to the group definition and populate it with your admin users.

    5) Have the users configure their DUO 2FA settings.
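As an added illustration (not code from the thread, Sophos or Duo), the following Python models the difference between the situation in the question and the fix in the answer above: RADIUS only authenticates, and WebAdmin authorization comes from a local UTM user whose name exactly matches the RADIUS username and who belongs to an allowed administrator group. All usernames, group names and data are constructed.

```python
"""Model of the WebAdmin authorization flow from the thread (constructed example, not UTM code)."""
from dataclasses import dataclass, field

# Constructed sample data: users the Duo proxy (RADIUS) would accept, and the UTM's own definitions.
RADIUS_USERS = {"alice", "bob", "carol"}       # everyone enrolled in 2FA; all look alike to the UTM
ALLOWED_ADMIN_GROUPS = {"IT Network Admins"}   # Management > WebAdmin Settings > Allowed Administrators


@dataclass
class LocalUser:
    name: str
    authentication: str                      # "Remote" = password checked by the RADIUS backend
    groups: set = field(default_factory=set)


# Local user definitions created by hand, as step 3 of the answer describes.
LOCAL_USERS = {
    "alice": LocalUser("alice", "Remote", {"IT Network Admins"}),
    "Bob":   LocalUser("Bob", "Remote", {"IT Network Admins"}),   # case mismatch with RADIUS "bob"
}


def radius_authenticate(username, second_factor_ok=True):
    """Stand-in for the Duo proxy: Access-Accept iff the user is known and the second factor passed."""
    return username in RADIUS_USERS and second_factor_ok


def webadmin_allowed_before(username):
    """Situation in the question: every RADIUS-authenticated user reaches WebAdmin."""
    return radius_authenticate(username)


def webadmin_allowed_after(username):
    """Fix from the answer: RADIUS authenticates, a local entry in an allowed group authorizes."""
    if not radius_authenticate(username):
        return False
    local = LOCAL_USERS.get(username)        # exact, case-sensitive match (step 3 of the answer)
    if local is None:
        return False
    return bool(local.groups & ALLOWED_ADMIN_GROUPS)


def unmatched_admin_entries():
    """Admin-group entries with no exact RADIUS counterpart; these admins will silently be denied."""
    return sorted(u.name for u in LOCAL_USERS.values()
                  if u.groups & ALLOWED_ADMIN_GROUPS and u.name not in RADIUS_USERS)
```

Running `unmatched_admin_entries()` after populating the group is a quick way to catch the exact-name requirement from step 3 before an admin is locked out.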