Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 4687 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL-VPN and User Portal Self Service (Group Memberships)

kerobra_retired

I have the following situation:

- a customer uses two-factor authentication (Safeword Tokens) via RADIUS for external access.
- I want to enable the users to download the SSL-VPN client from the User Portal, if needed for a new device (in home offices).

I actually configured the User Portal only to be accessible from internal network, allowed users are "Active Directory Users" to keep it simple for them (password). The remote access profile is enabled for "RADIUS Users" and this results in users that are successfully authenticated to the User Portal not being able to see the Remote Access tab. If I allow "Active Directory Users" in SSL VPN they can see it but they would be automatically able to authenticate to SSL-VPN without the Token passcode.

If I try to set the User Portal for "RADIUS Users" they cannot authenticate even if the IAS log says the authentication for the user was successful.
Is there a way to achieve my goal at all?



This thread was automatically locked due to age.
Parents
  • 0

    "The remote access profile is enabled for "RADIUS Users" and this results in users that are successfully authenticated to the User Portal not being able to see the Remote Access tab."

    Interesting, Kevin.  This appears to say that a remote access user authenticated with RADIUS cannot be recognized as an Active Directory member by the User Portal.  Is that right?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    mmh don't think that.

    My problem is, that I wanted to enable my technicians to be able to get the user's SSL-VPN configfile, when they deploy a new laptop - and have "access" to the user's password, when he enters it.

    If I only allow RADIUS users for the Remote Access VPN profile a user that authenticates via User Portal (where I allowed "Active Directory Users") cannot see the tab required to download the profile. If I allow "Active Directory Users" for Remote Access VPN they are able to do so, but that would mean that they can use this informations to authenticate to SSL-VPN. RADIUS is not required.

    So I thought I'll give it a try the other way round, by enabling only "RADIUS users" for the User Portal (which means password for the user is "123456abcd" where abcd is a fixed per-user value and 123456 the 6digit Token-ID). But that gives "password error" while trying to log in. In the RADIUS server log on the windows server I can see a successful authentication, but the UTM rejects it. I think that the locally synchronized user (which comes from AD) has other credentials than the RADIUS-user.

    I guess that is because RADIUS is authentication service only while AD can be used to sync users or groups and authentication at the same time.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

Reply
  • 0 in reply to BAlfson

    Hi Bob,

    mmh don't think that.

    My problem is, that I wanted to enable my technicians to be able to get the user's SSL-VPN configfile, when they deploy a new laptop - and have "access" to the user's password, when he enters it.

    If I only allow RADIUS users for the Remote Access VPN profile a user that authenticates via User Portal (where I allowed "Active Directory Users") cannot see the tab required to download the profile. If I allow "Active Directory Users" for Remote Access VPN they are able to do so, but that would mean that they can use this informations to authenticate to SSL-VPN. RADIUS is not required.

    So I thought I'll give it a try the other way round, by enabling only "RADIUS users" for the User Portal (which means password for the user is "123456abcd" where abcd is a fixed per-user value and 123456 the 6digit Token-ID). But that gives "password error" while trying to log in. In the RADIUS server log on the windows server I can see a successful authentication, but the UTM rejects it. I think that the locally synchronized user (which comes from AD) has other credentials than the RADIUS-user.

    I guess that is because RADIUS is authentication service only while AD can be used to sync users or groups and authentication at the same time.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

Children
  • 0 in reply to kerobra_retired

    I think this is a known problem, Kevin.  In fact, I think if you were to enable a zero-access SSL VPN Profile for folks so that the 'Remote Access' tab would appear, you still wouldn't see the L2TP/IPsec option for RADIUS-authenticated users.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML