Sophos UTM and Windows 2012 NPS RADIUS fails

So this looks like a very bizarre issue, but I have my 2FA (using RADIUS) configured in Sophos.

All testing in RADIUS portion configuration looks normal.

and even on the RADIUS side (both on the Windows NPS agent and the 2FA components) everything successfully authenticates.

BUT when Sophos itself attempts to use the RADIUS authentication system, it returns an error with no real reason why it's failing (especially since, according to all the RADIUS pieces, it was a successful submission).

2016:08:31-12:10:46 reno-firewall aua[23749]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="173.164.229.17" host="" user="docm" caller="portal" reason="DENIED"

2016:08:31-12:10:46 reno-firewall aua[23749]: [WARN-070] Too many failed logins
2016:08:31-12:34:24 reno-firewall aua[3354]: id="3006" severity="info" sys="System" sub="auth" name="Child 23749 is running too long. Terminating child"
2016:08:31-12:34:24 reno-firewall aua[24846]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.100.100.127 (radius)"
2016:08:31-12:34:25 reno-firewall aua[24846]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="173.164.229.17" host="" user="docm" caller="portal" reason="DENIED"
2016:08:31-14:07:08 reno-firewall aua[3354]: id="3006" severity="info" sys="System" sub="auth" name="Child 24846 is running too long. Terminating child"
All my other testing shows RADIUS is working, and other systems that use this same RADIUS configuration work perfectly well. It's only Sophos that seems to be failing.
I'm running 9.405-5...
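As an added example (not code from this post and not Sophos's own tooling), here is a small Python parser for the aua log lines quoted above. It splits the key="value" records, pulls out which backend address the daemon reported trying, and groups the id="3005" failures per user and source IP, flagging the [WARN-070] "Too many failed logins" warning that follows the first DENIED, which is the first thing to rule out when the RADIUS server itself says the credentials were accepted. The sample lines are the ones from the post; the record layout and the summary fields are this example's own choices.

```python
"""Parse Sophos UTM 'aua' (authentication daemon) log lines and summarise
RADIUS-backed login failures.

Added example, not part of the original forum post and not Sophos code. The
sample lines are the ones posted above; the record layout and the summary
produced by summarise_failures() are this example's own design.
"""
import re
from collections import defaultdict

# Two line shapes appear in the post:
#   YYYY:MM:DD-HH:MM:SS host aua[pid]: key="value" key="value" ...
#   YYYY:MM:DD-HH:MM:SS host aua[pid]: [WARN-070] Too many failed logins
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TRYING_RE = re.compile(r'^Trying (\S+) \((\w+)\)$')

# Lines copied from the post above (one user, one source IP, two daemon children).
SAMPLE_LINES = [
    '2016:08:31-12:10:46 reno-firewall aua[23749]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="173.164.229.17" host="" user="docm" caller="portal" reason="DENIED"',
    '2016:08:31-12:10:46 reno-firewall aua[23749]: [WARN-070] Too many failed logins',
    '2016:08:31-12:34:24 reno-firewall aua[3354]: id="3006" severity="info" sys="System" sub="auth" name="Child 23749 is running too long. Terminating child"',
    '2016:08:31-12:34:24 reno-firewall aua[24846]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.100.100.127 (radius)"',
    '2016:08:31-12:34:25 reno-firewall aua[24846]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="173.164.229.17" host="" user="docm" caller="portal" reason="DENIED"',
    '2016:08:31-14:07:08 reno-firewall aua[3354]: id="3006" severity="info" sys="System" sub="auth" name="Child 24846 is running too long. Terminating child"',
]


def parse_line(line):
    """Return {ts, host, proc, pid, fields, msg} for one aua line, else None.
    Structured lines fill 'fields' from their key="value" pairs; free-text
    warnings leave 'fields' empty and keep the text in 'msg'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "fields": dict(KV_RE.findall(rest)),
        "msg": rest,
    }


def backends_tried(lines):
    """List the (address, method) pairs the daemon reported trying, in order.
    This is where to check what address the UTM actually dialled for RADIUS."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        m = TRYING_RE.match(rec["fields"].get("name", ""))
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def summarise_failures(lines):
    """Group id=3005 'Authentication failed' events by (user, srcip) and flag
    whether the daemon child that logged them also emitted a [WARN-070]
    'Too many failed logins' warning."""
    records = [r for r in map(parse_line, lines) if r]
    lockout_pids = {r["pid"] for r in records
                    if not r["fields"] and "Too many failed logins" in r["msg"]}
    grouped = defaultdict(list)
    for r in records:
        f = r["fields"]
        if f.get("id") == "3005":
            grouped[(f.get("user", ""), f.get("srcip", ""))].append(r)
    return {
        key: {
            "count": len(recs),
            "reasons": sorted({r["fields"].get("reason", "") for r in recs}),
            "callers": sorted({r["fields"].get("caller", "") for r in recs}),
            "locked_out": any(r["pid"] in lockout_pids for r in recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
        for key, recs in grouped.items()
    }


if __name__ == "__main__":
    print("backends tried:", backends_tried(SAMPLE_LINES))
    for (user, srcip), info in summarise_failures(SAMPLE_LINES).items():
        print(f"{user}@{srcip}: {info}")
```

Run it against a copy of the live aua log (`tail -f` output pasted into SAMPLE_LINES, or read from a file) to see whether the "Trying" line names the RADIUS host you configured and whether the DENIED entries are preceded by a lockout warning rather than a backend timeout.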


  • What is the error that's returned?

    Cheers - Bob

  • The error returned on the client side shows a policy failure (on the Sophos side).

    But it's interesting. Doing some testing, it looks like RADIUS is just plain broken in UTM 9. There is no way I can set this up with Juniper, Cisco, Citrix, NetScaler, Microsoft, etc., and they ALL work, and then Sophos just flat out fails. At this point I'm pretty much considering dumping the product, because I'm spending more time troubleshooting something that should be dead simple (and is for EVERY OTHER product tested), and for this one it's broken.

    Example: this is a test with VPN (L2TP). And it seems to send 3 authentications to the RADIUS server (not sure why it's not reading the response from the RADIUS server). This is especially bizarre since I use this RADIUS system for 200 other applications (I happen to work for the 2FA company, so I'm pretty well versed with their systems/code).

    But to illustrate, I destroyed my previous RADIUS deployment and started fresh.

    And doing a user test returns this:

    Not sure if you can read the screen, but the text claims it's a timeout on the backend, and checking the logs on Sophos, it thinks the RADIUS server is 0.0.0.0.

    BUT it's actually making it to the RADIUS servers.

    As I said, in a set of 3: the first two show "success" and the third one ALWAYS shows this. But it's the same request (just repeated).

    Below is an excerpt from the L2TP (IPsec) logs, and as you can see, it's failing because it's not passing the RADIUS server, so it thinks it can't validate (and of course it's ignoring the response from the RADIUS server).

    Thanks

    DRM

  • On the failures, it says that there's no matching CRP.  How about a picture of the CRP for L2TP/IPsec?

    If you're evaluating the UTM, Sophos has excellent pre-sales engineers.  Their support is free and they're also better-connected with third-level support and the developers.

    Cheers - Bob

    PS By the way, I just noticed you're new here - Welcome to the UTM Community!

