Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 4536 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Access with Radius & AD

Louis-M

If I set up remote ipsec access and select a user with remote authentication.

I have radius (position 1) & AD (position 2) as remote authentication because i want to use AD for some forms of authentication eg browsing etc

I've noticed that if a remote user fails the radius authentication, they then drop down onto the AD authentication.

I do not want to use AD authentication for ipsec, only radius. Is there a way to do this?



This thread was automatically locked due to age.
Parents
  • 0

    If the User fails RADIUS auth, why would he pass AD auth?  If that happens, then you probably need to rethink the Backend Group definition(s) used in the IPsec Remote Access Rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    We use AD & STAS for our web filtering for 600 users.

    We have vpn users which we authenticate via Radius. These users are in an AD group and we want them to use the same domain password. We also have a group for wireless authentication in Radius. It gives us more finite control.

    I think the UTM should offer what type of backend authentication you want to use for each module eg radius for wirless, AD & STAS  for web, rather than just group the users in "backend authentication" in which the only control you have is the order in which the authentication is run.

Reply
  • 0 in reply to BAlfson

    We use AD & STAS for our web filtering for 600 users.

    We have vpn users which we authenticate via Radius. These users are in an AD group and we want them to use the same domain password. We also have a group for wireless authentication in Radius. It gives us more finite control.

    I think the UTM should offer what type of backend authentication you want to use for each module eg radius for wirless, AD & STAS  for web, rather than just group the users in "backend authentication" in which the only control you have is the order in which the authentication is run.

Children
  • 0 in reply to Louis-M

    Again, Louis, I can't see exactly what you need to do, but my guess is that you're making a false assumption somewhere and have not structured your Backend and AD Groups to fit your needs.  None of my clients has this problem with RADIUS and AD.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    we use AD and stas for all of our users on the web proxy. So everybody can get out to the web.

    However, we have certain users that we want to vpn in. In AD, we create a VPN group and add the users to this.

    In Radius, we say that the vpn users must be a member of this group. So, we put this user into the vpn on the UTM.

    I then watched the user fail radius authentication because of a radius policy that wasn't set up right. However, they still managed to log on because they were authenticated in AD.

    Now we could alter AD and limit the AD query to a certain OU etc but should we have to?

    I think the UTM would be better with the ability to select what type of authentication you would like for which module.

  • 0 in reply to Louis-M

    You can make that suggestion, Louis.  In the mean time, in the UTM, if you haven't already done so, you need to create a Backend Group based on the AD VPN Group.  Next, add a new Policy at the top in Web Filtering that assigns the desired Filter Action (maybe a new one) to the Backend Group.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML