Our customer is looking for a firewall replacement product for TMG 2010. The customer uses a lot of different firewall access rules for various user groups to allow fine-grained remote access using L2TP/IPsec. The customer is currently using AD users and groups for authentication, but needs to implement RADIUS authentication in the future to use MFA for the remote users. The product chosen for MFA is ESET Secure Authentication.
After looking into the Sophos UTM guides, I have discovered the following potential problems:
- Fine-grained access for remote users
Is UTM able to match RADIUS-authenticated remote users against local or AD users (and groups) to allow fine-grained access control? TMG was able to match RADIUS users (usernames) against domain users, thus it was possible to use domain groups for access control even though the users were authenticated by RADIUS. We’d need similar functionality; however, it’d be fair enough if UTM could match RADIUS users against a local user database.
- PAP password authentication for L2TP/IPsec
ESET Secure Authentication MFA uses a method of “merging” the user’s AD password with the OTP token when the user enters the password. However, for this method only PAP password authentication is supported for the L2TP/IPsec connection, which UTM does not seem to support. Would it be possible to get this working with UTM?
Additionally, the customer uses Windows (7 to 10) integrated VPN clients (distributed via CMAK files) for their remote warriors. Can you confirm that Sophos UTM works flawlessly with these clients? Also in terms of remote access routes distributed via DHCP options to the L2TP clients? The clients do not use the “Use default gateway on remote network” option, so that only traffic destined for the customer’s network is passed into the tunnel.
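An added example, not part of the original post and not Sophos or ESET code: the client-side configuration the post describes (L2TP/IPsec with a pre-shared key, PAP so that the merged password+OTP reaches the RADIUS server unchanged, and “Use default gateway on remote network” disabled) built on a Windows 8/10 client with the built-in VPN cmdlets, followed by the checks a practitioner would run against whichever gateway is chosen. The connection name, server name and PSK are assumed placeholders; Windows 7 has no VpnClient cmdlets, so its profiles still come from CMAK.

```powershell
# Added example (not from the original post). Assumed values: connection name,
# server address and PSK. Requires Windows 8/10 (VpnClient module).
$Name   = 'Corp VPN'                 # assumed
$Server = 'vpn.example.com'          # assumed
$Psk    = 'ChangeMe-PreSharedKey'    # assumed; use a long random PSK in production

# L2TP/IPsec with PAP. PAP needs -EncryptionLevel Optional (MPPE keys are only
# derived for MS-CHAP/EAP); IPsec still encrypts the tunnel. -SplitTunneling is the
# cmdlet form of leaving "Use default gateway on remote network" unchecked.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -EncryptionLevel Optional `
    -SplitTunneling -RememberCredential -Force

# Check 1: the profile matches what the CMAK package is expected to ship.
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Check 2: dial (the "*" prompts for the password, i.e. AD password + OTP when
# ESET merging is in use) and list the routes installed on the tunnel interface.
# Routes pushed by the gateway via DHCP classless static routes (options 121/249)
# appear here; with split tunnelling there must be no 0.0.0.0/0 via the VPN.
rasdial $Name $env:USERNAME *
Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, RouteMetric

# Cleanup when testing is done.
rasdial $Name /disconnect
```

If the route table after dialling shows only the tunnel’s own /32 and no customer subnets, the gateway is not answering the client’s DHCPINFORM with classless static routes, which is exactly the TMG behaviour the post asks Sophos UTM to reproduce.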