
Does the UTM support RADIUS with AD groups and PAP for L2TP/IPSec connections

Our customer is looking for a firewall replacement product for TMG 2010. The customer uses a lot of different firewall access rules for various user groups to allow fine-grained remote access using L2TP/IPSEC. The customer is currently using AD users and groups for authentication, but needs to implement RADIUS authentication in the future to use MFA for the remote users. The product chosen for MFA is ESET Secure Authentication.

 

After looking into the Sophos UTM guides, I have discovered the following potential problems:

 

  • Fine-grained access for remote users

Is UTM able to match RADIUS authenticated remote users against local or AD users (and groups) to allow fine-grained access control? TMG was able to match RADIUS users (usernames) against domain users, thus it was possible to use domain groups for access control even though the users were authenticated by RADIUS. We’d need similar functionality; however, it’d be fair enough if UTM could match RADIUS users against a local user database.

 

  • PAP password authentication for L2TP/IPSEC

ESET Secure Authentication MFA uses a method of “merging” the user’s AD password with the OTP token when the user enters the password. However, for this method only PAP password authentication is supported for the L2TP/IPSEC connection, which UTM does not seem to support. Would it be possible to get this working with UTM?

 

Additionally, the customer uses Windows (7 to 10) integrated VPN clients (distributed via CMAK files) for their remote warriors. Can you confirm that Sophos UTM works flawlessly with these clients? Also in terms of remote access routes distributed via DHCP options for the L2TP clients? The clients do not use the “default gateway on remote network” option, so only traffic destined for the customer’s network passes into the tunnel.
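The reason a “password merged with OTP” scheme needs PAP, modelled as an added example (this is not part of the original post, and not Sophos or ESET code): with PAP the VPN gateway forwards the credential the user typed, hidden only by the RFC 2865 User-Password obfuscation keyed on the RADIUS shared secret, so the RADIUS server can recover the cleartext, split off the trailing OTP digits and check the AD password and the OTP separately. With CHAP or MS-CHAPv2 the server only ever sees a challenge response and cannot separate the two factors. The shared secret, Request Authenticator, password, TOTP seed and the “6 trailing digits” convention are constructed assumptions; the helper names are hypothetical.

```python
"""Model of PAP User-Password hiding (RFC 2865 §5.2) and server-side split of
'AD password + OTP'.  Added example with constructed sample values; not code
from the forum post, Sophos UTM, or ESET Secure Authentication."""
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # assumption: the OTP is appended to the AD password as 6 digits


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """What the NAS (the VPN gateway) does before sending a PAP Access-Request:
    pad to 16-byte blocks and XOR each block with MD5(secret + previous block),
    the first block being chained to the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse on the RADIUS server; NUL padding is stripped afterwards."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, used here as the OTP the user appends."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_merged_credential(cleartext: bytes, digits: int = OTP_DIGITS):
    """Split '<AD password><OTP>' into its parts.  Returns None when the field is
    too short to hold both factors or the tail is not all digits."""
    if len(cleartext) <= digits or not cleartext[-digits:].isdigit():
        return None
    return cleartext[:-digits], cleartext[-digits:].decode()


def server_verify(secret: bytes, authenticator: bytes, hidden: bytes,
                  expected_password: bytes, seed: bytes, now: int, window: int = 1) -> bool:
    """The MFA RADIUS server's view of a PAP request: reveal, split, then check
    both factors.  Only possible because PAP delivers the cleartext; a CHAP or
    MS-CHAPv2 challenge response offers nothing to split."""
    parts = split_merged_credential(reveal_user_password(secret, authenticator, hidden))
    if parts is None:
        return False
    pwd, otp = parts
    pwd_ok = hmac.compare_digest(pwd, expected_password)
    otp_ok = any(hmac.compare_digest(otp, totp(seed, now + k * 30))
                 for k in range(-window, window + 1))
    return pwd_ok and otp_ok


if __name__ == "__main__":
    # Constructed sample values only.
    SECRET, AUTH, SEED = b"radius-shared-secret", bytes(range(16)), b"12345678901234567890"
    NOW = 59
    merged = b"Secret1" + totp(SEED, NOW).encode()      # what the user types into the client
    on_the_wire = hide_user_password(SECRET, AUTH, merged)
    print("accepted:", server_verify(SECRET, AUTH, on_the_wire, b"Secret1", SEED, NOW))
```

The MD5-based hiding in the first function is obfuscation, not encryption: anyone holding the shared secret and capturing the request can recover the password and OTP, which is why the RADIUS leg between the gateway and the MFA server belongs on a trusted network segment or inside an IPsec tunnel.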



  • Hi Tyler and welcome to the UTM Community!

    There will be things you could do with TMG that you can't with UTM, and vice-versa.  More often, there are different, optimal solutions for a requirement of the two products.

    Since the UTM is in use with multiple types of authentication, it's not as tightly integrated with AD as was TMG.  L2TP/IPsec users can be authenticated with RADIUS, but they cannot be grouped based on membership in an AD Security Group.  Remote Access users have to be synced from AD to the UTM, so it is possible to create firewall rules and Web Filtering Profiles to manage them just as effectively and with the same granularity as you did with TMG.

    Your comment about ESET is confusing to me, so I don't know how to answer this question other than to say that L2TP/IPsec remote users can be authenticated with RADIUS on the UTM.

    Again, L2TP/IPsec in the UTM works with those clients.

    I've not personally used DHCP with the L2TP/IPsec server to distribute routes, but that should be possible.

    In fact, you are asking for reassurance, but the mission of this community is to help each other solve problems.  Rather than ask these pre-sales questions here, you really do want to speak with Sophos Sales.  The pre-sales Engineers are uniformly very knowledgeable and there is no charge to get very-specific technical answers to your questions.  As a moderator, I can see your IP, so I know that you are in a city where a Sophos office is located.  You seem knowledgeable yourself and to have a true concern for your customers, so I'm sure Sophos would like to recruit you as a reseller! [;)]

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA