RADIUS Authentication w/ Microsoft NPS- Starter Connection Request Policy?

Hi all!

 

Background:

I'm looking at Sophos UTM 9 as a remote access (SSL) VPN server w/ RADIUS authentication. The RADIUS server is Windows Server 2016 running NPS. I've added NPS as an authentication server in WebAdmin and test server settings passes.

However, authenticate example user fails. Looking at the Windows NPS logs, each example user attempt results in an error code 49- incorrect Connection Request policy.

Question:

Is there a bare-bones Connection Request policy out there to test with? I'm new to RADIUS and Sophos' documentation was less than helpful (could be my skill level though, too).

Thank you in advance!

  • Hi Andrew and welcome to the UTM Community!

    No need to use RADIUS - take a look at Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your welcome and suggestion!

    Unfortunately, proxy isn't what we're looking for. Was looking to leverage remote-access SSL VPN. But that's good to know when we look toward proxy.

    Thanks,

     

    Andrew

  • SSL VPN Remote Access works like a charm with AD.  Just create a Security Group in AD named, e.g., "SSL VPN", assign members to it and use that Group in a limited Backend Group in 'Users and Groups' in an SSL VPN Profile.  You'll also want to drag that group into 'Groups' in 'Prefetch Directory Users' on the 'Advanced' tab of 'Definitions & Users >> Authentication Services'.

    Cheers - Bob
    PS Moving this thread to the VPN forum.

  • If you want to use RADIUS...

    It's not just a case of adding NPS services to Windows Server and then pointing UTM at it - you have to configure policies on the NPS control panel in Windows to allow VPN connections  - see https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-nps

    Best way to test is to try connecting the VPN - the test tools in UTM/XG can be a bit flaky.  Look at the NPS logs in Windows Event Viewer to see if the connection is being authenticated.
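
When NPS refuses a login it writes an audit event naming the connection request policy and network policy it evaluated and the reason code it stopped on, so reading those events beats guessing from the UTM side. The PowerShell below is an added example, not code from this thread, from Sophos or from Microsoft; it runs on the NPS host itself, assumes an elevated session with NPS auditing enabled (Security log, event 6272 = access granted, 6273 = access denied), and the variable names `$Hours`, `$ClientFilter` and the helper `Get-NpsField` are my own.

```powershell
# Added example (not from the thread, Sophos or Microsoft): summarise the RADIUS decisions
# NPS made recently so a failing VPN login can be matched to the policy NPS actually used.
# Assumes an elevated PowerShell session on the Windows Server 2016 host running NPS and
# that NPS auditing is on (Security log, event 6272 = granted, 6273 = denied).
$Hours        = 24     # how far back to look
$ClientFilter = '*'    # narrow to one RADIUS client, e.g. the UTM's friendly name or IP

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No NPS grant/deny events since $since. Check that NPS auditing is enabled:"
    Write-Warning "  auditpol /get /subcategory:`"Network Policy Server`""
    return
}

# Event 6272/6273 messages are 'Label:<tab>value' lines; pull the value for one label.
function Get-NpsField ([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User       = Get-NpsField $e.Message 'Account Name'
        Client     = Get-NpsField $e.Message 'Client Friendly Name'
        ClientIP   = Get-NpsField $e.Message 'Client IP Address'
        CRP        = Get-NpsField $e.Message 'Connection Request Policy Name'
        NetPolicy  = Get-NpsField $e.Message 'Network Policy Name'
        ReasonCode = Get-NpsField $e.Message 'Reason Code'
        Reason     = Get-NpsField $e.Message 'Reason'
    }
}

$rows = $rows | Where-Object { $_.Client -like $ClientFilter -or $_.ClientIP -like $ClientFilter }

# Per-request view: which CRP and network policy (if any) each attempt landed on.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Result, User, Client, CRP, NetPolicy, ReasonCode -AutoSize

# Tally of refusals by reason code, printing NPS's own Reason text rather than a guess.
# In this thread: 49 = no connection request policy matched the request at all,
# 48 = a CRP matched but no network policy did.
$rows | Where-Object Result -eq 'DENIED' | Group-Object ReasonCode | Sort-Object Count -Descending |
    ForEach-Object { '{0,4} x reason {1}: {2}' -f $_.Count, $_.Name, $_.Group[0].Reason }
```

Set `$ClientFilter` to the UTM's RADIUS client name or IP to see only its requests; a 6273 whose CRP column is blank and whose reason is 49 tells you the request never matched any connection request policy, so the UTM's request attributes (NAS type, client address) are the thing to compare against the policy conditions. To capture the whole policy set in a form you can diff against a known-good server, `Export-NpsConfiguration -Path` writes it out as XML.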

  • Thank y'all for your prompt replies :) I failed to include in my initial post I do have test policies in place.

    Despite the policies being the most permissive, the Windows NPS logs throw errors 48/49- no applicable policies were found to permit the request received from Sophos.

    Connection Request Policy:

    * Enabled

    * Type of network access server: unspecified

    * Conditions: Day and time restrictions- permit all

    * Authentication Methods: override network policy authentication settings; all EAP allowed

    Network Policy:

    * Enabled

    * Grant access

    * Type of network access server: unspecified

    * Conditions: Day and time restrictions - permit all

    * Constraints: All EAP types enabled, all Less secure authentication methods enabled except Allow clients to connect without negotiating an authentication method

    * Settings: None

  • As I said, have you tried a real VPN connection, rather than the SOPHOS radius test?

  • Funny, Andrew, I don't know why I copied that section about the HTTP Proxy from my list of Community Links.  It does address Backend Groups based on AD, but ???

    All of my clients that have AD use AD Backend Groups to authenticate SSL VPN Remote Access.  I only recommend RADIUS for IPsec, PPTP and WPA2 Enterprise auth with Wireless Protection - otherwise, it's just a hassle to use this "ancient" (eight+ years older than AD) method that, in essence, rides on top of AD.

    Cheers - Bob
