Sophos XG detect wrong user group

Hi everyone,

I'm using SFOS 17.5.7 MR7. I'm having an issue with user groups.
I have an Active Directory server as an authentication server. I have some groups for users where I can apply a policy for each.
This was running fine. But recently I noticed some users are associated with the wrong group.
For example, I'm in IT; I'm supposed to be in the IT group, but Sophos XG put me in the Staff group, which is the default group I set in the Authentication server list.
And the weirdest thing is that although XG put me in the Staff group, it applies the IT policy to me. In the IT policy, I only put the IT group in Identity.

I checked all the configuration following the KBs https://community.sophos.com/kb/en-us/123158 and https://community.sophos.com/kb/en-us/123161 and I'm quite sure I did it right.

But I have no idea what's wrong with my XG. Could you please advise?

  • Hi,

    Do you belong to both the IT group and the Staff group?

    Please check the following Sophos KB: https://community.sophos.com/kb/en-us/123161

  • In reply to Dimitar Nikolov:

    So let's wrap up.

    XG can actually work with multiple groups in the backend.

    It will not be displayed in the GUI, but XG knows all User Groups.

    The Default Group (Primary Group) on XG is for certain points like digest etc.

    But Firewall Policies and Web Filter work with multiple Groups.

    Like you said:

    And the weirdest thing is that although XG put me in the Staff group, it applies the IT policy to me. In the IT policy, I only put the IT group in Identity.

  • In reply to Dimitar Nikolov:

    Thanks for all your responses. In AD, I belong to the Domain Users group (primary group) and the IT group.

  • Hello

    I have trouble with XG connected to multiple ADs: it does not correctly recognize the user groups and puts them in the default Open group.

    Case #8896626 has been open for weeks without any constructive answer from support...

  • In reply to guillaume bottollier:

    It seems to be a bug of the new OS. What version are you using?

  • In reply to The Do:

    Hello

    I am using v17.5.7, the most stable firmware ever released...

  • In reply to guillaume bottollier:

    As previously said, this is not a bug. It is a feature.

    XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

    So to speak, if you have a User in IT and User, for example, and you create a Firewall Rule with Group IT, this Firewall Rule will be used.

    Firewall Rules use "first match".

    There is a bug in the Firewall Policy Tester, which does not reflect this behavior. The Firewall Policy Tester only uses the Primary Group, so this will give you wrong output.

    But the Firewall Rule will work properly.

    The question is, what do you want to achieve? Such setups with multiple groups in them can be very complex.

  • In reply to LuCar Toni:

    I just realised one more weird thing. I set traffic shaping for the IT group to unlimited. The FW put me in the Staff group, which is supposed to have 8 Mbps. When I test the bandwidth, it's unlimited (???). But when I show the FW log, it shows the rule for Staff is applied to me (based on the Rule ID). I'm really, really confused.

  • In reply to The Do:

    Firewall Traffic Shaping takes precedence over the direct User / Group Shaping.

    So if you have a User which is in both Groups, but you have two rules (1. IT, 2. Staff), then the IT Rule will hit and the Traffic Shaping of IT will take place.
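    A small model of the behaviour described in these replies (first match over all backend groups for the live firewall and its shaping; only the displayed primary group for the Policy Tester), added here as an illustration. It is not Sophos code: the rule semantics, the sample rule table and the sample user are assumptions built to mirror the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    rule_id: int
    groups: Set[str]               # identity groups on the rule; empty set = any user
    shaping_mbps: Optional[float]  # traffic shaping on the rule; None = unlimited


@dataclass
class User:
    name: str
    shown_group: str     # the single group the XG GUI displays (default/primary group)
    ad_groups: Set[str]  # every group membership XG learned from AD in the backend


def first_match(rules: List[Rule], groups: Set[str]) -> Optional[Rule]:
    """Walk the rule table top-down; return the first rule whose identity
    condition matches any of the given groups (first match), else None."""
    for rule in rules:
        if not rule.groups or rule.groups & groups:
            return rule
    return None


def live_firewall(rules: List[Rule], user: User) -> Optional[Rule]:
    """Live evaluation as described in the replies: all backend groups count."""
    return first_match(rules, user.ad_groups)


def policy_tester(rules: List[Rule], user: User) -> Optional[Rule]:
    """Policy Tester as described in the replies: only the displayed group counts."""
    return first_match(rules, {user.shown_group})


def compare(rules: List[Rule], user: User):
    """Return (live rule id, live shaping, tester rule id, tester shaping)."""
    live = live_firewall(rules, user)
    test = policy_tester(rules, user)
    return (live.rule_id, live.shaping_mbps, test.rule_id, test.shaping_mbps)


# Constructed rule table and user mirroring the thread (assumption):
# rule 1 = IT (unlimited), rule 2 = Staff (8 Mbps), rule 3 = catch-all.
RULES = [Rule(1, {"IT"}, None), Rule(2, {"Staff"}, 8.0), Rule(3, set(), 2.0)]
OP = User("the_do", shown_group="Staff", ad_groups={"Domain Users", "IT"})

if __name__ == "__main__":
    print(compare(RULES, OP))  # (1, None, 2, 8.0): live hits IT, tester says Staff
```

    The live firewall and the Policy Tester disagree for the same user, which is the "wrong output" the reply above attributes to the tester; it does not explain the Staff rule ID seen in the log, which the thread leaves open.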

  • In reply to LuCar Toni:

    I'm a member of only the IT group in AD.

  • In reply to The Do:

    We would need the Access_server debug log to see if this is true (or at least whether the correct value is delivered by AD).

    So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

    Which groups did you import on XG?

  • In reply to LuCar Toni:

    Hi,

    Each user belongs to 2 groups: the primary group Domain Users and one of three groups: IT, Staff, Faculty.

    I just imported those 3 to AD. I didn't import the Domain Users group.

  • In reply to LuCar Toni:

    Hello

    In my case, I have many ADs registered on the XG, with many groups imported for each.

    In certain cases, for certain users, the group is not recognized and is classified by the XG as the Open group, even if the user is only a member of one group, correctly imported in the XG.

    As I told you, the case has been handled by level 3 for weeks without any news...

  • In reply to guillaume bottollier:

    Well, I think Sophos just puts the user in the default group. In your case, it's the Open group.

  • In reply to The Do:

    Please do not mix two different issues in one thread.

    First of all, did you actually order the Groups on XG?

    Second, could you please share a screenshot of one User and the group tab?