TL;DR: Users from external servers (Okta RADIUS) keep falling back to the default group (Open Group) after the second login, even though I'm adding them manually to a different group.

Details:
1. I've configured my Okta RADIUS agent and integrated it with Sophos. Users are able to log in to the user portal, and Sophos does provision those users.
2. Once I have a newly provisioned user, I'm replacing his/her group from the default Open Group with some other local group (e.g. RnD).
3. When they try to access the remote VPN they get an error stating they cannot log in.
4. After checking the admin portal I clearly see that the user was "added back" to the default Open Group.

The same behaviour occurred when trying to add an external LDAP server as an authentication source. I was hoping I wouldn't experience this behaviour with RADIUS, but I was wrong.

Please help.

This information might help:
Sophos XG version: SFVH (SFOS 17.5.9 MR-9.HF062020.1)
Okta RADIUS group config (from their docs):

Step 6 – Use Okta group membership information for authorization (Optional)
You can configure Okta to provide different levels of authorization and access based on the groups to which users belong for a RADIUS-enabled service. Use the following procedure for each app to configure by group membership.
Steps 3-6 refer to the screen shown below.
Specify the Okta groups that you want to include in the RADIUS response if a user belongs to them.
Note: This means that if a user belongs to four groups, but you only list two of the four in this field, Okta will only pass the two groups to your RADIUS-enabled app. Likewise, if your user doesn’t belong to either of the two groups you listed in this field then Okta will not return any group for that specific user.
After successfully completing this configuration, Okta passes group membership information to your RADIUS enabled app or system. You can now log into your app or infrastructure and configure its action based on these specific groups.
Hi Shmulik Ahituv,

The user group membership (for LDAP and RADIUS users) will be defined based on the "Group Name Attribute" set on XG. XG will request that parameter from the LDAP/RADIUS server during user login, and based on the response from the server it will check the available (configured) group list on XG. If it finds that the group name received from LDAP/RADIUS is configured or present in the XG group name database, then the user will become a member of that group; if it does not find any matching group name in the XG group list, then the user will become a member of the Default Group (which is generally set to Open Group).

So in your case, chances are the received group name is not present in the XG group name list, and due to that the user is falling under the default group. Or the Group Name Attribute needs to be set correctly on XG, or the Group Name Attribute response coming from the server is not giving the proper group name details or format.

You may check the access server debug logs to verify the response from LDAP/RADIUS for the "Group Name Attribute" parameter:

#service access_server:debug -ds nosync
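A small model of the lookup described in the answer, added here as an illustration and not code from Sophos or Okta: it pulls the group-name attribute out of a RADIUS reply and applies the "match a configured XG group, else Default Group" rule. The Filter-Id attribute type (11) and Reply-Message (18) are the RFC 2865 values; the group names, the sample replies and the exact-string comparison are assumptions.

```python
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)
REPLY_MESSAGE = 18  # RADIUS attribute type for Reply-Message (RFC 2865)


def parse_radius_attributes(data: bytes) -> list:
    """Split the attribute section of a RADIUS packet (the bytes after the
    20-byte header) into (type, value) pairs. Each AVP is laid out as
    type (1 byte), length (1 byte, header included), value."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def encode_attr(atype: int, value: bytes) -> bytes:
    """Build one AVP; used only to construct the sample replies below."""
    return bytes([atype, len(value) + 2]) + value


def resolve_group(attrs, xg_groups, default_group="Open Group", group_attr=FILTER_ID):
    """Model the XG lookup from the answer: take every value of the configured
    group-name attribute from the server's reply and return the first one that
    is also configured on XG; with no match the user lands in the default group.
    Exact, case-sensitive string comparison is an assumption of this model."""
    names = [v.decode("utf-8", errors="replace") for t, v in attrs if t == group_attr]
    for name in names:
        if name in xg_groups:
            return name, names
    return default_group, names


# Constructed sample replies (not real captures): attribute bytes that would
# follow an Access-Accept header. Group names here are hypothetical.
XG_GROUPS = {"Open Group", "RnD", "Sales"}
ACCEPT_WITH_GROUP = encode_attr(FILTER_ID, b"RnD") + encode_attr(REPLY_MESSAGE, b"ok")
ACCEPT_NO_GROUP = encode_attr(REPLY_MESSAGE, b"ok")        # server sent no group at all
ACCEPT_UNKNOWN_GROUP = encode_attr(FILTER_ID, b"rnd-vpn")  # name not configured on XG

if __name__ == "__main__":
    for label, pkt in [("group", ACCEPT_WITH_GROUP), ("none", ACCEPT_NO_GROUP),
                       ("unknown", ACCEPT_UNKNOWN_GROUP)]:
        group, seen = resolve_group(parse_radius_attributes(pkt), XG_GROUPS)
        print(f"{label:8s} server sent {seen!r} -> XG assigns {group!r}")
```

The second and third cases are the two failure modes the answer names: the server returns no group attribute at all, or returns a name that does not exactly match a group configured on XG; both end in the default group.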
In reply to Vishal_R:
Thanks, this helped. Although the access server debug logs are hard to understand and you can't actually see the RADIUS server response, I've managed through them to see what the expected group name attribute is: Filter-Id. I'm using the Okta RADIUS agent and RADIUS app, and the group response should be set in the RADIUS app in the Okta admin panel. Thanks.