Users keeps on falling back to open group (Default group) with Radius authentication


Users from external servers (Okta radius) keeps on falling back to default group (open group) after second login even though i'm adding them 
manually to a different group.


1. I've configured my Okta radius agent and integrated it with sophos, users are able to log in to the user portal and sophos is indeed provision those users.
2. Once i have a new provisioned user i'm replacing him/her group from the default open group to some other local group (e.g. RnD).
3. When they try to access remote VPN they are getting an error stating they cannot log in.
4. after checking the admin portal i clearly see that the user was "added back" to the default open group.

Same behaviour occurred when trying to add external LDAP server as an authentication source, i was hoping i wont experience this
behaviour with Radius but i was wrong.

Pleas help.

This information might help
sophos xg version: SFVH (SFOS 17.5.9 MR-9.HF062020.1)
Okta radius group config (from their docs):

Step 6 – Use Okta group membership information for authorization (Optional)


  • Hi  

    The user Group membership (for LDAP and RADIUS users) will be defined based "Group Name Attribute" set on XG. XG will request that parameter from the LDAP/RADIUS during user login and based on response from server it will check the available group list ( configured group list) on XG. If it will find the response received  for group name from LDAP/RADIUS is configured or present on XG group name database then user will became member of that group and if it will not find any matching group name on XG group list then user will became member of Default Group ( which is generally set to Open Group).

    So in your case, chances may there the received group name not present in XG group name list and due to that user falling under default group. OR Group name attribute need to set correctly on XG or Group name attribute response coming from server is not giving proper group name details or format.

    You may check the access server debug logs to verify the response from LDAP/RADIUS for  "Group Name Attribute" parameter.

    #service access_server:debug -ds nosync 

  • In reply to Vishal_R:

    Thanks, this helped.
    Although the access server debug logs are hard to understand and you cant actually see the radius server response i've managed through them 
    to see what is the expected group name attribute-Filter-Id.
    I'm using okta radius agent and radius app and the group response should be set in the radius app in the okta admin panel.