VPN and SSO authentication

Hello

I'm connecting a remote branch office to the main office via a VPN (PPTP) connection. In the main office there is an XG Firewall, in the branch office a MikroTik router. I need to authenticate my remote users by using a Domain Controller located in the main office. Currently, in the main office the Active Directory and SSO integration works correctly. I can authenticate the users in the remote office with the AD, but in the XG Firewall, the traffic of the remote users appears with the VPN user, not the AD user. How can I mark the traffic of the remote users with the AD user, not with the VPN user?

Thanks

  • Juan,

    In order to use PPTP/L2TP-IPsec along with AD users, you need to configure RADIUS. See the following thread:

    https://community.sophos.com/products/xg-firewall/f/authentication/75405/problems-with-ad-authentication-and-pptp-vpn-access/290147#290147

    Regards

  • Hi Juan,

    If you are using AD authentication, you would need to check whether the priority of the authentication server is set to primary for the AD you wish to authenticate from. As for the XG users, you may remove local, and with AD you may need to use PAP instead of MS-CHAPv1/2.

  • Thanks for your answers.

    The problem was that, for the UTM, the traffic originating in the branch office was seen with the public IP address of the MikroTik router, because for the UTM the PPTP connections are "Remote Connections". The solution was to establish an IPsec site-to-site VPN between the UTM and the MikroTik router. Now I can authenticate the branch users with the Domain Controllers of the main office, route all the branch office traffic through the main office UTM and apply user-based firewall rules.

    However, I have a problem with server publication in the branch office. It is strange because I can ping the remote server from the UTM, but the server publication through the UTM public IP address doesn't work. Maybe an IPsec routing problem?

    Regards

  • In reply to Juan Pablo Lopez Martinez:

    Hi Juan,

    Could you post a diagram (you may change the addresses) and let us know whether the issue is with the authentication or the Internet traffic?