Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended read describes how to use Azure MFA for SSL VPN and User Portal.

Inspiration for this post was taken from https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/

One of the things that I’ve seen at work is that Sophos Firewall VPN users are using one token for Sophos SSLVPN and another, for example, Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using can do the “pop-up”, letting the user easily sign in like this:

Nonetheless, it’s easier for the IT dept. (and the user!) to maintain only one token solution 

Here is the auth flow for Azure MFA with NPS Extension:

Nice, isn’t it 

So how to fix it?

Radius Validation

We set up Sophos Firewall for RADIUS validation for SSLVPN and UserPortal access. If you use the built-in OTP solution, turn it off. 

To get started:

• If you don’t have MFA turned on for your Office 365/Azure AD accounts, you can turn on it through the following link: https://aka.ms/mfasetup
• Of course, you need to set Azure AD Connect to get your on-premises talking with Azure. I won’t go into the details here, as I assume this is already set and working. 

Let’s go:

1. Install the Network Policy Server (NPS) role on your member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we’ll go ahead and place this on the domain controller, but remember, it’s also possible to do it on a domain-joined member server!

2. Press “Next,” and the installation begins:

3. After installation, Download and install the NPS Extension for Azure MFA here:
4. https://www.microsoft.com/en-us/download/details.aspx?id=54688

Note: As I did try this on a server with already set NPS, it failed with the other mechanisms because of this:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa”

Control RADIUS clients that require MFA

Once you turn on MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one.

Configure RADIUS clients for whom you want to require MFA to send requests to the NPS server configured with the extension and other RADIUS clients to the NPS server not configured with the extension.”

So the “workaround” is to run the MFA for the Sophos on a separate NPS instance 

1. After it’s installed, go and follow the configure is like it’s stated here (Find TenantID and run Powershell script):
   https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-director
2. Go and configure your radius Client. Here it’s the Sophos Firewall:

   Remember the secret. We need it later on.

3. Create a “Connection request policy”:
   

   Type here the IP of the Sophos Firewall

   Just set like above, and the rest of the settings, leave them to their defaults 

4. Now, create a “Network Policy.”

   Add a domain group that shall have this access. To simplify, here I have chosen domain\Domain Users.
   Now, for the EAP types, XG does only support PAP, as far as I have tested:

   
   You’ll get a warning that you have chosen unencrypted auth (locally—not on the internet!). Just press OK.
   Just leave the rest to their defaults and save the policy.

5. Now, to create a firewall rule:

6. Now, to set the XG for this:

   Press ADD. Remember to choose RADIUS:

   Fill in as your environment matches:

   Type in the secret you wrote down earlier and create a host object for your NPS. Also, remember to change the timeout from 3 to 15 seconds!

   You can now test if NPS and Azure MFA authentication is working. Change the Group name attribute to “SF_AUTH”

   Press the TEST CONNECTION button:

   Type in a user username (email address) and password, and your phone must pop-up with Microsoft Authenticator 

   You must see this soon after you accept the token:

7. Now head over to the Authentication –> Services section:

   Add the new RADIUS server to:
   – User portal authentication methods
   – SSL VPN authentication methods

   Also, make sure that the group your AD / RADIUS users are in is added to the SSLVPN profile:

8. Now login to the User Portal and download a VPN client (You can't use the old ones if you already had those installed)
9. Now connect through VPN, type in your full email username and password, then wait for MS Authenticator to pop-up, accept the token, and you’re logged into VPN. 

UPDATE: 20/11-2023

Due to recent changes in the module and Entra, you’ll need to add this to the registry of the NPS server:

1. On the NPS Server, open the Registry Editor.
2. Go to to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
3. Create the following String/Value pair:
   • Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
   • Value = FALSE
4. Restart the NPS Service.

WHY: How number matching works in multifactor authentication push notifications for Microsoft Authenticator | Microsoft Learn

References: 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

https://community.sophos.com/kb/en-us/127328

Source: https://martinsblog.dk/sophos-xg-use-azure-mfa-for-sslvpn-and-userportal/