RADIUS Authentication + RADIUS Timeout for MFA Prompt

Hello. We have an MFA platform that can function as a RADIUS server. Any chance we can use a separate RADIUS authentication service and that service's MFA options with Sophos Connect?

  • This should be possible in V18. 

    V18 will implement a RADIUS timeout, which will lead to MFA support. 

    Did you test V18? 

    I have a box running v18 but not in the production environment that runs our RADIUS server. I'm trying to figure out a way to test and will update if so.

  • I set this up in my lab for testing. The RADIUS server tests fine using the Sophos server test button, but switching IPsec authentication to use the RADIUS server causes the Sophos Connect client to fail login. The error in the XG log is "User x failed to login to VPN through RADIUS authentication mechanism because of challenge-response mechanism is not supported by the client".

    Hi Ken, 


    Maybe  can comment on that. 

    Does the feature with RADIUS authentication work with SSL VPN? Could you try this? 

    Important: Please also use RADIUS authentication for the User Portal. Since V18, you can specify a separate service for the User Portal. 

    That is important, because XG will create a new SSL VPN user for RADIUS, which will only work with RADIUS. So you have to log in as a RADIUS user in the User Portal. 


    Hello Ken,


    You have to log in to the user portal and then add that user to the Sophos Connect Client policy. Then you connect with the Sophos Connect Client to get MFA working. Make sure you set the timeout value to 30 seconds or more; up to 60 seconds is the maximum allowed.


    Please let us know.




    We're trying to avoid the hassle of using the user portal. 1. We don't want it open to the internet. 2. It references the Sophos app and we don't want to have to worry about deploying/supporting another app. Most importantly, 3. we already have an Identity Management Service with an app and MFA that can use RADIUS that we want to integrate with.

    Hello Ken,

    With the current implementation in XG Firewall, I do not see a way around NOT using the user portal. My understanding is that you MUST have the user log in to the user portal in order for XG to register this user first. Then, as an XG admin, you must include this user in the Sophos Connect Client policy. Please correct me if my understanding is not correct.

    Secondly, I do not understand the references to the Sophos app. How does this come into the picture?

    Best Regards,
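Added example (editor's illustration, not code from this thread, from Sophos or from any MFA vendor): a minimal RADIUS PAP client plus a constructed loopback test double that shows the two mechanisms the thread discusses. The first Access-Request gets an Access-Challenge carrying the MFA prompt and a State attribute; that challenge round is the "challenge-response mechanism" the XG log line says the client does not support. The Access-Accept or Access-Reject only arrives after the user answers, which is why the firewall's RADIUS timeout has to be longer than the time a user takes to approve the prompt; the `delay` parameter of the test double mimics that wait, and `authenticate` returns `None` when the reply does not arrive within the timeout. The MD5 User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, user name, State value and OTP are assumed values.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # RFC 2865 attribute types

def pap_transform(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with MD5(secret + previous block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk if decrypt else block      # chaining always uses the ciphertext block
        out += block
    return out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_request(ident, authenticator, secret, username, password, state=None):
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_transform(password.encode(), secret, authenticator))]
    if state is not None:                       # challenge round: echo the server's State back
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(data, secret, request_auth):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or spoofed reply)")
    return code, ident, decode_attrs(data[20:])

def authenticate(server, secret, username, password, otp_callback, timeout):
    """Client side. Returns the final code, or None if no reply arrived within `timeout` seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    def round_trip(ident, pw, state):
        auth = os.urandom(16)
        sock.sendto(build_access_request(ident, auth, secret, username, pw, state), server)
        data, _ = sock.recvfrom(4096)
        code, rid, attrs = parse_response(data, secret, auth)
        if rid != ident:
            raise ValueError("identifier mismatch")
        return code, dict(attrs)
    try:
        code, attrs = round_trip(0, password, None)
        if code == ACCESS_CHALLENGE:            # the MFA prompt; a client that cannot answer it fails here
            otp = otp_callback(attrs.get(REPLY_MESSAGE, b"Enter code").decode())
            code, attrs = round_trip(1, otp, attrs[STATE])
        return code
    except socket.timeout:                      # firewall-side RADIUS timeout shorter than the user's approval
        return None
    finally:
        sock.close()

def fake_mfa_server(secret, state=b"sess-1", otp=b"123456", delay=0.0):
    """Constructed test double of an MFA-capable RADIUS server on loopback (assumed State and OTP).
    First request -> Access-Challenge; follow-up with matching State and OTP -> Access-Accept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        try:
            for _ in range(2):
                data, peer = srv.recvfrom(4096)
                ident, req_auth, attrs = data[1], data[4:20], dict(decode_attrs(data[20:]))
                time.sleep(delay)               # user is approving the push or typing the code
                if STATE not in attrs:
                    reply = [(REPLY_MESSAGE, b"Enter your MFA code"), (STATE, state)]
                    resp = build_response(ACCESS_CHALLENGE, ident, req_auth, secret, reply)
                else:
                    pw = pap_transform(attrs[USER_PASSWORD], secret, req_auth, decrypt=True).rstrip(b"\x00")
                    ok = attrs[STATE] == state and hmac.compare_digest(pw, otp)
                    resp = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret, [])
                srv.sendto(resp, peer)
        except OSError:
            pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Usage: `authenticate(fake_mfa_server(secret), secret, "ken", "hunter2", lambda prompt: "123456", timeout=30)` returns `ACCESS_ACCEPT`; the same call against `fake_mfa_server(secret, delay=45)` with `timeout=30` returns `None`, which is the situation the advice about a 30 to 60 second timeout is meant to avoid. A VPN client that never sends the second Access-Request at all, as the XG log line describes, would simply stop after the Access-Challenge.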