

Add domain user account as administrator.

On UTM 9, I had it set up to use some domain accounts as administrators of the appliance. In XG I can add the DCs as authentication servers and set the order of the auth services, but I don't see where I can add or define a user account from the domain as a Sophos Administrator.

Does anyone have some steps on this, or maybe some pointers?

So far I have:

  • Created an authentication server and tested it.
  • Imported groups via the import wizard on the auth server that was added. (There is no import-users option, just groups, and I can see groups from the domain.)
  • Under Authentication services I've added the server as the first in the list of selected authentication servers and set the default group to the group my admins are members of. I then used the firewall methods that are set up for the rest of the auth methods.

I haven't seen where I can import a user, nor in the creation of a user do I see where I can say it's a domain user. When trying to sign on, it rejects authentication with a simple "Login Failed."

The admin logs show the user failed due to "wrong credentials". (Valid creds are being used; they work on UTM9 for domain logon and on the system I'm logged into to connect to XG.)

Any input would be appreciated!



  • In the XG firewall you can allow administrative access to security groups in AD; it's different from what you have seen in the UTM appliances. Initially, when you integrate the firewall with Active Directory and import the groups, the XG firewall only imports the groups and not the users inside the group.

    The bottom line is that Active Directory users can log in to the XG firewall using their domain account, but there are a couple of steps added to this. If a user xyz@domain.com would like to manage the appliance, there are a few additional steps before we can achieve this:

    Step 1 involves System > Authentication > Authentication Services. Make sure the Active Directory server that was added earlier is selected under Administrator Authentication Methods and Firewall Authentication Methods.

    Step 2: The admin user from AD has to log in to the user portal at https://ipofXGfirewall if he is connecting from the WAN, or simply log in to the captive portal if the admin user is behind the firewall. The intention behind this is that the login will auto-create the user account for the admin users.

    Step 3: The super admin user has to approve all the admin users from Active Directory manually; this can be done under Objects > Identity > Users (this is just for additional security reasons). Attaching a screenshot below for your reference.

  • I see what you are saying here, as backwards as the process sounds compared to UTM.

    However, the first test did not actually work and still threw the same error. I will work more on it tonight and pull logs from my DCs to see what's coming their way, and will report back.

    Thank you for the reply.