Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Add domain user account as administrator.

On UTM 9, I had it setup to use some domain accounts as administrators of the appliance. In XG I can add the DC's for authentication servers, and set it so they are in order of the auth services, but I don't see where I can add or define a user account from the domain as a Sophos Administrator.

Does anyone have some steps on this, or maybe some pointers?

So far I have:

  • Created an authentication server and tested.
  • Imported groups via the import wizard on the auth server that was added. (no import users option, just groups, and I can see groups from the domain.)
  • Authentication services I've added the server as the firs in the list of selected authentication servers and set default group to the group my admins are a member of. And then used the firewall methods that are setup for the rest of the auth methods.

I haven't seen where I can import a user, nor in the creation of a user do I see where I can say it's a domain user. When trying to sign on, it rejects authentication with a simple "Login Failed."

The admin logs show the user failed due to "wrong credentials". (valid creds are being used, they work on UTM9 for domain logon and the system I'm logged into to connect to XG.)

Any input would be appreciated!



This thread was automatically locked due to age.
Parents
  • In the XG firewall you can add allow the administrative access to a security groups in AD, its different from what you have seen in the UTM appliances.Initially when you integrate the firewall with the Active directory and Import the groups XG firewall only imports the Groups and not the users inside the group.

    The bottom line is Active Directory Users can login to the XG firewall using their domain account but there was a couple of steps added to this. If an user xyz@domain.com would like to manage the appliance, there were 2 additional steps added before we can achieve this 

    Step 1 involves the System>Authentication>Authentication Services Make sure the Active directory server that was added earlier is selected under Administrator Authentication Methods and Firewall Authentication Methods 

    Step 2 The admin user from AD have to login to the user-portal @ https://ipofXGfirewall if he is connecting from WAN or simply login to the captive-portal if the admin user is behind the firewall. The intention behind this behind the firewall will auto create the user account for the admin users. 

    Step 3: The super admin user have to approve all the admin users from the Active Directory Manually this can be done under objects > identity > users  (This is just for additional security reasons) attaching a screen shot below for your reference. 

  • Ok I have checked and when using a domain user to authenticate to the portal at https://ipofXGfirewall, I see successful authentication events on the DC's. (As well as failed auth events when I purposefully put in an invalid password.)

    However, I continue to receive "Login Failed" on the portal and no user is automatically created in XG users.

    To recap, course of events:
    1. DC is added as auth server. Test option performed and successful.
    2. Import of groups.
    3. Set auth services to use DC as first in list. and group to one of the groups imported. (user is member, for test I even tried Domain Users.)
    4. Sign in to https://ipofxgfirewall
    5. receive "Login Failed".
    6. Logs in XG show failed because of wrong credentials.
    7. Confirmed in domain controller that the security event was a successful authentication attempt.
    Also confirmed a failed attempt reports correctly.

    So at this point while I see the auth attempts making it to the DC and being validated as a success, the XG is failing and not creating the user. (I assume the login failed is simply because the user does not exists locally in the XG's user list at this point.)

    I will do some additional testing this weekend, but I would also like to submit an enhancement request.

    Story: As a firewall administrator, I would like the ability to create a domain user in the users list manually, so that the user may be staged as an admin and authenticate as such.

    Thanks.

    EDIT:

    Noticed these in the access_server.log:

    ERROR Nov 13 22:21:12 [4135582528]: adsauth_authenticate_user: '10.100.1.11:636':(filter: '(sAMAccountName=jonathan)') USER not found
    ERROR Nov 13 22:21:12 [4141873984]: pg_db_handle_authenticate_user: No rows found
    ERROR Nov 13 22:21:12 [4144678656]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed

    I'm not sure of your error structure, but to line this up with the successful DC event:

    A logon was attempted using explicit credentials.

    Subject:
    Security ID: SYSTEM
    Account Name: <masked>
    Account Domain: <masked>
    Logon ID: 0x3E7
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:
    Account Name: jonathan
    Account Domain: <masked>
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:
    Target Server Name: localhost
    Additional Information: localhost

    Process Information:
    Process ID: 0x204
    Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Network Address: 10.100.1.254
    Port: 59856

    This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

  • In authentication Server edit AD and insert "Search Queries" with dc=domain,dc=local.
  • That did it, thanks!
    Always is the one right in front of me I miss.
Reply Children
No Data