SSO Transparent Authentication "How To"

Hi,

We are having difficulty with client authentication in SSO (Single Sign-On) transparent authentication mode.

I found a "How to" on the Sophos Community site (community.sophos.com/.../123159), but it uses the "Sophos Single Sign-On Client" installed on the workstation. We need to authenticate our Windows AD users without installing any client. Sophos SSO seems to be the way to do that, but I have not been able to get it working. Users from AD are authenticating in the user portal successfully, but SSO is not working as we require.

In the last version it was necessary to join the firewall to AD, but in the new version I cannot see where to do that, and I do not know if it is necessary.

Thank you for your help!

  • David, there is another thread that describes the how-to of AD SSO. Follow these steps:
    1. Create an Active Directory authentication server (System - Authentication - Authentication Server).
    2. Set the authentication method for the firewall to the AD server (System - Authentication - Authentication Services).
    3. Use the group import wizard to import the necessary AD groups (a button next to the edit button of the created AD server).
    4. Set up two policies: 1. a network policy with drop action for the network traffic, and 2. a user-based policy with accept for the same direction with the permitted ports. In the second policy you have to configure the user groups you want to permit for this traffic.
    5. Configure your browser to use and transmit the Windows credentials. IE does that by default; Firefox has to be configured to do that: www.liquidstate.net/.../.
    Unfortunately the log does not show how long the request then takes.
    In my lab it does work for the internet traffic and browsing without getting a popup, but it seems to be slower.
    Let me know if it helps.

    Christian

  • Christian

    I performed the suggested steps, but it still fails. When trying to browse from a station that is in the domain, it presents the captive portal login screen.
    Any other suggestions?

    Thanks again!
  • Here is the entire configuration in a nutshell. Please undo everything you did with the SSO client. One of the best things I like about the XG firewall SSO is that it never uses/exchanges users' passwords with the AD in the whole clientless SSO process.

    1. You need to Integrate the Active Directory with the XG firewall and make sure the integration is successful.
    community.sophos.com/.../123155 (Using SSL for integration is an optional config, I recommend use the normal config and if this document works try implementing the SSL)

    2. How do you test if the integration is successful? Just log in to http://firewallip:8090 and authenticate with a user, and verify that it's successful and that the user falls into the correct group in the XG firewall. You can check this under System --> Authentication --> Users.

    3. Follow this document from there on
    community.sophos.com/.../123156

    The only place where you might see the problem is when you start the STAS service: you might see a logon failure. You have to go to Services, open the properties of STAS and, under Log On, re-enter the password.

    Make sure the WMI polling is working from the Active Directory, you can check it from the advanced tab on the STAS suite or from the windows machine itself

    Start --> Run --> wbemtest.exe ==> \\ipofworkstation\root\cimv2 --> Query --> select username from win32_computersystem --> Click on Win32 computersystem = Nokey and properties you should see the username.

    Note: WMI should be successful for the STAS to work smoothly because the STAS uses WMI as a log off mechanism to verify the users

    Please let me know if you still have an issue after this; I can give you further instructions.

    Thanks,
    Kranthi
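The wbemtest check above can be scripted so that every workstation STAS is expected to poll is tested from the collector host in one pass. This is an added example, not code from the thread or from Sophos; it assumes it is run on the STAS collector as the STAS service account, and the workstation list is a constructed placeholder.

```powershell
# Added example: verify WMI polling from the STAS collector to each workstation.
# STAS polls over classic WMI (DCOM/RPC), the same path wbemtest.exe uses, so the
# DCOM protocol is forced; the default Get-CimInstance -ComputerName path would use
# WinRM and could give a misleading result.
function Test-StasWmiPoll {
    param(
        [Parameter(Mandatory)] [string[]] $Workstations,   # IPs or hostnames to poll
        [int] $TimeoutSec = 10
    )
    $opt = New-CimSessionOption -Protocol Dcom
    foreach ($ws in $Workstations) {
        $result = [pscustomobject]@{
            Workstation  = $ws
            Reachable    = $false
            LoggedOnUser = $null
            Error        = $null
        }
        try {
            $session = New-CimSession -ComputerName $ws -SessionOption $opt `
                -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
            # Same query the thread runs in wbemtest: the interactively logged-on user
            $cs = Get-CimInstance -CimSession $session `
                -Query 'SELECT UserName FROM Win32_ComputerSystem' -ErrorAction Stop
            $result.Reachable    = $true
            $result.LoggedOnUser = $cs.UserName   # $null means no interactive session
            Remove-CimSession $session
        } catch {
            # Typical causes: "RPC server is unavailable" = DCOM/firewall blocked;
            # "Access is denied" = STAS service account lacks rights on the workstation
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Constructed sample targets (placeholders); replace with real workstation addresses.
$Workstations = @('192.0.2.10', '192.0.2.11')
Test-StasWmiPoll -Workstations $Workstations | Format-Table -AutoSize
```

A workstation that is reachable but returns an empty LoggedOnUser simply has no interactive session; only rows with an Error need fixing before STAS log-off detection will work for that host.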
  • Hello Kranthi,
    this is a very good guide.
    Access to the Internet only works once the user has authenticated at http://IPADRESS-FW:8090. Then the users are created on the firewall, and from then on Internet access works.
    Why does it not work automatically? Do you have any idea?
    Best regards Eugen
  • I am unable to install the STAS client on my AD server. When I go to Objects > Assets > Authentication Clients I get a blank page. When I log into the web portal under the admin account and click download client, it downloads, but the file is 0 bytes. I tried the download from the web portal on multiple computers as well.
  • Slebreton,

    connecting to the XG using SSH, do you find something inside "/content/client_auth_1.x/version/stas"?

    The XG should download client when you install it (update from Sophos websites).

    Luk
  • How do I check that location? When I connect via SSH I get a main menu with 8 different choices.
  • Slebreton,

    connect to XG lan IP using SSH. At menu option press 5 then 3.
    Now move to folder I wrote before and check the content.

    Luk
  • When I get to the folder client_auth_1.00 there is a folder 1.0.001. Inside that folder is blank. Between your last reply and now I have also re-downloaded the XG firewall and reinstalled it as well.
  • This is what you are supposed to see.