

Authentication mechanism order of preference

Hi, what is the order of preference that XG uses to authenticate a client?


I have a specific case at one of our customers that has many UPN suffixes on its Active Directory domain (Office 365), and we are also using Sophos Central Endpoint, so we were having a situation where the client was unable to authenticate using Heartbeat because of the user's UPN.

So we have disabled authentication through the Heartbeat method, following this KB community.sophos.com/.../133190, and started using only STAS. The problem is that we cannot rely on STAS's logoff detection or inactivity timeout; we want to ensure that if a user reboots their computer the firewall will automatically log that user out, and in our experiments only Heartbeat does this well.

So if we add one authentication server for each UPN to solve the problem with Heartbeat, and also configure STAS, which mechanism will be used first?

Sorry for the long question.
Thanks



  • Actually, all of those will be used.

    They will overwrite each other, because basically the same kind of information should be there.

    STAS and HB User ID will show the same user, and the "slowest" of the two will be shown as the Mechanism in Live Users.

    HB will work if, as you said, you create multiple AD servers in XG, each with its own domain.

    There are limitations in creation (the same IP cannot be used multiple times).

    Simple workaround: create multiple DNS records on XG for the same AD server.

    AD server 192.168.1.10:

    AD1: 192.168.1.10
    AD2: 192.168.1.10
    AD3: 192.168.1.10

    Therefore you can use multiple AD servers on XG for the same AD, but with different domains.

    Repeat this process until you have all domains in your Domain covered.

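The workaround above needs one AD server entry on the XG per UPN suffix, so the first thing to establish is which suffixes your users actually carry. The following script is an added example, not code from the thread or from Sophos: it is run on a domain-joined Windows admin host with the RSAT ActiveDirectory module (the `Get-ADForest` and `Get-ADUser` cmdlets) and lists the forest's domain DNS names and registered alternate UPN suffixes, counts enabled users per suffix, and flags users whose suffix is not registered anywhere or who have no UPN at all. The `$suffixCount` tally at the end is the number of AD server entries (and matching duplicate DNS host records) you would need on the firewall for the one-server-per-domain approach.

```powershell
# Added example (not from the thread): enumerate the UPN suffixes in use so you
# know how many AD server entries (one per suffix/domain) to define on the XG.
# Assumes RSAT ActiveDirectory module and an account that can read all domains.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$dnsRoots    = @($forest.Domains)       # DNS names of every domain in the forest
$altSuffixes = @($forest.UPNSuffixes)   # alternate suffixes added for Office 365 etc.

Write-Host "Domain DNS names     : $($dnsRoots -join ', ')"
Write-Host "Alternate UPN suffixes: $($altSuffixes -join ', ')"

# Collect enabled users from every domain in the forest.
# UserPrincipalName is returned by Get-ADUser by default.
$users = foreach ($domain in $dnsRoots) {
    Get-ADUser -Server $domain -Filter 'Enabled -eq $true'
}

# Count users per UPN suffix (the part after the '@').
$bySuffix = $users |
    Where-Object { $_.UserPrincipalName } |
    Group-Object { ($_.UserPrincipalName -split '@')[-1] } |
    Sort-Object Count -Descending

Write-Host "`nEnabled users per UPN suffix:"
$bySuffix | Select-Object Name, Count | Format-Table -AutoSize

# Suffixes in use that are neither a domain DNS name nor a registered alternate
# suffix: these users will not match any AD server entry you define.
$known = $dnsRoots + $altSuffixes
$unknownSuffixUsers = $users | Where-Object {
    $_.UserPrincipalName -and
    ($known -notcontains ($_.UserPrincipalName -split '@')[-1])
}
if ($unknownSuffixUsers) {
    Write-Host "`nUsers with an unregistered UPN suffix:"
    $unknownSuffixUsers | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
}

# Users with no UPN at all can only be matched as DOMAIN\sAMAccountName.
$noUpnUsers = $users | Where-Object { -not $_.UserPrincipalName }
if ($noUpnUsers) {
    Write-Host "`nUsers without a UPN:"
    $noUpnUsers | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# One AD server entry (and one duplicate DNS host record pointing at the same DC)
# per suffix that is actually in use.
$suffixCount = @($bySuffix).Count
Write-Host "`nAD server entries needed on the XG: $suffixCount"
```

Run it once before building the AD1/AD2/AD3 entries: suffixes with zero users do not need an entry, and any user that shows up under an unregistered suffix or with no UPN will keep failing Heartbeat user identification no matter how many entries you add.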

  • Thanks for the reply, Lucar.

    So, as you said, if I want to achieve the desired behavior I must disable STAS, right? Because if the machine is rebooted, STAS won't let the user be logged out from the firewall, right?

  • I would not run multiple authentication methods at the same time.

    If you have a full Heartbeat setup, go with Heartbeat User ID and leave STAS disabled.

    If there are systems which need STAS, you could explicitly include them in STAS and exclude your HB systems.

