
Firewall authentication methods into a default group but need it to split i

Hi there!

I'm using a Double Authentication Factor for my users with the Firewall authentication methods option on a Firewall XG.

- The thing is that all users that authenticate are coming by default to one group "Open-Group" (you can choose a different one, but just one).

  After that, I move the user to other groups that I have set up in some rules, but when the user comes back to connect using the Double Authentication Factor, the user disappears from the group where I have put him and moves again to the default group "Open-Group".

- Is there any way to block the user in one Group?

- Is there any way to have more than one group to use in the option Firewall authentication methods?


Any advice or workaround will be appreciated!!

Regards

  • Hi  

    I would request you to refer to the article - https://community.sophos.com/kb/en-us/123161 to understand Group membership behavior with Active Directory.

    To import groups - https://community.sophos.com/kb/en-us/123158

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello,

    Thanks for the answer, but this is not what is happening.

    The problem that I have is not coming from the AD. It's coming from Firewall Authentication, which is dispatching users to the Default group.


    Regards

  • Hi  

    Did you add OUs or groups to the XG firewall, or did you create groups manually in the XG firewall?

    Are you using AD integration with XG firewall?

    How have you created users and groups in the Sophos XG firewall?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello,

    Sorry for the late response

    The users are coming from a RADIUS server and they are replicated to a default group "Local Group" by default.

    The problem with using the RADIUS server is that all the users are replicated into the same group, and not all groups are replicated as with AD.

    Regards

  • On the menu Configure > Authentication > Services > Firewall authentication methods, you can only select one user group as a Default group.

    I have multiple Radius servers and multiple user groups. I need to associate each Radius server's users with one user group. Right now I can only associate every Radius server with the same single user group.

  • The point is, XG uses every sign-in of any user against XG (any sort of auth) to evaluate the authentication and all groups.

    So if you change something on the GUI, it will be overwritten by XG, because the Backend does not reflect your change.


    The good part is, the primary group is not the only group you can use for firewalling.

    XG "knows" all groups returned by the AD/Radius. Therefore, even if the group looks empty on XG, it will still use this group for Firewalling.

    __________________________________________________________________________________________________________________

  • LuCar Toni Thanks for your reply!

    So what I'm understanding from all of this is that I can only use this default group "Open group", because as you said XG will overwrite all my changes when the user authenticates.

    The thing is that we want to have the same structure as we have with AD (using the groups for firewalling). But using the Firewall Authentication Methods for the RADIUS, everyone goes to the same default group, and obviously I can't move them from the default group because they come back to the default all the time.

    Any suggestion?

    Regards.


  • Let me rephrase my point:

    There are different mechanisms which use the so-called Primary Group. Examples: Email Digest, Hotspot, VPN etc. (Basically everything attached to the Group configuration, if you open a Group).

    Other mechanisms like Firewall and Proxy can use all groups attached to one user.


    If you authenticate a user, let's call him Bob, XG will ask the AD or Radius (whichever comes first) which groups Bob is in. If AD/Radius tells XG he is in HR, Users and Admin, XG will try to match those results against the imported Groups. Let's say only Users and Admin are imported. XG will ignore HR and match the first match in Groups to this user. If the user now uses the Internet, XG still knows the user is in Admin and Users, even if the group Admin is empty. So if Bob accesses SSH on a server and you allow SSH access for the group Admin, it will be allowed.

    The Default group at the bottom is simply a group for XG if the result coming from AD/Radius does not match any imported groups. Seems like your Radius is doing that. It does not give XG any result XG can match against anything, therefore the user will be thrown into the Default group.

    __________________________________________________________________________________________________________________

  • Thank you LuCar Toni. I really appreciate it!

    Then I have already found what my problem is:
    When I import from Active Directory directly, it replicates in XG the groups and the user with the domain ("user@domain").
    When I import from RADIUS it replicates the user without a group and without the domain ("user").

    So XG recognises it as a different user, as it does not have the associated domain.
    And obviously it goes to the default group.

    Has any of you had the same problem, or knowledge of how I can solve this?

    Thanks in advance!

  • Difficult, because how should XG interpret those users to be the same?

    XG uses the Domain as UPN. Maybe you can setup your Radius to use UPN instead of SAMAccountname only? 

    Or you import the groups into Radius and use two different users. 


    Why do you use Radius and AD anyways at the same time? 

    __________________________________________________________________________________________________________________

  • Hello,

    We use AD for the users that connect from the Office, and we use a RADIUS Server for the double-authentication TOKEN for those who connect over a VPN SSL connection.

  • Hi  

    You may give the below a try; maybe this will help you fix this issue.

    The solution to this issue is to ensure all usernames are created as just “username” rather than “username@domain”. So it will work with either RADIUS or LDAP (AD) authentication.

    At the moment there is no automated way to do this; you may give it a try by using a utility to sync users from an AD group to an XG Firewall:

    https://community.sophos.com/products/xg-firewall/f/recommended-reads/119313/sophos-connect-syncing-ad-user-groups

    By default vpnsync will use the UPN (user@domain) for the XG username. However, when using RADIUS-based MFA, un-comment the line "type: name":
        #type: upn
        type: name

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.
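The following is an added illustration, not Sophos code and not part of this thread: a small Python model of the group-resolution behaviour LuCar Toni describes above (the first matching imported group becomes the primary group, every matching group remains usable for firewall rules, and no match lands the user in the Default group), together with the "user@domain" versus bare "user" mismatch that the original poster found and that the vpnsync `type: upn` / `type: name` setting addresses. All names, the "Open Group" default, and the sample users and groups are constructed for the example.

```python
# Added illustration for this thread, not Sophos code: a toy model of the
# behaviour described in the thread. Sample data is constructed; the vpnsync
# "type:" values upn/name are the ones quoted in the post above.
from dataclasses import dataclass, field

DEFAULT_GROUP = "Open Group"   # the single Default group selectable on XG (constructed name)


@dataclass
class ResolvedUser:
    username: str
    primary_group: str                                   # used by Email Digest, Hotspot, VPN, ...
    firewall_groups: set = field(default_factory=set)    # usable by Firewall/Proxy rules


def resolve_groups(username, backend_groups, imported_groups,
                   default_group=DEFAULT_GROUP):
    """backend_groups: groups AD/RADIUS reports for the user.
    imported_groups: groups imported on XG, in the order XG lists them.
    Groups not imported on XG (e.g. HR in the thread) are ignored; the first
    imported group that matches becomes the primary group; every matching
    group is kept for firewall rule evaluation; no match -> Default group."""
    reported = set(backend_groups)
    matched = [g for g in imported_groups if g in reported]
    if not matched:
        return ResolvedUser(username, default_group, {default_group})
    return ResolvedUser(username, matched[0], set(matched))


def rule_allows(user, allowed_group):
    """A firewall rule that allows a group matches even if that group looks
    empty on XG, because membership comes from the backend, not the GUI."""
    return allowed_group in user.firewall_groups


def xg_username(upn, mode="upn"):
    """Mimic the vpnsync 'type:' setting: 'upn' keeps user@domain,
    'name' keeps only the part before the '@'."""
    if mode == "name":
        return upn.split("@", 1)[0]
    return upn


def sign_in(store, username, backend_groups, imported_groups):
    """Each sign-in re-evaluates groups from the backend and overwrites
    whatever was set manually in the GUI for that username (the behaviour
    the original poster ran into). The store is keyed by XG username, so
    'bob@example.com' and 'bob' are two unrelated users."""
    store[username] = resolve_groups(username, backend_groups, imported_groups)
    return store[username]


if __name__ == "__main__":
    imported = ["Users", "Admin"]                       # groups imported on XG
    bob = resolve_groups("bob", ["HR", "Users", "Admin"], imported)
    print(bob.primary_group, sorted(bob.firewall_groups))   # Users ['Admin', 'Users']
    print(rule_allows(bob, "Admin"))                         # True, although Admin looks empty on XG
    print(resolve_groups("bob", [], imported).primary_group) # Open Group (RADIUS returned nothing usable)

    # AD sync (upn) and RADIUS (name) produce two different XG users ...
    users = {}
    sign_in(users, xg_username("bob@example.com", "upn"), ["Users"], imported)
    sign_in(users, "bob", [], imported)
    print(sorted(users))                                     # ['bob', 'bob@example.com']

    # ... while syncing with "type: name" makes both sign-ins hit the same user.
    users = {}
    sign_in(users, xg_username("bob@example.com", "name"), ["Users"], imported)
    users["bob"].primary_group = "Admin"                     # manual change in the GUI
    sign_in(users, "bob", ["Users"], imported)               # next sign-in overwrites it
    print(users["bob"].primary_group)                        # Users
```

The `sign_in` function models the point made earlier in the thread that the GUI change is not reflected in the backend and is overwritten on the next authentication; the two `users` stores show why the AD-synced and RADIUS-authenticated identities stay separate until the username format is made consistent.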
