
Duo Integration with Sophos XG for 2FA

Hello,

I have integrated Cisco Duo with Sophos XG (running firmware 18.01), but I have issues with SSL VPN. My AD is my primary authentication method, while Duo is my second-factor authentication. When I test the connection, all works well.

I have changed the SSL authentication method to use Duo first. When I try to VPN, I do receive a PUSH which I approve, but it still fails (wrong username or something like that). I see it on Duo as successful, but it still would not work.

Has anyone done this integration recently on firmware 18, now that we can set timeout values?

Thanks.



  • Hello Tobi,

    Thank you for contacting the Sophos Community!

    If you put an incorrect password on purpose and check /log/access_server.log, what is the error?

    Also try enabling debugging for the access server log; to turn it off, run the same command again.

    # service access_server:debug -ds nosync

    If you test the user accessing the User Portal does it work?

    Can you confirm the user that is using DUO has a group assigned to it, as new accounts might be created by the Radius auth? If this is the case, add the user to the SSL VPN group and have the user re-download the config and try again.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • You need to specify DUO (Radius) for the User Portal as an authentication service.

    Then log in via the User Portal (with DUO) and download the new SSLVPN config. This config should work with DUO.


  • Hello Emmanuel,

    When I input the wrong password, I can see it at the debug level. However, when I put Duo as the first authentication method in the user portal, I can do 2FA successfully to access the portal, but I can no longer see the SSL VPN tab in order to download the config. I see that tab only when I remove Duo from the authentication method.

    Please help.

  • When I put Duo as the first authentication method in the user portal, I can do 2FA successfully to access the portal, but I can no longer see the SSL VPN tab in order to download the config. I see that tab only when I remove Duo from the authentication method.

    I do not understand this behaviour.

  • Seems like your user is not part of the SSLVPN group.

    As DUO uses Radius, the DUO user needs to be part of a group which is part of the SSLVPN config.

    You cannot use cross referenced AD + Radius.

    SSLVPN needs to use groups and users coming from Radius.


  • Hello LuCar Toni,

    Thanks for the response. I think I am missing something, which I need clarification on. What I have presently is XG Firewall integrated with AD, so users from AD can now use resources such as SSL VPN. What I want to add is 2FA, so I have also integrated AD with Duo, so all users on my AD are exposed to my Radius server.

    I am expecting the Duo proxy server (which uses Radius) to act as a proxy for users when they try to connect: check if the username and password match those in the AD, and if they do, issue a push or OTP to the user.

    All groups have been set up and presently get their feeds from the AD.

    You cannot use cross referenced AD + Radius

    If this method would not work, what is my alternative such that I can still leverage AD and Radius at the same time?

    Thanks.

  • XG can do authentication against a Radius OR an AD server. So you get a username+password, and XG can forward this to Radius OR AD to check if this is a valid request.

    If you use an AD server, there is no integration of DUO whatsoever.

    DUO and other systems offer a radius server. 

    If you set up a Radius authentication, XG will create a new user. This new user originates from Radius; therefore the group membership is also from Radius.

    If you set up an SSLVPN, this user needs to be allowed via Radius. So the user or the group, COMING from Radius, needs to be placed in SSLVPN.

    I cannot explain in detail how DUO works, but as far as I know, it can forward the AD groups it gets from the AD server.

    PS: The exact same mechanism is explained here: https://community.sophos.com/xg-firewall/f/recommended-reads/122575/sophos-xg-using-azure-mfa-for-ssl-vpn-and-user-portal

    Only for Azure MFA, which is basically the same service: a Radius server which gives you a YES/NO.


  • I think the bit you are missing is that you need to set up a Network Policy Server (NPS). This is a Microsoft 'add feature' in Windows Server. It is a Radius server that provides the link between DUO (which works using Radius) and AD.

    When authenticating, DUO passes the request to the NPS, which then verifies the credentials against AD.

    The link LuCar has supplied is for Azure, but basically the setup process is the same for on-premises servers.

  • Actually, DUO is the NPS. 

    There is a DUO KB for UTM, which indicates the same mechanism.

    https://duo.com/docs/sophos-utm


  • Checking the documentation, it appears you are quite correct.

    You can do it the way I suggested if you want, in which case Duo Authentication Proxy is just a proxy and NPS is the Radius server. The first article you link to (Azure MFA) uses NPS rather than LDAP.

    I had forgotten that Duo Authentication Proxy can use LDAP. When we set it up some time ago, we were already using Radius via NPS for all our networking equipment and SSH logins, so we just linked Duo Authentication Proxy in to that as the easiest implementation for our existing setup.
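For readers following the two layouts described in the thread (the Duo Authentication Proxy checking the primary password against AD directly over LDAP, or forwarding it to NPS over Radius), here is an added sketch of the proxy's authproxy.cfg. It is not from any poster in this thread or from Sophos/Duo documentation; every `<...>` value (hosts, keys, secrets, search DN) is a placeholder.

```ini
; Constructed example, not from the thread. Replace every <...> placeholder.

; Option A: the proxy verifies the AD password itself over LDAP.
[ad_client]
host=<dc1.example.local>
service_account_username=<duo-svc-account>
service_account_password=<service-account-password>
search_dn=DC=example,DC=local

; Option B (alternative to A): the proxy forwards the password to an NPS
; server over Radius and lets NPS verify it against AD.
; [radius_client]
; host=<nps.example.local>
; secret=<shared-secret-with-nps>

; The side Sophos XG talks to: XG is a Radius client of the proxy, so this
; section's secret and IP must match the Radius server XG has configured.
[radius_server_auto]
ikey=<Duo integration key>
skey=<Duo secret key>
api_host=<api-XXXXXXXX.duosecurity.com>
radius_ip_1=<XG firewall IP>
radius_secret_1=<shared-secret-with-xg>
port=1812
; Which primary-auth section above handles the first factor.
client=ad_client
; client=radius_client        ; use this line instead for Option B
; With radius_client, this relays NPS's Radius reply attributes to XG.
; pass_through_all=true
; "safe" lets primary-auth-only logins through if the Duo cloud is
; unreachable; "secure" rejects them instead.
failmode=safe
```

Whichever option is used, the user XG creates from these Radius logins is the one that must sit in the SSL VPN group, as the thread points out.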