Duo Integration with Sophos XG for 2FA

Question

Hello, 
 I have integrated Cisco Duo with Sophos XG (running firmware 18.01), but have issues with SSL VPN. My AD is my Primary authentication method, while Duo is my second factor authentication. When I test connection, all works well. 
 I have changed the SSL authentication method to use Duo first, when I try to VPN, I do receive a PUSH which I approve, but still fails (wrong username or something like that). I see it on Duo as successful, but still would not work. 
 Has anyone done this integration recently on firmware 18 now that we can set timeout values. 
 
 Thanks.

LuCar Toni · Accepted Answer

XG can do a authentication against a Radius OR a AD Server. So you get a username+password and XG and XG can forward this to a Radius OR AD to check, if this is a valid request. 
 If you use AD Server, there is no Integration of DUO what soever. 
 DUO and other systems offer a radius server. 
 If you setup a radius authentication, XG will create a new user. This new user originate from Radius, therefore the group membership is also from radius. 
 If you setup a SSLVPN, this user needs to be allowed via Radius. So the User or the group, COMING from radius, needs to be placed in SSLVPN. 
 I cannot explain in detail, how DUO work, but as far as i know, it can forward the AD Groups, itself gets from the AD server. 
 
 PS: The exact same mechanism is explained here: https://community.sophos.com/xg-firewall/f/recommended-reads/122575/sophos-xg-using-azure-mfa-for-ssl-vpn-and-user-portal 
 Only for Azure MFA, which is basically the same service = Radius Server, which gives you a YES/NO.

LuCar Toni · Answer

You need to specify DUO (Radius) for the User Portal as a Authentication service. 
 Then login via User portal (with DUO) and download the new SSLVPN Config. This config should work with DUO.

Bart van der Horst · Answer

Hi, 
 I've had that problem to, its solvable. 
 First Duo Authentication Proxy = Radius server and AD Client, so al your AD request could go through Duo AP. You don't need NPS or a AD server in the firewall. Groups are something more difficult, this because Duo AP does not do groups. And the groups from the AD are not respected. Basically you need to choose. 
 When you choose Duo AP, then under groups, make your VPN Users group and give the group policy access to vpn. In Authentications -> Services Under Firewall Authentication you can set a default group, make this your new VPN users group. 
 
 Now if an unknow or new user to the firewall logs on, they will be placed in that group, and vpn access is possible, it then goes through the proxy and ad to sign the user on. 
 This has a disadvantage, all user trying to logon will be placed in this group. But authentication based on AD groups can be managed in the Dou Admin portal, if you have the paid option. 
 Option 2: you can add this line to [ad_client] section of your Dou PA config file: security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com of course correcting it to the vpn user group in the AD, this wil solve the lack of groups sync in the Radius/Duo setup. 
 As LuCar Toni sad, you can not mix Radius Authentication and AD Groups, they have different paths to the same data, but will be treated ad different sources.

JasP · Answer

I've just posted worked examples of 3 ways to setup XG 18 with DUO 2FA - https://community.sophos.com/xg-firewall/f/discussions/124501/3-ways-to-setup-xg-18-with-duo-2fa

Duo Integration with Sophos XG for 2FA

Top Replies