AD Username change

Good morning,

I'm relatively new when it comes to XG firewalls and have a simple question.

We currently have AD set up to sync to our firewall for IPSEC VPN authentication.  Recently, a user had their name changed, which we updated in Active Directory.  It's been about a week and the change hasn't been reflected on the firewall.   I can see the old username, and the user can authenticate just fine, so getting connected currently isn't critical, but I'm more curious why changing a name in AD doesn't sync with the firewall?  Or, is there a way to manually force a sync with the AD?  

I've run through the AD import wizard, which imports the groups from AD to the XG, but that didn't seem to do anything either.   

Which leads me to a much larger question.  Currently, when a new user is created in AD, that new user syncs over to the XG with no issue, but we have to manually grant VPN access to the user.  With our previous firewall, we had an IPSEC VPN security group in AD which synced over to the firewall.  If the user was a member of that group, they were granted access to connect.  Is there a method to accomplish the same thing?  Ideally, I'd like to just have the same security group handle VPN access on the XG, but all my tests fail.  The group is present in the XG, but new users added to the group in AD fail to show in the XG group membership.  

I hope all this makes sense.  Thanks to anyone who may help.



This thread was automatically locked due to age.
  • The issue is: You changed the UPN, likely not the SAMAccountname.

    SFOS works with the SAMAccountname, which is basically the prefix of the UPN. The UPN (which looks like an email address) is name@domain.com. If you create a user, everything is set up by the AD. If you change the name (what exactly did you change in AD?), it could possibly not be the value that is reflected in SFOS. 

    You need to change the SAMAccountname, which will lead to a new user creation. SFOS will not replace this user, instead this looks like a completely new user. 

    BTW: AD Backend Sync for backend groups does not work for IPsec, only SSLVPN, firewall and Proxy. 

    __________________________________________________________________________________________________________________
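    The reply above turns on which AD attribute actually changed (sAMAccountName versus UPN). The following PowerShell is an added example, not code from the thread or from Sophos, for checking that from the AD side: it reads the stable ObjectGUID plus the name attributes of one account and compares the sAMAccountName with the username the firewall still lists, and it can also sweep an OU for accounts whose UPN prefix and sAMAccountName have drifted apart (which is the situation a partial rename produces). It assumes the RSAT ActiveDirectory module is installed; the identities, the firewall-side username and the OU path in the usage lines are constructed placeholders.

```powershell
# Added example (not from the thread or from Sophos): verify which identity
# attributes changed for a renamed AD user, since SFOS keys on sAMAccountName.
# Assumes the RSAT ActiveDirectory module; all sample values below are constructed.
Import-Module ActiveDirectory

function Get-SfosIdentityCheck {
    param(
        [Parameter(Mandatory)] [string] $Identity,         # GUID, DN or current sAMAccountName
        [Parameter(Mandatory)] [string] $FirewallUsername  # username as listed on the XG
    )
    $u = Get-ADUser -Identity $Identity `
         -Properties sAMAccountName, UserPrincipalName, DisplayName, mail, whenChanged, ObjectGUID
    $upnPrefix = ($u.UserPrincipalName -split '@')[0]
    [pscustomobject]@{
        ObjectGUID        = $u.ObjectGUID            # stable id; survives renames
        SamAccountName    = $u.SamAccountName        # what SFOS keys on
        UserPrincipalName = $u.UserPrincipalName
        UpnPrefix         = $upnPrefix
        DisplayName       = $u.DisplayName
        Mail              = $u.mail
        WhenChanged       = $u.whenChanged
        MatchesFirewall   = ($u.SamAccountName -ieq $FirewallUsername)
        PrefixMismatch    = ($upnPrefix -ine $u.SamAccountName)   # UPN renamed, sAMAccountName not
    }
}

function Find-UpnSamMismatch {
    # Sweep an OU for accounts whose UPN prefix no longer matches sAMAccountName.
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
        Where-Object {
            $_.UserPrincipalName -and
            ((($_.UserPrincipalName -split '@')[0]) -ine $_.SamAccountName)
        } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

# Usage (constructed identities): compare the AD record with the stale name on the XG,
# then list every account in the OU with a UPN/sAMAccountName mismatch.
Get-SfosIdentityCheck -Identity 'jane.smith' -FirewallUsername 'jane.doe' | Format-List
Find-UpnSamMismatch -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
```

    If `MatchesFirewall` is false and `PrefixMismatch` is true, only the UPN was changed and SFOS will keep showing the old sAMAccountName; if `MatchesFirewall` is false and `PrefixMismatch` is false, the sAMAccountName itself was changed and, as the reply notes, SFOS will treat the account as a new user rather than renaming the existing object.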

  • Thank you so much for the information!  Very helpful!

    The user got married and therefore we changed her name in AD, which included updating her SAMAccountname, email address, AD username, etc...  I ended up deleting the old user from the SFOS and within about 10 minutes the new user synced, so we're all good there.

    Seeing that AD sync for backend groups doesn't work with IPSec, do you have any recommendations for streamlining IPSec VPN access?  Currently, with each user created, we go into the user account on the Sophos XG and click the "Enable IPSec remote access" radio button.  

  • You can actually grant every user access via IPsec (select "AD User Group" or your primary group) and specify the access later via the firewall rule set. 

    Create a rule with your matching groups and use it in the firewall, which works perfectly fine. 

    __________________________________________________________________________________________________________________

  • When the user is created, the XG requests a bunch of info from the AD server including the user name.  The XG then creates a user object under Authentication \ Users.

    Users have underlying AD ids.  It might be that we never re-synchronize or update the username in the user object, relying on the underlying id.

    You can go to the User object and manually rename them.  You could also delete the user object, and when the user authenticates again a new object will be created with the latest name.  Note that you would need to re-add them to policies such as VPN access.