Hi support,
I have a few questions on configure Active Directory authentication on my XGS.
I have followed the guide here:
Configure Active Directory authentication - Sophos Firewall
When I open the VPN portal, I cannot login using my AD user account?
If I add a new user in the AD, does it mean I have to import on the firewall all the time in order to use the VPN?
Isn't it setting the Primary authentication method to my_AD_Server is suppose to be able to authenticate with my AD already?
Hi TobLai
No, new added user on AD user group not to be imported all the time.When you add a new user on existing group on AD, you don't have to import the user as user "group" is already imported on Sophos…
Thank you for reaching out to the community, please verify you have check mark "User portal authentication methods" AD under CONFIGURE-->Authentication-->Services as below, you can drag and keep AD on TOP
Thanks and Regards
"Sophos Partner: Infrassist Technologies Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
Yes, it is marked as Set authentication methods same as firewall. In the login portal, do I have to type in the domain name at the front
Domain\TobLai or something?
Just on the other question:
No, new added user on AD user group not to be imported all the time.When you add a new user on existing group on AD, you don't have to import the user as user "group" is already imported on Sophos XG, user from same group will get syn on Sophos firewall and you can check by login the user on user portal or Captive Portal
When you say the group will sync, does it mean when I look at the users in the list, I will see all the AD users that is in the group that I imported?
If I am getting a lot of "Cannot establish NTLM authentication channel with Domain", how should I fix it?
As soon as you log in user/s, the user will start populating on the user list once the user group is imported on Sophos XG.
To check login user with Captive Portal Page
https://<Sophos IP>:8090
Regards
Please refer the below link to troubleshoot the issue with STAS :
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-xg-firewall-best-practice-for-stas
Thanks Bharat J, good news, I managed to get AD user to login to portal.
The problem now I face is that is that the AD user is not able to ping the server when I log in to VPN. While the user created in the firewall can access and connect to server and ping any computers on the network.
Is there anything I am missing?
Please make sure you have LAN-VPN and VPN-LAN firewall rules and keep the same firewall rules on TOP to troubleshoot the issue if rules are already present.
Please go to System -->Administration --->Device access and enable Ping on VPN and LAN Zone. Also, make sure you have added AD Server or network you want to allow under Permitted network resources (IPv4) as per the snapshot :
I only have VPN to LAN firewall rules. Is that sufficient?
Hey TobLai,If you only want the VPN users to access the local LAN resources then it's fine. But if you want the LAN users or client machine to access resources over the VPN then you may want to create a LAN to VPN rule !!
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.