
Radius Authentication to Admin Interface Fails Despite Valid Test

Hello,

I am still relatively new with Sophos products. I've got a Radius server set up to authenticate users to the admin interface, but it's not working. I've reviewed the documentation several times and am unable to determine what I'm missing. I feel like there's one piece that I haven't enabled, yet I cannot find it.

This is on a Sophos XGS116 running SFOS 19.5.3 MR-3 Build 652.

I went to Authentication -> Servers and

  1. Added a new authentication server - type RADIUS
  2. Provided a name
  3. IP address
  4. Authentication port (1812)
  5. Timeout is set to 3 seconds
  6. Accounting is not enabled
  7. Shared secret specified
  8. Domain Name is blank - this Radius server is not IAS and is not configured with Active Directory - it's a Steel Belted Radius server that's using a local database
  9. Group Name Attribute is set to "Filter-Id" (without the double quotes)

When I select Test connection, I see "Device-RADIUS server connectivity test was successful"

Next, I went to Authentication -> Services

Under Administrator Authentication Methods, I have both Local and the Radius server selected
Dragged and dropped the order of the auth servers such that the Radius server is first in the list

I attempted to log in with the same credentials I used when testing the connection.

I ran a policy trace on the Radius server and can see the Access Request from the Sophos appliance, along with an Access Accept and I can see the value I have set for "Filter-ID" sent back as part of the Access-Accept message.

Can someone please advise?

Thanks in advance!
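To make the policy-trace observation concrete (an Access-Accept that carries Filter-Id, bound to the request by the shared secret), here is an added example that is not part of the original post: it builds such a reply, verifies the Response Authenticator against the shared secret, and extracts the Filter-Id value. The identifier, Request Authenticator and secret are constructed placeholders.

```python
"""Parse and verify a RADIUS Access-Accept and pull out Filter-Id (attribute type 11).
Added example, not from the thread; the shared secret and identifiers are constructed."""
import hashlib
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # Filter-Id attribute type (RFC 2865 section 5.11)

def build_access_accept(identifier, request_auth, secret, filter_id):
    """Build an Access-Accept carrying one Filter-Id, the way a RADIUS server sends it."""
    value = filter_id.encode()
    attrs = struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet, request_auth, secret):
    """Return {attr_type: [raw values]} if the Response Authenticator checks out,
    else None (wrong shared secret, tampered reply, or malformed packet)."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        return None  # reply not bound to our request and secret: treat it as a reject
    result, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # bad attribute length
        result.setdefault(atype, []).append(attrs[pos + 2:pos + alen])
        pos += alen
    return result

def filter_ids(packet, request_auth, secret):
    """Filter-Id strings from a verified Access-Accept, or None if verification failed."""
    attrs = parse_access_accept(packet, request_auth, secret)
    return None if attrs is None else [v.decode(errors="replace") for v in attrs.get(FILTER_ID, [])]

if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator (normally random per request)
    secret = b"example-shared-secret"  # constructed placeholder, not a real secret
    pkt = build_access_accept(7, req_auth, secret, "firewall_admins")
    print(filter_ids(pkt, req_auth, secret))          # ['firewall_admins']
    print(filter_ids(pkt, req_auth, b"wrong-secret"))  # None
```

A reply whose authenticator does not verify under the configured secret is exactly the case a NAS must treat as a reject, which is why the firewall's connectivity test succeeding says nothing about how the Filter-Id value is consumed afterwards.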



  • Yes - those are the same guides I already referred to. I wouldn't have posted if I didn't review the documentation first. I know better. :-)

    Also - the links you provided are for setting up wireless authentication via Radius. I am trying to set up web admin authentication via Radius.

  • Hey  , 

    Thank you for the update. Are you trying to log in via the default admin, or have you created a Profile Management for Device Access in Sophos Firewall?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Thanks for your response.

    I went to System -> Profiles -> Device Access

    I created a new Device Access profile called firewall_admins and provided read/write access to all settings.

    I do not see anywhere to assign the Device Access Profile to a group - it appears that I can only assign a Device Access Profile to an individual user account.

    I tried creating a user account under Authentication -> Users with the same username that I use to authenticate via Radius, set the type as an Administrator, then assigned the Device Access Profile to the user. I made sure I set a different password from the password that Bob uses to authenticate against the Radius server.

    I was indeed able to log into the admin interface as username 'bob' with the Radius password.

    Would I need to create a user account for each user that authenticates via Radius?

    The behavior I'm seeing implies that I have to create a user for each user authenticated via Radius which would defeat the purpose of having a centralized authentication store.

    My hope is to assign the Device Access Profile based on the value of the Filter-Id attribute set on the Radius server. Frankly, I don't care which attribute I need to use - just so long as it's possible. I have a lot of flexibility in the attribute/value pairs I can configure. 

  • Yes, an individual user along with the profile to allow certain users to access certain modules, which you can control from the device access profile.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • I opened a support case on this and confirmed that a local account needs to be created for each RADIUS user that you want to make an administrator. Had this firewall been considered for production use, this would be a blocker to implementing it.

    The entire point of using a RADIUS (or LDAP) server for centralized authentication is to prevent the need to create local accounts - even for administrators.

    The Sophos appliance I've been working on is in an interoperability lab with firewalls from multiple vendors - Juniper, Palo Alto Networks, Fortinet, Watchguard, Cisco....

    Sophos is the ONLY firewall that requires a local account to be defined for administrative access when using a RADIUS server.

    Every other firewall in this lab allows for assigning an administrative role based on a Radius attribute (i.e. Filter-Id = XXXXX where XXXXX is the administrative role name).

    There are well over 100 users that need to be able to access the different firewalls in this lab. Employees come and go - having to periodically maintain local accounts is not something that should ever be needed.

    I hope Sophos product management is able to incorporate this into a future release.

  • Hi  ,

    Let me explain the current behaviour of XG with an external authentication server. This will help you correlate things in your setup and fix it.

    XG doesn't support administrative user creation on the fly after authentication via an external auth server (except Azure AD SSO).
    Webadmin needs administrative user permission to access it.

    Here there is no need to create the local user manually.
    You can log in to the user portal with the same RADIUS user, so a copy of the user is created automatically in the local database after successful login.
    Go to XG (Authentication -> Users), promote this user to administrator, select whatever profile you want and save it.
    From now on, this user has administrative permission, so the user can access the Webadmin portal.