Hello, I am still relatively new with Sophos products. I've got a Radius server set up to authenticate users to the admin interface, but it's not working. I've reviewed the documentation several times and am unable to determine what I'm missing. I feel like there's one piece that I haven't enabled, yet I cannot find it. This is on a Sophos XGS116 running SFOS 19.5.3 MR-3 Build 652. I went to Authentication -> Servers and Added a new authentication server - type RADIUS Provided a name IP address Authentication port (1812) Timeout is set to 3 seconds Accounting is not enabled Shared secret specified Domain Name is blank - this Radius server is not IAS and is not configured with Active Directory - it's a Steel Belted Radius server that's using a local database Group Name Attribute is set to "Filter-Id" (without the double quotes) When I select Test connection, I see "Device-RADIUS server connectivity test was successful" Next, I went to Authentication -> Services Under Administrator Authentication Methods, I have both Local and the Radius server selected Dragged and dropped the order of the auth servers such that the Radius server is first in the list I attempted to log in with the same credentials I used when testing the connection. I ran a policy trace on the Radius server and can see the Access Request from the Sophos appliance, along with an Access Accept and I can see the value I have set for "Filter-ID" sent back as part of the Access-Accept message. Can someone please advise? Thanks in advance!

Hi CF1 Tech , Let me explain current behaviour of XG with external Authentication server. This will help you co-relate things in your setup and fix it. XG doesn't support Administrative user creation on the fly after authenticated via external Auth server. (except Azure AD SSO) Webadmin need administrative user permission to access it. Here no need to create local user manually. You can login userportal with same radius user so user copy created automatically in local database after successful login. Go to XG (Authentication->Users), Promote this user to administrative and select profile whatever you want and save it. Now onwards, this user have administrative permission so user can access Webadmin Portal.

Radius Authentication to Admin Interface Fails Despite Valid Test

CF1 Tech 25 days ago

Hello,

I am still relatively new with Sophos products. I've got a Radius server set up to authenticate users to the admin interface, but it's not working. I've reviewed the documentation several times and am unable to determine what I'm missing. I feel like there's one piece that I haven't enabled, yet I cannot find it.

This is on a Sophos XGS116 running SFOS 19.5.3 MR-3 Build 652.

I went to Authentication -> Servers and

Added a new authentication server - type RADIUS
Provided a name
IP address
Authentication port (1812)
Timeout is set to 3 seconds
Accounting is not enabled
Shared secret specified
Domain Name is blank - this Radius server is not IAS and is not configured with Active Directory - it's a Steel Belted Radius server that's using a local database
Group Name Attribute is set to "Filter-Id" (without the double quotes)

When I select Test connection, I see "Device-RADIUS server connectivity test was successful"

Next, I went to Authentication -> Services

Under Administrator Authentication Methods, I have both Local and the Radius server selected
Dragged and dropped the order of the auth servers such that the Radius server is first in the list

I attempted to log in with the same credentials I used when testing the connection.

I ran a policy trace on the Radius server and can see the Access Request from the Sophos appliance, along with an Access Accept and I can see the value I have set for "Filter-ID" sent back as part of the Access-Accept message.

Can someone please advise?

Thanks in advance!

Added V19.5 MR3 TAG
[edited by: Erick Jan at 7:31 AM (GMT -7) on 2 Oct 2023]

Top Replies

Bhavik24 20 days ago in reply to CF1 Tech +2 verified

Hi CF1 Tech , Let me explain current behaviour of XG with external Authentication server. This will help you co-relate things in your setup and fix it. XG doesn't support Administrative user creation on…

Parents

0 Vivek Jagad 25 days ago
Hello CF1 Tech ,

Thank you for reaching out to the community, Please refer the useful recommended reads for the Radius authentication:

Sophos Central: Wireless and RADIUS authentication

https://support.sophos.com/support/s/article/KB-000036142?language=en_US

Sophos Firewall: Configure RADIUS for Enterprise Wireless Authentication with Windows Server 2012

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/127783/sophos-firewall-configure-radius-for-enterprise-wireless-authentication-with-windows-server-2012

Sophos Firewall: Wireless and Radius authentication on Windows Server 2016

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122559/sophos-firewall-wireless-and-radius-authentication-on-windows-server-2016

Sophos Firewall: Configure SSO for APX Wi-Fi users authenticated via Radius server

https://support.sophos.com/support/s/article/KB-000038858?language=en_US

How to configure Wireless Radius server authentication on Sophos XG Firewall

How to configure Wireless Radius server authentication on Sophos XG Firewall
Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 CF1 Tech 25 days ago in reply to Vivek Jagad

Yes - those are the same guides I already referred to. I wouldn't have posted if I didn't review the documentation first. I know better. :-)

Also - tje links you provided is for setting up Wireless authentication via Radius. I am trying to set up web admin authentication via Radius.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 23 days ago in reply to CF1 Tech

Hey CF1 Tech ,

Thank you for the update, are you trying to login via default admin or you have created Profile Management for Device Access in Sophos Firewall ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 CF1 Tech 22 days ago in reply to Vivek Jagad

Hello,

Thanks for your response.

I went to System -> Profiles -> Device Access

I created a new Device Access profile called firewall_admins and provided read/write access to all settings.

I do not see anywhere to assign the Device Access Profile to a group - it appears that I can only assign a Device Access Profile to an individual user account.

I tried creating a user account under Authentication -> Users with the same username that I use to authenticate via Radius, set the type as an Administrator, then assigned the Device Access Profile to the user. I made sure I set a different password from the password that Bob uses to authenticate against the Radius server.

I was indeed able to log into the admin interface as username 'bob' with the Radius password.

Would I need to create a user account for each user that authenticates via Radius?

The behavior I'm seeing implies that I have to create a user for each user authenticated via Radius which would defeat the purpose of having a centralized authentication store.

My hope is to assign the Device Access Profile based on the value of the Filter-Id attribute set on the Radius server. Frankly, I don't care which attribute I need to use - just so long as it's possible. I have a lot of flexibility in the attribute/value pairs I can configure.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 22 days ago in reply to CF1 Tech

Yes an indivdiual user along with the profile to allow certain users to access certain modules, which you can control from to device access profile.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 CF1 Tech 20 days ago in reply to Vivek Jagad

I opened a support case on this and confirmed that a local account needs to be created for each RADIUS user that you want to make an administrator. Had this firewall been considered for production use, this would be a blocker to implementing it.

The entire point of using a RADIUS (or LDAP) server for centralized authentication is to prevent the need to create local accounts - even for administrators.

The Sophos appliance I've been working on is in an interoperability lab with firewalls from multiple vendors - Juniper, Palo Alto Networks, Fortinet, Watchguard, Cisco....

Sophos is the ONLY firewall that requires a local account to be defined for administrative access when using a RADIUS server.

Every other firewall in this lab allows for assigning an administrative role based on a Radius attribute (i.e. Filter-Id = XXXXX where XXXXX is the administrative role name).

There are well over 100 users that need to be able to access the different firewalls in this lab. Employees come and go - having to periodically maintain local accounts is not something that should ever be needed.

I hope Sophos product management is able to incorporate this into a future release.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Bhavik24 20 days ago in reply to CF1 Tech

Hi CF1 Tech ,

Let me explain current behaviour of XG with external Authentication server. This will help you co-relate things in your setup and fix it.

XG doesn't support Administrative user creation on the fly after authenticated via external Auth server. (except Azure AD SSO)
Webadmin need administrative user permission to access it.

Here no need to create local user manually.
You can login userportal with same radius user so user copy created automatically in local database after successful login.
Go to XG (Authentication->Users), Promote this user to administrative and select profile whatever you want and save it.
Now onwards, this user have administrative permission so user can access Webadmin Portal.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Reply

+1 Bhavik24 20 days ago in reply to CF1 Tech

Hi CF1 Tech ,

Let me explain current behaviour of XG with external Authentication server. This will help you co-relate things in your setup and fix it.

XG doesn't support Administrative user creation on the fly after authenticated via external Auth server. (except Azure AD SSO)
Webadmin need administrative user permission to access it.

Here no need to create local user manually.
You can login userportal with same radius user so user copy created automatically in local database after successful login.
Go to XG (Authentication->Users), Promote this user to administrative and select profile whatever you want and save it.
Now onwards, this user have administrative permission so user can access Webadmin Portal.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Children

No Data