XGS 19.5.3 Build 652 - AD Group members lost

Hello,

I am quite new to the XGS appliance, coming from the UTM.

We are still facing a lot of problems since the migration; one of them is the user authentication for SSO.

The import of the users and the AD groups worked well, and most of the users are directly placed in the correct groups on the XGS.

But there are some users which I had to manually add to the correct group, and some of these (not all!?) which I put manually in the right group are disappearing again and again and fall back to "Open Group".

I can add them back to the group, but a day or some hours later, the users are gone again.

What is going on here? 



  • See User Authentication: Sophos Firewall: Backend Group Membership in Sophos Firewall

    Essentially, if you add something manually, it will be overridden by the next authentication.

    __________________________________________________________________________________________________________________

  • OK, this is understandable.

    But then why doesn't it affect all users that I have manually added to groups?
    And why aren't the users pushed directly into the same AD groups that AD says they belong to?
    Or, better asked, how can I configure the synchronization so that all users are added to the correct groups so that I don't have to rework it manually?

  • Like mentioned in my article: SFOS will do a first match principle of all groups and ask the AD Server for each login request. If a user logs in with whatever method, it will fetch the default group and backend groups.

    BTW: UTM never showed the groups at all.

    Check the backend memberships, sort your AD Groups properly in the group window and then the user should appear in the right groups. 

    __________________________________________________________________________________________________________________
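
The first-match behaviour described in the replies above, as an added example that is not part of the original thread and is not Sophos code: a simplified model that predicts which firewall group a user lands in at the next login and lists the manual assignments that will be overwritten. The group order, user names and AD memberships are constructed sample data, and the exact-name matching rule is an assumption based on the replies.

```python
# Simplified model of the behaviour described in this thread; not Sophos code.
DEFAULT_GROUP = "Open Group"  # fallback group named in the original post


def resolve_group(fw_groups_in_order, ad_memberships):
    """Return the first firewall group (top to bottom) found in the user's
    AD backend memberships, or the default group if none match.
    Assumption: groups are matched by exact name."""
    member_of = set(ad_memberships)
    for group in fw_groups_in_order:
        if group in member_of:
            return group
    return DEFAULT_GROUP


def audit_manual_assignments(fw_groups_in_order, users):
    """users: {name: {"ad": [AD groups], "manual": group set by hand}}.
    Returns {name: (manual_group, group_after_next_login)} for every user
    whose manual placement will not survive the next authentication."""
    drift = {}
    for name, info in users.items():
        expected = resolve_group(fw_groups_in_order, info["ad"])
        if info["manual"] != expected:
            drift[name] = (info["manual"], expected)
    return drift


# Constructed sample data (group and user names are invented for illustration).
FW_GROUPS = ["VPN-Users", "Staff", "IT-Admins"]  # order as sorted on the firewall
USERS = {
    # Manual group equals the first AD match: placement survives.
    "alice": {"ad": ["Staff"], "manual": "Staff"},
    # No backend membership matches: user drops to the default group.
    "bob": {"ad": [], "manual": "Staff"},
    # Member of two groups: group order decides, not the manual choice.
    "carol": {"ad": ["IT-Admins", "Staff"], "manual": "IT-Admins"},
}

if __name__ == "__main__":
    report = audit_manual_assignments(FW_GROUPS, USERS)
    for user, (manual, after) in report.items():
        print(f"{user}: manual '{manual}' becomes '{after}' at next login")
```

A user who lands in the wrong group inherits that group's firewall and web policies, so reviewing the group order against real AD memberships is worth doing before relying on manual placement.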
