Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos XG does not recognize user group returned by NPS RADIUS server

Hello everyone,

I have issue with Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via RADIUS server running on Windows Server (NPS service) with Azure MFA extension. We use it for MFA for VPN users. It works fine except recognition of user group membership returned in Filter-Id field by NPS server. I have checked with Wireshark that NPS service returns Filter-Id field containing correct user group. However, Sophos XG accept response from NPS server and user get authenticated but user group is not recognized and user falls into Open Group only. Note that I have configured Filter-Id as Group member attribute in Sophos XG definition for RADIUS server. In addition, have checked debug access_server.log on Sophos XG firewall and found following:



Added TAGs
[edited by: Erick Jan at 12:38 PM (GMT -7) on 26 Aug 2024]
Parents Reply
  • Hello LuCar Toni,

    I just explained how it happen that we did not realize that RADIUS authentication is not working for some longer time. In our setup RADIUS authentication is let's say main authentication method. We have recently restricted local AD authentication for just few users as a fall back mechanism. We are doing so since we want to increase security and force users to use O365 integrated MFA authentication in Sophos VPN client. So you may consider that local AD authentication does not exist. If I remove it and leave RADIUS only it will behaves as I have explained above. Regarding your question about RADIUS configuration it is correctly configured:

    Domain name is correct and it is same as UPN for our O365 users.

Children