Sophos XG does not recognize user group returned by NPS RADIUS server

Question

Hello everyone, 
 I have issue with Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via RADIUS server running on Windows Server (NPS service) with Azure MFA extension. We use it for MFA for VPN users. It works fine except recognition of user group membership returned in Filter-Id field by NPS server. I have checked with Wireshark that NPS service returns Filter-Id field containing correct user group. However, Sophos XG accept response from NPS server and user get authenticated but user group is not recognized and user falls into Open Group only. Note that I have configured Filter-Id as Group member attribute in Sophos XG definition for RADIUS server. In addition, have checked debug access_server.log on Sophos XG firewall and found following:

Alok · Accepted Answer

In v20MR1 we have fixed one Radius group membership issue listed below:

NC-127830

Authentication

RADIUS users who aren't part of VPN group are able to connect to SSL VPN.

Prior to this fix : In scenario where user is part of multiple groups and all groups are available in SFOS too. User group will be mapped to &ldquo;Group and Other group memberships&rdquo;. 
 Now in case all the groups are removed from this user on Radius, in this case user&rsquo;s &ldquo;Group&rdquo; value use to retain and hence user was able to access resources as per last group policy. 
 Fix in v20MR1 is to resolve this issue: 
 
 Radius server should respond with a list of Groups via any defined attribute e.g. Filter-ID. 
 SFOS Radius server should have the same attribute set for &ldquo; Group name attribute &rdquo;. 
 Group should pre-exists in firewall to map user correctly in those groups. 
 In case group is not available in firewall user will fall in default group configured. 
 
 Please take a look at authentication server log if correct group value is returning from Radius server against attribute configured in SFOS server for &ldquo; Group name attribute &rdquo;. 
 We are investigating few customer deployments, who have reported issue to support post migration. We will post update in case we found any new issue during the investigation. 
 Suggestion is to reach out to support in case you are encountering issue post migration despite group attribute is provided by Radius server under configured value and same group exists in SFOS groups list. 
 -Alok

dirkkotte · Answer

Hi all, 
 has this ever worked before?

Alok · Answer

Thanks for your time over remote session and support. As we are unable to replicate the issue, not sure why it's stopped working with Filter-ID. For anyone if it&rsquo;s not working, you can check following before making any changes. 
 
 Enable Debug via CLI: console> system diagnostics subsystems Access-Server debug on 
 Attempt for user login 
 Disable Debug via CLI: console> system diagnostics subsystems Access-Server debug o ff 
 Search for &ldquo; GroupName Attribute &rdquo;: grep "GroupName Attribute" -B 1 -A 1 access_server.log 
 
 DEBUG Sep 09 08:38:54.382930Z [RADIUS_AUTH]: (cb_authenticate_user): Authentication OK for User: ' test' DEBUG Sep 09 08:38:54.382944Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Class' : ' Group1' DEBUG Sep 09 08:38:54.382950Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Class' : ' Group2' DEBUG Sep 09 08:38:54.382954Z [RADIUS_AUTH]: (radiusauth_authenticate_user_finish): RADIUS_AUTH: User Authenticated with Server: '172.17.0.51:1812' 
 -- 
 DEBUG Sep 09 08:42:12.967097Z [RADIUS_AUTH]: (cb_authenticate_user): Authentication OK for User: ' demo' DEBUG Sep 09 08:42:12.967107Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Filter-Id' : ' Group3' DEBUG Sep 09 08:42:12.967114Z [RADIUS_AUTH]: (radiusauth_authenticate_user_finish): RADIUS_AUTH: User Authenticated with Server: '172.17.0.51:1812' 
 5. Group info should match with Actual group available in SFOS UI. As above value is something returned from RADIUS server. 6. If "GroupName Attribute" value is empty need to check in PCAP, if server is sending value properly in response.

Sophos XG does not recognize user group returned by NPS RADIUS server

Top Replies