
Sophos XG does not recognize user group returned by NPS RADIUS server

Hello everyone,

I have an issue with a Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via a RADIUS server running on Windows Server (NPS service) with the Azure MFA extension. We use it for MFA for VPN users. It works fine except for recognition of the user group membership returned in the Filter-Id field by the NPS server. I have checked with Wireshark that the NPS service returns a Filter-Id field containing the correct user group. However, Sophos XG accepts the response from the NPS server and the user gets authenticated, but the user group is not recognized and the user falls into the Open Group only. Note that I have configured Filter-Id as the group member attribute in the Sophos XG definition for the RADIUS server. In addition, I have checked the debug access_server.log on the Sophos XG firewall and found the following:

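The opening post confirms with Wireshark that NPS returns a Filter-Id attribute. The script below is an added example (not code from the thread, Sophos, or Microsoft) that does the same check offline on a captured Access-Accept: it verifies the Response Authenticator against the shared secret, walks the attribute TLVs (RFC 2865), pulls out every Filter-Id, and compares each value against the group names defined on the firewall, reporting whether a value matches exactly or only differs by case or whitespace. The shared secret, the request authenticator and the reply packet are constructed in the block; exact-match semantics for the group name on the firewall side are an assumption, not something the thread states.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# RFC 2865 codes and attribute types used here
ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25
ATTR_FILTER_ID = 11  # the attribute NPS is configured to carry the group name in


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build an Access-Accept with a valid Response Authenticator.
    Only used to construct a sample reply; a real NPS reply comes off the wire."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """True if the reply was produced by a server holding the shared secret."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the attribute TLVs; a bad length aborts rather than silently truncating."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def filter_id_groups(packet: bytes) -> List[str]:
    """Every Filter-Id value, exactly as sent (case and whitespace preserved)."""
    return [v.decode("utf-8", "replace")
            for v in parse_attributes(packet).get(ATTR_FILTER_ID, [])]


def check_group_match(packet: bytes, firewall_groups: List[str]) -> Dict[str, str]:
    """Compare each Filter-Id against the firewall's group names and say why a
    correct-looking value might still fail to map. Assumes exact matching on
    the firewall side (an assumption of this example, not stated in the thread)."""
    lowered = {g.lower() for g in firewall_groups}
    verdicts = {}
    for value in filter_id_groups(packet):
        if value in firewall_groups:
            verdicts[value] = "exact match"
        elif value.strip() in firewall_groups:
            verdicts[value] = "matches only after stripping whitespace"
        elif value.lower() in lowered:
            verdicts[value] = "matches only case-insensitively"
        elif value.strip().lower() in lowered:
            verdicts[value] = "matches only after stripping whitespace and ignoring case"
        else:
            verdicts[value] = "no matching group"
    return verdicts


# Constructed sample: a made-up shared secret and request authenticator, and the
# Access-Accept an NPS policy would return for a user in group "WLANVPN".
SECRET = b"example-shared-secret"     # constructed, not a real secret
REQUEST_AUTH = bytes(range(16))       # constructed, not from a real capture
SAMPLE_ACCEPT = build_access_accept(
    identifier=7, request_authenticator=REQUEST_AUTH, secret=SECRET,
    attrs=[(ATTR_FILTER_ID, b"WLANVPN"),
           (ATTR_CLASS, b"\x01\x02\x03\x04"),   # opaque, constructed
           (ATTR_REPLY_MESSAGE, b"Welcome")])

if __name__ == "__main__":
    print("response authenticator valid:",
          verify_response_authenticator(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("Filter-Id values:", filter_id_groups(SAMPLE_ACCEPT))
    print(check_group_match(SAMPLE_ACCEPT, ["WLANVPN", "Open Group"]))
```

To use it on a real capture, export the Access-Accept bytes from Wireshark and feed them to `verify_response_authenticator` and `check_group_match` together with the request authenticator from the matching Access-Request and the firewall's group list; a value that is only a case or whitespace match is the first thing to fix on the NPS side before assuming a firewall bug.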
  • We also have the same problem with the current version SFOS 20.0.2 MR-2-Build378.

    RADIUS authentication works without any problems - however, the group memberships are not transferred.

    As a temporary workaround, we change the “default group” under Authentication > Services to a VPN-active group so that the users can at least establish a connection.

  • Hi all,

    Has this ever worked before?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Hello Dirk,

    Yes, it has. I configured it about two years ago. Then I realized that it is not working any more. Since the second authentication server is local AD, my users were able to log in and have most of their access due to the rules configuration. However, they are recognized as users coming from local AD and not from RADIUS. But I can still see some users whose last login was a long time ago via RADIUS, with the group membership at the time of that last login, so I can confirm that it worked.

  • So, this is how SFOS works here in most deployments: you can add the domain in use to the RADIUS server definition.
    When you do this, SFOS merges the information from AD and RADIUS into one object. Meaning, if you authenticate a user called "test" via AD, it will generate test@domain.com as a UPN.

    If you authenticate this user test via RADIUS, SFOS will add the domain "domain.com" and merge both objects together.

    Did you do this? See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/RADIUS/AuthenticationRADIUSServerAdd/index.html 


  • Hello LuCar Toni,

    I just explained how it happened that we did not realize RADIUS authentication had not been working for some time. In our setup RADIUS authentication is, let's say, the main authentication method. We have recently restricted local AD authentication to just a few users as a fallback mechanism. We are doing so since we want to increase security and force users to use O365-integrated MFA authentication in the Sophos VPN client. So you may consider that local AD authentication does not exist. If I remove it and leave RADIUS only, it behaves as I have explained above. Regarding your question about the RADIUS configuration, it is correctly configured:

    The domain name is correct and it is the same as the UPN for our O365 users.

  • Can confirm the same behavior. I configured it exactly as in your screenshot above and defined the Filter-Id in the RADIUS default attributes of my Windows NPS server. When I log in with my RADIUS user, it can authenticate successfully, but the user is still in the default "guest group".

  • Does the user have other group memberships in the UI, and do you have two different users (a RADIUS and an AD user)?

    Just for transparency: there is an ongoing situation with NPS and RADIUS: https://support.sophos.com/support/s/article/KBA-000009901?language=en_US 


  • My group "WLANVPN" that I use for RADIUS is created on the firewall, and the "Filter-Id" attribute, which I use as the group name attribute, is set to "WLANVPN" too on the RADIUS server. The group is sorted above all other groups in the Sophos group order menu. The users are the same, so the user "marcel" on the Sophos firewall was authenticated successfully with RADIUS. So the auth works, but the group membership of "WLANVPN" is not transferred. In my shell access log I can see the same behavior as Haris.

    I have no problems authenticating users with RADIUS, only with group assignment.