
Sophos XG does not recognize user group returned by NPS RADIUS server

Hello everyone,

I have an issue with a Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via a RADIUS server running on Windows Server (NPS service) with the Azure MFA extension. We use it for MFA for VPN users. It works fine except for recognition of the user group membership returned in the Filter-Id field by the NPS server. I have checked with Wireshark that the NPS service returns a Filter-Id field containing the correct user group. However, Sophos XG accepts the response from the NPS server and the user gets authenticated, but the user group is not recognized and the user falls into Open Group only. Note that I have configured Filter-Id as the Group member attribute in the Sophos XG definition for the RADIUS server. In addition, I have checked the debug access_server.log on the Sophos XG firewall and found the following:



Added TAGs
[edited by: Erick Jan at 12:38 PM (GMT -7) on 26 Aug 2024]
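An added example, not from the original post or from Sophos or Microsoft: a small Python parser for RADIUS packets (RFC 2865 layout) that pulls the Filter-Id attribute (type 11) out of an Access-Accept, which is the same check the Wireshark inspection above performs by hand, plus a diagnostic comparison of the returned value against the group name configured on the firewall. The sample Access-Accept bytes and the group name `VPN-Users` are constructed for the example; the `compare_group` check is a hypothetical diagnostic, not an explanation of the behaviour reported here.

```python
import struct
from typing import List, Tuple

# RADIUS codes and attribute types from RFC 2865
RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25

HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet into its header and a list of (type, value) attributes.

    Length fields are validated so a truncated or malformed capture raises
    ValueError instead of being silently misread.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator = packet[4:HEADER_LEN]
    attrs: List[Tuple[int, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # alen counts the 2-byte attribute header, so it is never below 2
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": authenticator, "attributes": attrs}


def filter_id_values(packet: bytes) -> List[str]:
    """Return every Filter-Id string carried by an Access-Accept (empty for other codes)."""
    parsed = parse_radius(packet)
    if parsed["code"] != RADIUS_ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", errors="replace")
            for t, v in parsed["attributes"] if t == ATTR_FILTER_ID]


def build_radius(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a RADIUS packet; used here only to construct sample input offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # A zeroed authenticator is fine for a parsing example; real servers compute it.
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body


def compare_group(sent: str, configured: str) -> str:
    """Hypothetical diagnostic: how the server-sent value relates to the configured group name."""
    if sent == configured:
        return "exact"
    if sent.strip().lower() == configured.strip().lower():
        return "case-only"  # differs only in case or surrounding whitespace
    return "mismatch"


# Constructed sample: an Access-Accept carrying a Filter-Id of "VPN-Users"
SAMPLE_ACCESS_ACCEPT = build_radius(
    RADIUS_ACCESS_ACCEPT,
    0x2A,
    [(ATTR_USER_NAME, b"alice"), (ATTR_FILTER_ID, b"VPN-Users"),
     (ATTR_CLASS, b"\x01\x02\x03\x04")],
)

if __name__ == "__main__":
    configured_group = "VPN-Users"  # constructed: the group name defined on the firewall
    for value in filter_id_values(SAMPLE_ACCESS_ACCEPT):
        print(f"Filter-Id={value!r} vs configured {configured_group!r}: "
              f"{compare_group(value, configured_group)}")
```

To use it against a real capture, export the Access-Accept bytes from Wireshark (Copy as Hex Stream on the RADIUS layer) and feed `bytes.fromhex(...)` to `filter_id_values`; comparing the result with the group name on the firewall rules out capture-reading mistakes before looking further at the firewall side.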
Parents
  • We have been having this same issue on v20.0.1 MR-1-Build342 since upgrading from an older v19 firmware. (Can't remember exactly what version of v19.) Our users are automatically put into the proper firewall group that was imported from Active Directory when they sign into the VPN portal, as that is the default sign-in method for the portal. However, when connecting via SSL VPN, which defaults to RADIUS, the user is always taken out of that group and placed into Open Group after authorization.

    I am comparing this to another firewall running v19.0.0 GA-Build317, and that keeps the groups correctly when using RADIUS authentication.

    The RADIUS server in the non-working deployment appears to be sending the right group name via Filter-Id.

