
Sophos XG does not recognize user group returned by NPS RADIUS server

Hello everyone,

I have an issue with a Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via a RADIUS server running on Windows Server (NPS service) with the Azure MFA extension. We use it for MFA for VPN users. It works fine except for recognition of the user group membership returned in the Filter-Id field by the NPS server. I have checked with Wireshark that the NPS service returns a Filter-Id field containing the correct user group. However, Sophos XG accepts the response from the NPS server and the user gets authenticated, but the user group is not recognized and the user falls into the Open Group only. Note that I have configured Filter-Id as the group member attribute in the Sophos XG definition for the RADIUS server. In addition, I have checked the debug access_server.log on the Sophos XG firewall and found the following:



Added TAGs
[edited by: Erick Jan at 12:38 PM (GMT -7) on 26 Aug 2024]
  • Does anyone have a setup that is working? I tried it with "Filter-Id" in Standard RADIUS attributes with my group name inside (on NPS). Then I wrote "Filter-Id" and, after a failure, "<my groupname>" in the RADIUS group name attribute on XG, but nothing works. The user stays in the Default group after logging in to the user portal. The group is created on XG and is sorted to the top. Anyone?!

    The docs are no help, and after hours of Googling I could not find anything.

  • In v20 MR1 we have fixed one RADIUS group membership issue, listed below:

    NC-127830

    Authentication

    RADIUS users who aren't part of the VPN group are able to connect to SSL VPN.


    Prior to this fix:
    In a scenario where a user is part of multiple groups and all of those groups are available in SFOS too, the user's groups are mapped to "Group" and "Other group memberships".

    Now, if all the groups are removed from this user on RADIUS, the user's "Group" value used to be retained, and hence the user was able to access resources as per the last group policy.

    The fix in v20 MR1 resolves this issue:

    • The RADIUS server should respond with a list of groups via any defined attribute, e.g. Filter-Id.
    • The SFOS RADIUS server definition should have the same attribute set for "Group name attribute".
    • The group should pre-exist in the firewall to map the user correctly into those groups.
    • In case the group is not available in the firewall, the user will fall into the configured default group.

    Please take a look at the authentication server log to check whether the correct group value is returned from the RADIUS server against the attribute configured in the SFOS server for "Group name attribute".

    We are investigating a few customer deployments who have reported the issue to support post-migration. We will post an update in case we find any new issue during the investigation.


    The suggestion is to reach out to support in case you are encountering the issue post-migration despite the group attribute being provided by the RADIUS server under the configured value and the same group existing in the SFOS groups list.

     -Alok

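To make the check in the reply above concrete (look at what the RADIUS server actually returns under the attribute configured as "Group name attribute", as the original poster did with Wireshark, and then apply the mapping rules listed), here is an added Python example. It is not code from Sophos or from anyone in this thread. It builds a RADIUS Access-Accept carrying one Filter-Id (attribute type 11) per group name, verifies the Response Authenticator against the shared secret so a forged or altered reply is not trusted, extracts the Filter-Id values, and maps them to an SFOS group: only groups that already exist on the firewall count, otherwise the user lands in the default group. The group names, shared secret and packet contents are constructed, and the tie-break that makes the group listed highest in the firewall's group order the primary "Group" (with the rest going to "Other group memberships") is an assumption made for this example.

```python
"""Added example: decode Filter-Id group names from a RADIUS Access-Accept and
apply the SFOS mapping rules described in the thread. All sample data is constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11   # RFC 2865 section 5.11; the "Group name attribute" used in the thread
HEADER_LEN = 20       # code(1) + identifier(1) + length(2) + authenticator(16)


def build_access_accept(ident, request_auth, secret, filter_ids):
    """Build an Access-Accept carrying one Filter-Id attribute per group name.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    RFC 2865 section 3."""
    attrs = b""
    for name in filter_ids:
        value = name.encode("utf-8")
        attrs += struct.pack("!BB", ATTR_FILTER_ID, 2 + len(value)) + value
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Length fields are checked so a truncated or padded packet cannot run the parser
    past the end of the buffer."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    authenticator = packet[4:HEADER_LEN]
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was produced by a server holding the shared secret and
    was not altered in transit; the client must keep the Request Authenticator it sent."""
    _, _, authenticator, _ = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def filter_id_groups(packet):
    """Group names exactly as the RADIUS server returned them, one per Filter-Id.
    Anything other than an Access-Accept yields no groups."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [value.decode("utf-8", "replace") for atype, value in attrs if atype == ATTR_FILTER_ID]


def map_to_sfos_groups(returned, sfos_group_order, default_group):
    """Rules from the reply above: only groups that already exist on the firewall count;
    with no match the user lands in the default group. Which existing group becomes
    "Group" and which go to "Other group memberships" is an assumption here: the one
    listed highest in the firewall's group order wins."""
    returned_set = set(returned)
    present = [g for g in sfos_group_order if g in returned_set]
    if not present:
        return default_group, []
    return present[0], present[1:]


if __name__ == "__main__":
    # Constructed sample: the NPS policy returns two Filter-Id values; the firewall only
    # knows one of them, so that one becomes "Group" and "VPN Access" is ignored.
    request_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    reply = build_access_accept(0x2A, request_auth, secret, ["Sophos_Web", "VPN Access"])
    print("reply authentic:", verify_response_authenticator(reply, request_auth, secret))
    groups = filter_id_groups(reply)
    print("Filter-Id values:", groups)
    print("SFOS mapping:", map_to_sfos_groups(groups, ["Sophos_Web", "Open Group"], "Open Group"))
    # Only "VPN Access" comes back and no SFOS group has that name: default group.
    print("mismatch case:", map_to_sfos_groups(["VPN Access"], ["Sophos_Web", "Open Group"], "Open Group"))
```

Feeding a real Access-Accept captured with Wireshark into `filter_id_groups` shows the exact strings the firewall would compare against its group list; a value that does not match an existing SFOS group name character for character is the usual reason a user ends up in the default group.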

  • Hello, can you share screenshots of exactly how this should look in both the RADIUS-side and firewall-side settings? We have a group on the firewall called "Sophos_Web" that we want RADIUS users to be mapped to. These users are members of this group in AD, and when they get authenticated with AD, they correctly map to this group. When authenticated with RADIUS, they are being mapped to the "Open Group". In the RADIUS settings, we have a Windows Groups condition called "VPN Access" that defines access to use VPN. We had Filter-Id set to "VPN Access" and the same in Group name attribute, but it sounds like instead we need Filter-Id to be "Sophos_Web".

  • And by the way, I tested this and it did not work.