Sophos XG does not recognize user group returned by NPS RADIUS server

Maybe anyone which setup is working? I tried it with "Filter-Id" in Standard RADIUS attributes with my group name inside (on NPS) Then I wrote "Filter-Id" and after a failure "<my groupname>" in die RADIUS group name attribute on XG but nothing works. The user stays in die Default group after logging in to the userportal. The group is created on XG and is sorted to the top. Anyone?!

The docs are not a help and after hours of Gooooogling I could not found anything.

In v20MR1 we have fixed one Radius group membership issue listed below: 

Prior to this fix: In scenario where user is part of  multiple groups and all groups are available in SFOS too. User group will be mapped to “Group and Other group memberships”.

Now in case all the groups are removed from this user on Radius, in this case user’s “Group” value use to retain and hence user was able to access resources as per last group policy.

Fix in v20MR1 is to resolve this issue:

• Radius server should respond with a list of Groups via any defined attribute e.g. Filter-ID.
• SFOS Radius server should have the same attribute set for “Group name attribute”.
• Group should pre-exists in firewall to map user correctly in those groups.
• In case group is not available in firewall user will fall in default group configured.

Please take a look at authentication server log if correct group value is returning from Radius server against attribute configured in SFOS server for “Group name attribute”.

We are investigating few customer deployments, who have reported issue to support post migration. We will post update in case we found any new issue during the investigation.

Suggestion is to reach out to support in case you are encountering issue post migration despite group attribute is provided by Radius server under configured value and same group exists in SFOS groups list.  

 -Alok

In v20MR1 we have fixed one Radius group membership issue listed below: 

Prior to this fix: In scenario where user is part of  multiple groups and all groups are available in SFOS too. User group will be mapped to “Group and Other group memberships”.

Now in case all the groups are removed from this user on Radius, in this case user’s “Group” value use to retain and hence user was able to access resources as per last group policy.

Fix in v20MR1 is to resolve this issue:

• Radius server should respond with a list of Groups via any defined attribute e.g. Filter-ID.
• SFOS Radius server should have the same attribute set for “Group name attribute”.
• Group should pre-exists in firewall to map user correctly in those groups.
• In case group is not available in firewall user will fall in default group configured.

Please take a look at authentication server log if correct group value is returning from Radius server against attribute configured in SFOS server for “Group name attribute”.

We are investigating few customer deployments, who have reported issue to support post migration. We will post update in case we found any new issue during the investigation.

Suggestion is to reach out to support in case you are encountering issue post migration despite group attribute is provided by Radius server under configured value and same group exists in SFOS groups list.  

 -Alok

Hello, can you share screenshots of exactly how this should look in both Radius side and Firewall side settings? We have a group on the Firewall call "Sophos_Web" that we want radius users to be mapped to. These users are members of this group in AD and when they get authenticated with AD, they correctly map to this group. When authenticated with Radius, they are being mapped to the "Open Group". In Radius settings, we have a windows conditions group called "VPN Access" that defines access to use VPN. We had Filter-ID set to "VPN Access" and same in Group name attribute, but it sounds like instead we need Filter-ID to be "Sophos_Web"

and btw, i tested this and it did not work