Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos XG does not recognize user group returned by NPS RADIUS server

Hello everyone,

I have issue with Sophos XG firewall running SFOS 19.5.4 MR-4-Build718 configured for authentication via RADIUS server running on Windows Server (NPS service) with Azure MFA extension. We use it for MFA for VPN users. It works fine except recognition of user group membership returned in Filter-Id field by NPS server. I have checked with Wireshark that NPS service returns Filter-Id field containing correct user group. However, Sophos XG accept response from NPS server and user get authenticated but user group is not recognized and user falls into Open Group only. Note that I have configured Filter-Id as Group member attribute in Sophos XG definition for RADIUS server. In addition, have checked debug access_server.log on Sophos XG firewall and found following:



Added TAGs
[edited by: Erick Jan at 12:38 PM (GMT -7) on 26 Aug 2024]
  • Thanks for your time over remote session and support.

    As we are unable to replicate the issue, not sure why it's stopped working  with Filter-ID.

    For anyone if it’s not working, you can check following before making any changes.

    1. Enable Debug via CLI: console> system diagnostics subsystems Access-Server debug on 
    2. Attempt for user login
    3. Disable Debug via CLI: console> system diagnostics subsystems Access-Server debug off 
    4. Search for “GroupName Attribute”:   grep "GroupName Attribute" -B 1  -A 1 access_server.log 

    DEBUG     Sep 09 08:38:54.382930Z [RADIUS_AUTH]: (cb_authenticate_user): Authentication OK for User: 'test'
    DEBUG     Sep 09 08:38:54.382944Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Class': 'Group1'
    DEBUG     Sep 09 08:38:54.382950Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Class': 'Group2'
    DEBUG     Sep 09 08:38:54.382954Z [RADIUS_AUTH]: (radiusauth_authenticate_user_finish): RADIUS_AUTH: User Authenticated with Server: '172.17.0.51:1812'

    --

    DEBUG     Sep 09 08:42:12.967097Z [RADIUS_AUTH]: (cb_authenticate_user): Authentication OK for User: 'demo'
    DEBUG     Sep 09 08:42:12.967107Z [RADIUS_AUTH]: (cb_authenticate_user): GroupName Attribute 'Filter-Id': 'Group3'
    DEBUG     Sep 09 08:42:12.967114Z [RADIUS_AUTH]: (radiusauth_authenticate_user_finish): RADIUS_AUTH: User Authenticated with Server: '172.17.0.51:1812'

          5. Group info should match with Actual group available in SFOS UI. As above value is something returned from RADIUS server. 
          6. If "GroupName Attribute" value is empty need to check in PCAP, if server is sending value properly in response.  

  • Hello, can you share screenshots of exactly how this should look in both Radius side and Firewall side settings? We have a group on the Firewall call "Sophos_Web" that we want radius users to be mapped to. These users are members of this group in AD and when they get authenticated with AD, they correctly map to this group. When authenticated with Radius, they are being mapped to the "Open Group". In Radius settings, we have a windows conditions group called "VPN Access" that defines access to use VPN. We had Filter-ID set to "VPN Access" and same in Group name attribute, but it sounds like instead we need Filter-ID to be "Sophos_Web"

  • and btw, i tested this and it did not work