VPN with Authentication Active Directory with enumeration blocked

Hi Tecnologias Imaginadas ,

Thank you for reaching out to the community, can you share the screenshot of the config ? And have you created a separate group for SSL VPN Users ? And under the Firewall authentication have you selected the SSL VPN group and what's the standard group set to Open ?

Do you want configuration of what? Active Directory Server?

Yes, 3 groups I need to separate VPN Users are imported to Sophos.

Authentication for all services except Administration is set to this AD Server.

For firewall this is the configuration

but this is nothing to do with SSLVPN!

Are the SSL VPN users part of the group selected in the above config ?

All of SSL VPN Users are part of domain groups, one of them for SSLVPN usage, as users are domain users, not local users!. Is this answering to you question?

One more time I ask what is have to do with VPN Portal and SSLVPN Authentication?

Hello Tecnologias Imaginadas 

As per the authentication behavior on Sophos firewall, everytime when user logs in through any mechanism(VPN Portal/User Portal/SSL VPN) , firewall send that request directly to configured AD server using the "ADS user name" 

Now at AD server, the "ADS user name" will search the "user" within all domain users to identify user attributes(such as group membership etc) so I assume that when you block user enumeration on AD, the "ADS user name" is not able to search the user and hence you are getting "user not found" message.

so, it seems to be necessary to allow enumeration for at least the user that you are using in "ADS user name" and for rest of the group/OU you can deny the read permissions(user enumeration).

Considering the above behavior, I have some queries on your below 2 statement, what's the difference between them, who is able to authenticate and who is not able to authenticate? 

"After configure Server on XGS I can authenticate and retrieve groups/users without problem...
My problem appears when try to authenticate user on VPN Portal/User Portal/SSL VPN..."

Hi.

Hardik_R said:

As per the authentication behavior on Sophos firewall, everytime when user logs in through any mechanism(VPN Portal/User Portal/SSL VPN) , firewall send that request directly to configured AD server using the "ADS user name" 

No... this is not the behavior at some point!

ADS user name is at one OU that enumeration is not blocked and it could retrieve every group of that OU (groups used in UTM). But when one user that belongs to one of these groups try to login it can't and in the logs I can see a failure on search with filter sAMAccouname=xxxxxxx and result on user not found.

This user is at one OU with enumeration blocked.

Only one OU has enumeration allowed for all users.

Every other "normal users" are part of OU that have enumeration blocked.

To simplify verify this, login to any domain system using "ADS user name" and from there run Get-AdUser query in power shell using filter SAMAccountName.

If you get the correct response then permissions are proper for "ADS user name" and same should work for firewall as well however if you see any error then you need to further validate the permissions for "ADS user name".

Hi.

Thanks for you reply.

So (tests already done before open this discussion...):

1. Powershell with user adsusername:   Get-ADUser filter sAMAccountName=uservpn   ->   user IS found 

2. Powershell with user uservpn:   Get-ADUser filter sAMAccountName=uservpn   ->   user NOT found

Reason:

adsusername is located at an OU that enumeration is allowed for all users

uservpn is located at an OU that has enumeration blocked for a group BLOCKENUMERATION

adsusername is NOT member of BLOCKENUMERATION

uservpn IS member of group BLOCKENUMERATION

uservpn IS member of group VPNUSERS (permited to VPN on Sophos XGS)

VPN Result: 

uservpn CAN login to VPNPorta/SSLVPN if NOT member of BLOCKENUMERATION

uservpn CANNOT login to VPNPortal/SSLVPN if IS member of BLOCKENUMERATION

Are adsusername & uservpn part of same OU or different OU?

I've wrote this... so it's obvious the answer...

Tecnologias Imaginadas said:

Reason:

adsusername is located at an OU that enumeration is allowed for all users

uservpn is located at an OU that has enumeration blocked for a group BLOCKENUMERATION