
20.0.0 GA to 20.0.2 MR2 378 - Sophos Connect - SSL VPN - AD Groups not added on authentication

After the XG 210 upgrade to SFOS 20.0.2 MR2 build 378 we now have the issue that firewall rules for AD Group VPN Users no longer work for some SSL VPN users belonging to the AD VPN Users group. We know that IPSEC doesn’t work with AD groups but SSL VPN used to work with AD Group membership rules up to this update. We do not use Remote Access VPN - IPSEC. 

Users now receive the Open Group as primary and no other groups are added. We have the AD groups VPN Administrators, VPN Power Users and VPN Users, in descending order. Somehow not all users are affected. The VPN Users group on the XG has some members shown on the XG that are not affected (also shown when not logged in, or not logged in for quite some time); all others not shown don’t have the additional groups added on login with Sophos Connect and are affected.

I cannot add the users to the VPN Users group on the XG as the membership doesn’t last. 

Is this a known bug? Do we now have to administer locally for SSL VPN?

TIA,

Fred



  • This sounds like an AD issue to me.
    You could try to authenticate one user, check the access_server.log on the CLI and double-check what groups are delivered by AD.

    Also double-check the AD server config; if you have multiple AD servers, maybe one of those servers is not delivering the correct information anymore.

    Are you using RADIUS or anything else?
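One way to do the "check what groups AD delivers" step from outside the firewall, as an added example that is not from this thread or from Sophos: it queries the user's memberOf attribute with the third-party ldap3 library and reports which of the three VPN groups named above would match first in the firewall's descending order. The DC name, bind account, base DN and the VPN_GROUPS list are assumptions taken from the thread or placeholders you must replace.

```python
"""Diagnostic: confirm which AD groups a user is actually a member of.

Added example. The LDAP part needs the third-party ldap3 package
(pip install ldap3); the pure helpers below run without it.
"""
from typing import Iterable, List, Optional, Set

# Group order as configured on the firewall, most privileged first
# (names taken from the thread; adjust to your own group names).
VPN_GROUPS = ["VPN Administrators", "VPN Power Users", "VPN Users"]


def cn_from_dn(dn: str) -> str:
    """Return the CN of a DN such as 'CN=VPN Users,OU=Groups,DC=example,DC=local'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else first


def group_names(memberof_values: Iterable[str]) -> Set[str]:
    """Set of group CNs from a user's memberOf attribute values."""
    return {cn_from_dn(v) for v in memberof_values}


def expected_vpn_group(names: Set[str]) -> Optional[str]:
    """First VPN group in firewall order the user belongs to, or None."""
    for group in VPN_GROUPS:
        if group in names:
            return group
    return None


def fetch_memberof(conn, base_dn: str, sam_account: str) -> List[str]:
    """Query AD for the user's direct group memberships (memberOf)."""
    from ldap3.utils.conv import escape_filter_chars  # escape user input in the filter
    flt = "(sAMAccountName=%s)" % escape_filter_chars(sam_account)
    conn.search(base_dn, flt, attributes=["memberOf"])
    if not conn.entries:
        raise LookupError("user %r not found under %s" % (sam_account, base_dn))
    entry = conn.entries[0]
    return list(entry.memberOf.values) if "memberOf" in entry.entry_attributes else []


if __name__ == "__main__":
    import sys
    from ldap3 import Connection, Server, NTLM
    # Placeholders: your domain controller, a read-only bind account, your base DN.
    server = Server("dc1.example.local", use_ssl=True)
    conn = Connection(server, user="EXAMPLE\\ldap-reader", password="CHANGE-ME",
                      authentication=NTLM, auto_bind=True)
    user = sys.argv[1]
    names = group_names(fetch_memberof(conn, "DC=example,DC=local", user))
    print("%s: AD returns %s" % (user, sorted(names)))
    print("firewall should match:", expected_vpn_group(names) or "none (only Open Group)")
```

memberOf lists direct memberships only, so a user who reaches a VPN group through a nested group will not show it here; compare the output for an affected and an unaffected user to see whether the difference is on the AD side.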
