
Problems with using full UPN as username

Hello everyone,


Let me quickly recap our current situation. We are in the process of changing our company-wide login procedure from the Windows user name (sAMAccountName) to the e-mail address or UPN (userPrincipalName). The primary e-mail address is the same as the UPN. Please note that we are a multinational company, which means that we use different UPN suffixes with a country-specific domain.
Unfortunately we are facing some problems with the Sophos products:


Intercept X:
We use Intercept X on all clients with Synchronized Security enabled and authentication via Heartbeat on our firewall. Unfortunately, there is a lack of full support for the UPN. Intercept X only uses a crippled pseudo implementation by combining the sAMAccountName with the UPN suffix. Unfortunately, the UPN prefix is not always the same as the sAMAccountName, as its length is limited, which is not the case with the UPN. You are also limited to “Active Directory” as the authentication server, as this is the only one supported, and here you also have to use workarounds for each suffix to set up several identical AD connections, one per suffix. The user or VPN portal can be configured via an LDAP connection, which uses the UPN nicely. In this case, having duplicate users makes reporting a pain.

This strange combination is also described here: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/SophosCentral/SecurityHeartbeatOverview/SynchronizedUserIDAuthentication/index.html


Remote access VPN:
We use RADIUS as the authentication server for VPN. Here the domain field is optional, but if you leave it out to log in with the full UPN, the login fails. Apparently not the whole UPN is used here but only the prefix, and because no domain is specified in the configuration, this is cut off. I would think that the complete UPN is used for the synchronization.

However, it is also described here that only the user name is used without a completed domain: https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/RADIUS/AuthenticationRADIUSServerAdd/index.html


My question is how to solve the problem that I can use the full UPN as user name without creating the same user twice because it is different from the sAMAccountName and how to make RADIUS work with multiple UPNs. Are we the only company facing these problems with multiple UPNs or the problem that Intercept X uses sAMAccountName?

Best regards,
Lukas
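As an added example (not part of the original post and not Sophos code), a PowerShell audit that flags the accounts this mismatch would affect: for each user it derives the identity the post describes Heartbeat building (sAMAccountName joined with the UPN suffix), compares it with the real userPrincipalName, and lists the distinct suffixes that would each need their own AD server entry. The way the derived identity is built is an assumption taken from the post's description; the Get-ADUser query is commented out and the inline sample users are constructed.

```powershell
# Added example: audit AD users for UPN prefix / sAMAccountName mismatches.
# DerivedIdentity mimics the behaviour described in the post (sAMAccountName
# combined with the UPN suffix); it is an assumption, not Sophos code.
# Note: sAMAccountName is limited to 20 characters, the UPN prefix is not.

function Get-UpnMismatchReport {
    param(
        [Parameter(Mandatory)]
        [object[]] $Users   # objects with SamAccountName and UserPrincipalName
    )
    foreach ($u in $Users) {
        if (-not $u.UserPrincipalName) {
            # No UPN set: this user cannot log in with a UPN at all
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName; UserPrincipalName = $null
                DerivedIdentity = $null; Suffix = $null
                Mismatch = $true; Reason = 'no UPN'
            }
            continue
        }
        $prefix, $suffix = $u.UserPrincipalName -split '@', 2
        $derived = "$($u.SamAccountName)@$suffix"
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            DerivedIdentity   = $derived
            Suffix            = $suffix
            Mismatch          = ($derived -ne $u.UserPrincipalName)   # case-insensitive, like AD
            Reason            = if ($prefix -ne $u.SamAccountName) { 'prefix differs' } else { '' }
        }
    }
}

# Constructed sample data. Against a real domain replace this block with:
# $users = Get-ADUser -Filter * -Properties SamAccountName, UserPrincipalName
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';            UserPrincipalName = 'jdoe@example.de' }
    [pscustomobject]@{ SamAccountName = 'mmustermann20';   UserPrincipalName = 'max.mustermann@example.de' }
    [pscustomobject]@{ SamAccountName = 'pdupont';         UserPrincipalName = 'pierre.dupont@example.fr' }
    [pscustomobject]@{ SamAccountName = 'svc-backup';      UserPrincipalName = $null }
)

$report = Get-UpnMismatchReport -Users $users

# Users whose derived identity would not match the UPN they log in with
$report | Where-Object Mismatch | Format-Table SamAccountName, UserPrincipalName, DerivedIdentity, Reason -AutoSize

# Distinct suffixes: each one would need its own AD server entry on the firewall
$report | Where-Object Suffix | Group-Object Suffix | Select-Object Name, Count
```

Run it once before the migration: every row with Mismatch set is an account that would show up as a second, different user in reporting.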



[edited by: Raphael Alganes at 2:30 PM (GMT -8) on 21 Jan 2025]