pptp vpn - authenticate all AD users

Zane,

welcome onboard. For PPTP and L2TP, you need to use RADIUS because of MIcrosoft limitation. See this thread: https://community.sophos.com/products/xg-firewall/f/124/p/75405/293038#pi394=1

PPTP, also is an ensecure protocol, because authentication is sent in clear text. Use Sophos SSL VPN insted or L2TP with Radius.

so I would need to use ssl vpn to authenticate directly against AD without the radius server?  will this work with the windows vpn client?

Zane,

it will work against AD users. On Windows Client, you need to download and install the Sophos SSL vpn client from user portal.

I had to find the user portal, I have never used it.  it did not have a vpn client listed.

Zane,

from https://www.sophos.com/en-us/medialibrary/PDFs/documentation/Sophos-XG-Firewall-Administrator-Guide.pdf?la=en on page 293 you can find how to configure an SSL VPN.

By default the user portal is enabled on LAN and WAN zone and port is 443. Anyway you can check it on System > Administration > Device Access and checks that User Portal is enabled. To check the user portal port, go back to Settings inside Administration again.

Hi Zane,

Just coming back to your original question, you can allow PPTP, L2TP or SSL VPN via the AD Group Membership. Simply put you import the AD groups you are interested in and then you can enable these features for the group. A users group membership is checked whenever the appliance performs an authentication against the AD.

As indicated by Luk, in order to authenticate LT2P or PPTP connections against AD you will need to use RADIUS. This functionality can be provided by Microsoft Network Policy Server (NPS).

Hi Zane,

Just coming back to your original question, you can allow PPTP, L2TP or SSL VPN via the AD Group Membership. Simply put you import the AD groups you are interested in and then you can enable these features for the group. A users group membership is checked whenever the appliance performs an authentication against the AD.

As indicated by Luk, in order to authenticate LT2P or PPTP connections against AD you will need to use RADIUS. This functionality can be provided by Microsoft Network Policy Server (NPS).