Disclaimer: This information is posted as-is and the content should be referenced at your own risk
Some of the things I've seen at work is that Sophos Firewall VPN users are using one token for Sophos SSLVPN and another for e.g. Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one Office 365 is using can do the "pop-up", letting the user sign in easily, like this:
Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution [:)]
Here is the auth flow for Azure MFA with NPS Extension:
Nice, isn't it? [;)]
So how do we fix this?
We set up Sophos Firewall for RADIUS validation for SSLVPN and UserPortal access, and if you use the built-in OTP solution, disable that [:)]
To get started:
Let’s go:
Remember the secret, we need it later on [:)]
Type in the IP of the Sophos Firewall here:
Just set it like above and leave the rest of the settings at their defaults [:)]
Add a domain group that shall have this access; to simplify, here I have chosen domain\Domain Users.
Now the EAP types: Sophos Firewall only supports PAP, as far as I have tested:
You will get a warning telling you that you have chosen unencrypted auth (locally – not on the Internet!), just press OK.
Just leave the rest at their defaults and save the policy.
Press ADD:
Remember to choose RADIUS:
Fill in as your environment matches:
Type in the secret you wrote down earlier and create a host object for your NPS, also remember to change the timeout from 3 to 15 secs!
You can now test if the authentication through NPS and Azure MFA is working; change the Group name attribute to "SF_AUTH".
Press the TEST CONNECTION button:
Type in a user's username (e-mail address) and password, and your phone should pop up with Microsoft Authenticator [:)]
You should see this soon after you accept the token:
Add the new RADIUS server to:
– User portal authentication methods
– SSL VPN authentication methods
Also make sure that the group your AD / RADIUS users are in is added to the SSLVPN profile:
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices
https://community.sophos.com/kb/en-us/127328
Source: https://martinsblog.dk/sophos-xg-use-azure-mfa-for-sslvpn-and-userportal/
Additional special thanks to Rieski for his contributions to this content!
Great :-)
-----
Best regards,
Martin
Sophos XGS 2100 @ Home | Sophos v19 Architect
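As an added illustration (not code from the post, from Sophos or from Microsoft), this is the RADIUS PAP exchange that runs underneath the setup above: the firewall hides the User-Password with the shared secret written down earlier, NPS reverses it, and nothing stronger than that secret protects the password in transit, which is why the PAP warning says "locally – not on the Internet". The secret, username and NAS IP are constructed placeholders; the 15 s timeout from the post applies when this request is actually sent, since the NPS extension only answers once the user approves the push.

```python
import hashlib
import os
import struct


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to a 16-byte multiple and XOR each block with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # The NPS side: only the shared secret guards the password, so a weak or
    # reused secret exposes every SSLVPN password that crosses the wire.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, ident: int = 1, authenticator: bytes = b"") -> bytes:
    # Access-Request (code 1) with User-Name (1), User-Password (2), NAS-IP-Address (4),
    # as the firewall sends it to UDP/1812; nas_ip is the firewall IP entered in NPS.
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    hidden = pap_encrypt(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    attrs += struct.pack("!BB", 4, 6) + bytes(int(o) for o in nas_ip.split("."))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    # What NPS sees: 20-byte header (code, id, length, authenticator), then TLV attributes.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "user": attrs[1].decode(), "nas_ip": ".".join(map(str, attrs[4])),
            "password": pap_decrypt(attrs[2], secret, authenticator).decode()}
```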
Thanks for the howto! Small hint from my side:
If your system language isn't English, you have to translate "Network Service" in the PowerShell script to your language.
Otherwise it will fail with "Unable to grant certificate private key access to NETWORK SERVICE. Please grant access manually."
Hi Jonnie,
Have you tried the German article? :-)
https://docs.microsoft.com/de-DE/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
Yes, I can switch the documentation to German, but there is no German NPS extension file to download. With the setup file comes the PowerShell script, which is looking for "Network Service" instead of "Netzwerkdienst". So the script stops on my German server. ;)
Ahh - did not see that the server was installed with a German UI :-)
Hmm... try to switch the UI language back to English and rerun; I do not know if there are other things failing or not being adjusted because of this :-)
Hello,
I tried for a few days to activate this feature, but unfortunately it doesn't work.
We already have some devices connected to our RADIUS server. When I tried a basic connection between Sophos and RADIUS (without the NPS extension installed) I got an error:
EventData SubjectUserSid S-1-0-0 SubjectUserName ertr SubjectDomainName SYD FullyQualifiedSubjectUserName SYD\ertr SubjectMachineSID S-1-0-0
AuthenticationType PAP
So both are able to talk, but for an unknown reason the SID is always the same (S-1-0-0) and the Fully Qualified Subject User Name is not right. I can't find the setting on the Sophos to change it?
Thanks for your help on this
Hi, are you aware of this?
Note: As I tried this on a server with NPS already set up, it failed with the other mechanisms, because of this: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa
“Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.
Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension.”
So the “workaround” is to run the MFA for the Sophos on a separate NPS instance.
Yes, I read a lot of documentation about RADIUS, and as I said, to begin I just want to test the basic authentication from Sophos without MFA. Is your lab still up and running? Do you have the same \ in the FQQUN? Because if I look at the Event Viewer for other wifi connections, there is only /, and the SID is good with more numbers.
Yes i have :-)
Have you followed this, just for running without MFA?
Sophos XG Firewall: How to configure RADIUS for Enterprise Wireless Authentication with Windows Server
Remember to set the authentication order so you have your RADIUS listed in "Firewall authentication" :-)