
Sophos Firewall: Using Azure MFA for SSL VPN and User portal

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended read describes how to use Azure MFA for SSL VPN and User Portal.

Inspiration for this post was taken from https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/

One of the things that I’ve seen at work is that Sophos Firewall VPN users are using one token for Sophos SSLVPN and another for, for example, Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using can do the “pop-up”, letting the user easily sign in like this:

Nonetheless, it’s easier for the IT dept. (and the user!) to maintain only one token solution.

Here is the auth flow for Azure MFA with NPS Extension:

Nice, isn’t it 

So how to fix it?

Radius Validation

We set up Sophos Firewall for RADIUS validation for SSLVPN and UserPortal access. If you use the built-in OTP solution, turn it off. 

To get started:

  • If you don’t have MFA turned on for your Office 365/Azure AD accounts, you can turn it on through the following link: https://aka.ms/mfasetup
  • Of course, you need to set Azure AD Connect to get your on-premises talking with Azure. I won’t go into the details here, as I assume this is already set and working. 

Let’s go:

  1. Install the Network Policy Server (NPS) role on your member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we’ll go ahead and place this on the domain controller, but remember, it’s also possible to do it on a domain-joined member server!
  2. Press “Next,” and the installation begins:

  3. After installation, download and install the NPS Extension for Azure MFA here:
    https://www.microsoft.com/en-us/download/details.aspx?id=54688

Note: When I tried this on a server with NPS already set up, it failed with the other mechanisms because of this:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa

“Control RADIUS clients that require MFA

Once you turn on MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one.

Configure RADIUS clients for whom you want to require MFA to send requests to the NPS server configured with the extension and other RADIUS clients to the NPS server not configured with the extension.”

So the “workaround” is to run the MFA for the Sophos on a separate NPS instance 

  1. After it’s installed, follow the configuration steps as stated here (find the TenantID and run the PowerShell script):
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-director
  2. Configure your RADIUS client. Here it’s the Sophos Firewall:

    Remember the secret. We need it later on.

  3. Create a “Connection request policy”:

    Type here the IP of the Sophos Firewall

    Set it as shown above and leave the rest of the settings at their defaults.

  4. Now, create a “Network Policy.”

    Add a domain group that shall have this access. To simplify, here I have chosen domain\Domain Users.
    Now, for the EAP types, XG only supports PAP, as far as I have tested:


    You’ll get a warning that you have chosen unencrypted auth (locally—not on the internet!). Just press OK.
    Just leave the rest to their defaults and save the policy.

  5. Now, to create a firewall rule:

  6. Now, to set the XG for this:

    Press ADD. Remember to choose RADIUS:

    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS. Also, remember to change the timeout from 3 to 15 seconds!

    You can now test whether NPS and Azure MFA authentication are working. Change the Group name attribute to “SF_AUTH”.

    Press the TEST CONNECTION button:

    Type in a user’s username (email address) and password, and your phone should pop up with Microsoft Authenticator.

    You should see this soon after you accept the token:

  7. Now head over to the Authentication –> Services section:

    Add the new RADIUS server to:
    – User portal authentication methods
    – SSL VPN authentication methods

    Also, make sure that the group your AD / RADIUS users are in is added to the SSLVPN profile:

  8. Now log in to the User Portal and download a VPN client. (You can't use the old ones if you already had those installed.)
  9. Now connect through VPN, type in your full email username and password, then wait for MS Authenticator to pop up, accept the token, and you’re logged into VPN.
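
The NPS role installation and the RADIUS client entry from the steps above can also be scripted. This is an added example, not part of the original post: the client name, the placeholder firewall address and the 64-character secret length are assumptions. Because the network policy uses PAP, the RADIUS shared secret is what protects the password between the firewall and NPS, so the script generates a long random one instead of a typed one.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the server that will host the MFA-only NPS instance.
$ClientName = 'SophosFirewall'   # hypothetical friendly name (assumption)
$FirewallIp = '192.0.2.1'        # placeholder address; use your firewall's IP

# Install the Network Policy Server role with its management tools.
$feature = Install-WindowsFeature -Name NPAS -IncludeManagementTools
if (-not $feature.Success) { throw 'NPAS role installation failed.' }
Import-Module NPS

# Refuse to create a second client entry for the same address.
$existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $FirewallIp }
if ($existing) {
    throw "A RADIUS client for $FirewallIp already exists: $($existing.Name)"
}

# Build the shared secret from 32 bytes of CSPRNG output, hex-encoded.
# Assumption: the firewall accepts a 64-character secret; shorten it if not.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$secret = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Register the Sophos Firewall as a RADIUS client of this NPS instance.
New-NpsRadiusClient -Name $ClientName -Address $FirewallIp -SharedSecret $secret |
    Out-Null

# Show the secret once so it can be entered in the firewall's RADIUS server
# settings, then keep it in a password manager rather than in a file.
Write-Host "RADIUS client '$ClientName' created for $FirewallIp"
Write-Host "Shared secret: $secret"
```

The connection request policy and network policy still have to be created as described in the steps above.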

UPDATE: 20/11-2023

Due to recent changes in the module and Entra, you’ll need to add this to the registry of the NPS server:

  1. On the NPS Server, open the Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
  3. Create the following String/Value pair:
    • Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
    • Value: FALSE
  4. Restart the NPS Service.
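
The same registry change as a script, for servers where you prefer not to edit the registry by hand. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the NPS server and uses `IAS`, the Windows service name of Network Policy Server.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$Name    = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'
$Value   = 'FALSE'

# The key is created by the NPS Extension installer; if it is missing, the
# extension is not installed here and setting the value would have no effect.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key $KeyPath not found. Install the NPS Extension for Azure MFA first."
}

# Read the current value (null when the entry does not exist yet).
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name

if ($current -ne $Value) {
    # Create or overwrite the string value, then restart NPS so it is picked up.
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value `
        -PropertyType String -Force | Out-Null
    Restart-Service -Name IAS
    Write-Host "$Name set to $Value (was: '$current'); NPS restarted."
} else {
    Write-Host "$Name is already $Value; nothing changed."
}

# Verify: the value reads back as expected and the NPS service is running.
$check  = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
$status = (Get-Service -Name IAS).Status
if ($check -ne $Value -or $status -ne 'Running') {
    throw "Verification failed: value='$check', NPS service status='$status'."
}
Write-Host "Verified: $Name=$check, NPS service is $status."
```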

WHY: How number matching works in multifactor authentication push notifications for Microsoft Authenticator | Microsoft Learn

References

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

https://community.sophos.com/kb/en-us/127328

Source: https://martinsblog.dk/sophos-xg-use-azure-mfa-for-sslvpn-and-userportal/




Revamped RR
[edited by: Erick Jan at 5:40 AM (GMT -7) on 9 Oct 2024]
  • Good day to all,

    Thank you twister5800 for the tutorial. I implemented and tested this in my LAB environment a long time ago. Currently we are still using this solution with the Sophos SG series and have to adjust the config file on the clients to set the "route-delay" to 2, otherwise the authentication will fail. Since we are now planning to go to the Sophos XGS, I am now testing this variant with the new Sophos Connect client, since in the meantime the old VPN client is phased out anyway. The new client also has advantages with the distribution etc.

    My current problem is that the Sophos Connect client does not connect with Radius and MFA. The authentication arrives, I can confirm it via MS Auth., and the client then runs into Auth. Failure. I have already tested the timings on the Sophos XGS from 5-30 seconds. Always the same problem. It looks to me like the VPN client gives up way too fast and tries to authenticate a second time and then runs into a failure, as the Sophos is then already through with the process. With the old client you can also see this very well in the status. There, however, as mentioned, the value helps. With Sophos Connect the entry is ignored or does nothing.

    Has anyone had a similar problem with the implementation and perhaps solved it? Or does anyone have an idea what else can be done?

    Thanks in advance and a nice rest of the week

    Many greetings
    Alex
