Disclaimer: This information is posted as-is and the content should be referenced at your own risk
One thing I’ve seen at work is that Sophos XG VPN users end up with one token for Sophos SSL VPN and another for, e.g., Office 365 services. Both tokens can live in Microsoft Authenticator, but only the one Office 365 uses can do the “pop-up” that lets the user sign in easily, like this:
Either way, it’s easier for the IT dept. (and the user!) to maintain only one token solution [:)]
Here is the auth flow for Azure MFA with NPS Extension:
Nice isn’t it [;)]
So how do we fix this?
We set up Sophos XG for RADIUS validation for SSL VPN and User Portal access, and if you use the built-in OTP solution, disable it [:)]
To get started:
Remember the secret, we need it later on [:)]
Enter the IP of the XG here:
Just set it like above and leave the rest of the settings at their defaults [:)]
Add a domain group that shall have this access; to keep it simple, here I have chosen domain\Domain Users.
Now the EAP types: XG only supports PAP, as far as I have tested:
You will get a warning telling you that you have chosen unencrypted auth (locally, not on the Internet!), just press OK.
Leave the rest at their defaults and save the policy.
Remember to choose RADIUS:
Fill in as your environment matches:
Type in the secret you wrote down earlier and create a host object for your NPS; also remember to change the timeout from 3 to 15 seconds!
You can now test whether authentication through NPS and Azure MFA is working. Change the Group name attribute to “SF_AUTH”:
Press the TEST CONNECTION button:
Type in a user’s username (e-mail address) and password, and your phone should pop up with Microsoft Authenticator [:)]
You should see this soon after you accept the token:
Add the new RADIUS server to:
– User portal authentication methods
– SSL VPN authentication methods
Also make sure that the group your AD / RADIUS users are in is added to the SSL VPN profile:
Yes I have :-)
Have you followed this, just for running without MFA?
Sophos XG Firewall: How to configure RADIUS for Enterprise Wireless Authentication with Windows Server
Remember to set the authentication…
Just to clarify something: with this setup all users will fall into the Open Group, which is wrong for a fully configured XG.
You need to set the RADIUS attribute "Filter-Id" on your NPAS server's network policy to the XG group name the user should go to.
Then in the server settings on XG, "Group name attribute" needs to be "Filter-Id", not "SF_AUTH" or anything else.
This way you pass the value of Filter-Id from RADIUS to Sophos XG and the user is added to the desired group.
Hope this helps ...
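As an added illustration (not code from the original post or its comments), here is a small Python model of the two RADIUS details this setup hinges on: the PAP User-Password hiding that the NPS policy warns about (it is keyed only by the shared secret, hence the "locally, not on the Internet" remark), and the Filter-Id lookup the comment above describes for mapping a user to an XG group instead of the Open Group. The shared secret, authenticator and group name "VPN_Users" are constructed values.

```python
import hashlib
import struct

# RFC 2865 attribute types used here
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
XG_DEFAULT_GROUP = "Open Group"  # where XG puts a user with no usable group attribute

def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the Request
    Authenticator seeds the first block. This is obfuscation keyed by the
    shared secret, not real encryption, so keep PAP/RADIUS on a trusted segment."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate, as the NPS side performs it before checking AD."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Serialise [(type, value)] as RADIUS TLVs: type, length (incl. header), value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(payload: bytes):
    """Walk the attribute section of a RADIUS packet, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs

def xg_group(accept_payload: bytes, group_attr_type: int = FILTER_ID) -> str:
    """Model XG's 'Group name attribute' lookup on an Access-Accept: the first
    attribute of the configured type names the group, otherwise Open Group."""
    for t, v in parse_attrs(accept_payload):
        if t == group_attr_type:
            return v.decode()
    return XG_DEFAULT_GROUP
```

Feeding an Access-Accept that carries no Filter-Id (only User-Name, say) into `xg_group` returns "Open Group", which is exactly the symptom the comment describes.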