
Sophos Firewall: Authentication Methods


Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Clientless Users

  • Clientless users don’t authenticate using a username and password but are identified purely by their IP address. Clientless users are always authenticated locally by the Sophos Firewall. Typically you would use clientless users to control network access for servers or devices such as printers and VoIP phones. You can also configure people as clientless users, for example, senior executives, for whom you don't want to require a sign-in when they're within the network. If you configure users rather than network devices, we recommend that you map the users to static IP addresses on your DHCP server.
  • You can create clientless users individually or as a group. You can then edit each user's configuration and specify the policies and bandwidth usage.
  • Clientless users appear as live users in current activities. If you deactivate these users, they don't appear as live users.

Single-Sign-On (SSO)

Sophos Firewall has several methods for authenticating users for single sign-on:

Sophos Authentication for Terminal Client (STAS)

Sophos Authentication for Terminal/Thin Client (SATC)

Synchronized User Identity

  • Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.
  • Synchronized user ID works with Active Directory (AD) configured as an authentication server in Sophos Firewall and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. Synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. Synchronized user ID shares the domain user account information from the endpoint device the user is signed in to with Sophos Firewall via Security Heartbeat. Sophos Firewall then checks the user account against the configured AD server and activates the user.
  • Sophos Endpoint Protection passes Windows sign-in information to Sophos Firewall. Sophos Firewall uses this information to authenticate against AD. This authentication is used to trigger user-based policies and general user authentication on the firewall.

RADIUS SSO

  • Sophos Firewall can transparently authenticate users who have already been authenticated on an external RADIUS server. The firewall does not interact with the RADIUS server, but simply monitors the RADIUS accounting records that the server sends. These records generally include the user’s IP address and user group.
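The accounting-based mechanism described above, as an added example that is not Sophos code: a small Python model of how a firewall can consume RADIUS Accounting-Request records (RFC 2866) to maintain an IP-to-user table, and why it must verify the Request Authenticator with the server's shared secret before trusting a record. The packet builder, shared secret, user names, group value and IP addresses are constructed test data.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code (RFC 2866)
# Attribute types: User-Name, Framed-IP-Address, Class (often carries the group), Acct-Status-Type
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2


def build_accounting_request(ident, attrs, secret):
    """Constructed test data only: build an Accounting-Request as a RADIUS server/NAS would send it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret) (RFC 2866 s.3)."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Walk the Type-Length-Value attribute list; reject truncated or zero-length entries."""
    attrs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed RADIUS attribute list")
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def apply_accounting_record(live_users, packet, secret):
    """Update the IP -> (user, group) table from one record; return "start"/"stop", or None if rejected."""
    if not verify_accounting_request(packet, secret):
        return None  # not authenticated with the configured server's secret: never map the IP
    attrs = parse_attributes(packet[20:])
    if len(attrs.get(FRAMED_IP, b"")) != 4 or len(attrs.get(ACCT_STATUS_TYPE, b"")) != 4:
        return None
    ip = ".".join(str(b) for b in attrs[FRAMED_IP])
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    if status == ACCT_START and USER_NAME in attrs:
        live_users[ip] = (attrs[USER_NAME].decode(), attrs.get(CLASS, b"").decode())
        return "start"
    if status == ACCT_STOP:
        live_users.pop(ip, None)  # user signed out: drop the mapping so user-based policy stops applying
        return "stop"
    return None
```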

Kerberos/NTLM SSO

Chromebook SSO

  • Sophos Firewall provides a Chromebook extension that shares Chromebook user IDs with the firewall to turn on full user-based policy enforcement and reporting.

Authentication Agent

Web (Captive Portal) Authentication

Related Links

  1. Sophos Firewall: How to allow branch office users to authenticate with the head office Active Directory Server
  2. Sophos Firewall: How to allow Clientless SSO (STAS) authentication over a VPN


Added Overview, Updated Table of Contents.
[edited by: Raphael Alganes at 11:19 AM (GMT -8) on 4 Dec 2023]