Sophos (XG) Firewall: Authentication Methods

Note: Please get in touch with Sophos Professional Services if you require assistance with your specific environment.

This guide provides an overview of the supported authentication methods and how to configure them on the Sophos (XG) Firewall.


  • Hotspot authentication is checked when a hotspot is active on the interface the traffic is coming from. The wireless hotspot authentication is primarily used to provide internet access to guests and restrict unwanted traffic on normal networks. 

Clientless Users

  • Clientless users don’t authenticate using a username and password but are identified purely by their IP address. Clientless users are always authenticated locally by the XG Firewall. Typically you would use clientless users to control network access for servers or devices such as printers and VoIP phones. You can also configure people as clientless users, for example, senior executives, for whom you don't want to require a sign-in when they're within the network. If you configure users rather than network devices, we recommend that you map the users with static IP addresses on your DHCP server.
  • You can create clientless users individually or as a group. You can then edit each user's configuration and specify the policies and bandwidth usage.
  • Clientless users appear as live users in current activities. If you deactivate these users, they don't appear as live users.

Single-Sign-On (SSO)

The XG Firewall has several methods for authenticating users for single sign-on:

Sophos Authentication for Terminal Client (STAS)

Sophos Authentication for Terminal/Thin Client (SATC)

Synchronized User Identity

  • Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.
  • Synchronized user ID works with Active Directory (AD) configured as an authentication server in Sophos Firewall and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. The synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. The synchronized user ID shares the domain user account information from the endpoint device the user is signed in to with Sophos Firewall via Security Heartbeat. Sophos Firewall then checks the user account against the configured AD server and activates the user.
  • Sophos Endpoint Protection passes Windows sign-in information to Sophos Firewall. Sophos Firewall uses this information to authenticate against AD. This authentication is used to trigger user-based policies and general user authentication on the firewall.



  • The Sophos XG Firewall can transparently authenticate users who have already been authenticated on an external RADIUS server. The firewall does not interact with the RADIUS server, but simply monitors the RADIUS accounting records that the server sends. These records generally include the user’s IP address and user group.
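Because the accounting record is the only evidence tying an IP address to a user, a consumer of these records should reject any record whose authenticator does not match the shared secret. The following is an added example, not Sophos code: a minimal RFC 2866 Accounting-Request parser that verifies the Request Authenticator before returning a user/IP mapping. It assumes the group is carried in the Class attribute; `build_accounting_request` exists only to construct sample input.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865/2866 attribute types used here (Class as group carrier is an assumption).
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
STATUS = {1: "start", 2: "stop", 3: "interim-update"}
ACCOUNTING_REQUEST = 4


def build_accounting_request(ident, attrs, secret):
    """Build a constructed Accounting-Request (sample input for this example)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_accounting_request(packet, secret):
    """Return the user/IP mapping from a packet, or None if it must be ignored."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    # RFC 2866: authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong secret or altered record: create no user mapping
    record, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute length
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            record["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(value) == 4:
            record["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == CLASS:
            record["group"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            record["status"] = STATUS.get(struct.unpack("!I", value)[0], "other")
        pos += alen
    return record if record.keys() >= {"user", "ip", "status"} else None
```

A record with a "start" status would sign the user in for that IP address and a "stop" would sign them out; records that fail verification are dropped without changing any mapping.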

Kerberos/NTLM SSO

Chromebook SSO

  • XG Firewall provides a Chromebook extension that shares Chromebook user IDs with the Firewall to turn on full user-based policy enforcement and reporting.

Authentication Agent

Web (Captive Portal) Authentication

Related Links

  1. Sophos XG Firewall: How to allow branch office users to authenticate with the head office Active Directory Server
  2. Sophos XG Firewall: How to allow Clientless SSO (STAS) authentication over a VPN

[edited by: H_Patel at 4:55 PM (GMT -7) on 13 Jul 2021]