RADIUS authentication and backend group membership

Hi,

I am using UTM 9.411-3 on SG210.

I can configure web interface and VPN logins to use either LDAP or RADIUS authentication.

However, when using RADIUS, I don't see any way to handle different groups of users.  A "backend group" is created, but it just says:

    Dynamic membership: User can be authenticated with RADIUS

All RADIUS users are treated identically as far as I can tell.  What I was hoping for was to be able to return an attribute in the RADIUS Access-Accept which lets me put different users in different groups, e.g. so they have access to different parts of the network.

I can do this fine with LDAP - each group can have "Check an LDAP attribute", Attribute "MemberOf", value "<uid of group>".  But I would really rather use RADIUS so that I can add 2FA against a central database.  Alternatively, I'd like to use RADIUS for authentication plus LDAP for group membership.

So in summary my question is: is it possible to assign users to groups via RADIUS response or via separate LDAP query?  If so, how?  And if not, can this be considered for a feature request?

Many thanks,

Brian.

(P.S. the LDAP over SSL security is broken in UTM - it doesn't validate the server certificate. That's a separate problem which I hope Sophos will fix sooner or later).



  • You need to set up the groups on the backend on the RADIUS server. UTM will just send the request to the RADIUS server, and that server will figure out the request based on which service it's trying to use. To my knowledge, this is something you'd want handled on the RADIUS server anyway so that you can change groups on the RADIUS server and have it update instantly, versus an AD binding which would need to be refreshed manually or on an interval. 

    If you're using Windows Server as the AD/RADIUS, you'd set up different network access policies on the server side and, depending on the NAS Identification, pull a different user group (or groups) from AD. 

    This link has been very helpful to me:

    https://community.sophos.com/kb/pl-pl/115050


    Good luck!

  • Services are not a problem: as that article says, the incoming Access-Request has a NAS-Port-Identifier saying what service the user is trying to access.

    It is to do with firewall rules and reachability of the network.

    For example: with LDAP I can create a UTM group (linked to an LDAP group) which has access to particular parts of the internal network. Depending on what LDAP group a user is in, they will be in a different UTM group and thus able to reach different parts of the network.

    There's no equivalent approach with RADIUS that I can see.

  • Sorry, I'm a bit new at this, so maybe I misunderstood your question. This is the setup I have, maybe this isn't what you're trying to accomplish. 

    I currently have my UTM9 device configured to do the following. 

    One RADIUS client linked to the RADIUS server (with one authentication server on the UTM). From there, I have two policies on the RADIUS server. One is for webadmin, one is for VPN access. On the RADIUS server, each policy is linked to a network access policy, which in turn authenticates with a specific user group in Windows AD. 

    So, Group A of users can access via RADIUS to the VPN, Group B access the webadmin (and still authenticate via RADIUS). Same RADIUS server, same RADIUS client, different network policy access group. 

    Sorry if I misunderstood your question.


    EDIT: I just re-read your original post... I see you're trying to restrict individual network access as opposed to services on the UTM itself. My bad. 

  • So what I want is:

    * Group A and Group B can both access the VPN

    * When connected to the VPN, Group A can ping 10.10.0.0/16 and Group B can ping 10.20.0.0/16

    This is straightforward to do with LDAP groups, but does not appear to be possible with RADIUS authentication.  And you can't combine RADIUS authentication with LDAP group membership as far as I can see.

    Regards,

    Brian.
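    The mechanism this post and the earlier one about services are asking for, as an added example that is not part of the original thread and not Sophos UTM code: a minimal RFC 2865 Access-Request/Access-Accept exchange in which the NAS puts the service it is protecting in NAS-Identifier, the server authenticates the user and answers with the user's group in a Filter-Id attribute, and the NAS maps that group to a reachable network (Group A to 10.10.0.0/16, Group B to 10.20.0.0/16 as above). The shared secret, user store, service names, group names and prefixes are all constructed for the example; whether UTM 9 consumes such a returned attribute is exactly what the thread leaves open.

```python
# Constructed example, not Sophos UTM code: a minimal RFC 2865 Access-Request /
# Access-Accept exchange in which the NAS names its service in NAS-Identifier and
# the server returns a group in Filter-Id that the NAS maps to a reachable network.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, NAS_IDENTIFIER = 1, 2, 11, 32
SHARED_SECRET = b"example-shared-secret"  # constructed; never reuse in production

# Constructed user store (username -> password, group), per-service policy keyed by
# the NAS-Identifier the NAS sends, and the per-group network the NAS enforces.
USERS = {"alice": (b"alice-pw", "group-a"), "bob": (b"bob-pw", "group-b")}
SERVICE_ACCESS = {"ssl-vpn": {"group-a", "group-b"}, "webadmin": {"group-a"}}
GROUP_NETWORKS = {"group-a": ipaddress.ip_network("10.10.0.0/16"),
                  "group-b": ipaddress.ip_network("10.20.0.0/16")}

def encode_attrs(attrs):
    """Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def password_xor(data, secret, req_auth, hide):
    """RFC 2865 s5.2 User-Password hiding; the same MD5/XOR chain recovers it (hide=False)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out, prev = out + chunk, (chunk if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")  # strip padding on recovery

def build_request(ident, user, password, nas_id, secret=SHARED_SECRET):
    """NAS side: fresh random Request Authenticator; the service goes in NAS-Identifier."""
    req_auth = os.urandom(16)
    hidden = password_xor(password.encode(), secret, req_auth, True)
    body = encode_attrs([(USER_NAME, user.encode()), (USER_PASSWORD, hidden),
                         (NAS_IDENTIFIER, nas_id.encode())])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth

def handle_request(pkt, secret=SHARED_SECRET):
    """Server side: check password, check the group may use this service, return the group."""
    code, ident, req_auth, attrs = unpack(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)  # each attribute appears at most once in this example
    user, nas_id = a.get(USER_NAME, b"").decode(), a.get(NAS_IDENTIFIER, b"").decode()
    password = password_xor(a.get(USER_PASSWORD, b""), secret, req_auth, False)
    entry = USERS.get(user)
    ok = entry is not None and hmac.compare_digest(entry[0], password)
    if ok and entry[1] in SERVICE_ACCESS.get(nas_id, ()):
        code, body = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, entry[1].encode())])
    else:
        code, body = ACCESS_REJECT, b""  # a reject carries no group
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_reply(reply, req_auth, ident, secret=SHARED_SECRET):
    """NAS side: (code, attrs) only if ident and Response Authenticator match, else None."""
    code, rid, resp_auth, attrs = unpack(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return None  # wrong secret, stale ident, or tampered attributes
    return code, dict(attrs)

def authenticate(user, password, nas_id, ident=1):
    """Full in-process exchange; returns (accepted, group or None)."""
    req, req_auth = build_request(ident, user, password, nas_id)
    result = verify_reply(handle_request(req), req_auth, ident)
    if result is None or result[0] != ACCESS_ACCEPT:
        return False, None
    return True, result[1].get(FILTER_ID, b"").decode() or None

def may_reach(group, address):
    """The per-group reachability the NAS would enforce from the returned group."""
    net = GROUP_NETWORKS.get(group)
    return net is not None and ipaddress.ip_address(address) in net
```

    Two points a practitioner would check in a real deployment: the NAS must validate the Response Authenticator before acting on any returned attribute (an unchecked reply lets anyone on the path hand out group membership), and the server's decision is keyed on NAS-Identifier, so the same user can be accepted for the VPN and rejected for WebAdmin from one RADIUS client entry.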

  • I understand the issue now... my apologies...


    Following this in case anyone else has this type of issue. I'm too new with UTM9 to know of any other viable workarounds. Sorry again for the confusion. 
