
RADIUS or AD Authenticated user is not showing active Remote Access VPN session

We use RADIUS or AD to authenticate the Remote VPN clients.  One issue we discovered is that the RADIUS- or AD-authenticated users are not showing as "Online Users" in the Remote Access section.  We can tell the user is connected by the log.  However, it doesn't show in the GUI.  We found this issue occurs because those users don't have an account in "Users & Groups".  If I enable "Create user automatically" with the End-user Portal and ask the user to sign in to the End User Portal that authenticates with RADIUS, the auto account creation will add the user automatically.  Once the auto-created user account exists in the UTM, it will show the VPN connection state in Remote Access.

The issue is that for those users who just authenticate with RADIUS or AD without signing in to the End User Portal, their remote VPN connection is invisible.  This is a security risk in that the system allows phantom VPN connections.  The system administrator is not going to be able to detect if there is any suspicious VPN connection to the network.

Sophos needs to improve the interface to show VPN connections with externally authenticated users or create users automatically when the users authenticate in VPN.
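
The log-based check the post above relies on, as an added example (not part of the thread and not Sophos code): it replays connect/disconnect events to list sessions that are still open and flags those whose user has no local account. The log format, field names and function names are assumptions; adapt the regular expression to the lines the appliance's remote-access log actually contains.

```python
import re
from datetime import datetime

# Constructed sample in a simplified, hypothetical format; this is NOT the
# UTM's real log syntax. Adapt EVENT_RE to the lines your appliance writes.
SAMPLE_LOG = """\
2024-03-01T08:02:11 vpn event=connect user=alice src=198.51.100.7 vip=10.242.2.6
2024-03-01T08:15:40 vpn event=connect user=RadiusBob src=203.0.113.9 vip=10.242.2.10
2024-03-01T09:01:03 vpn event=disconnect user=alice src=198.51.100.7 vip=10.242.2.6
2024-03-01T09:30:00 vpn event=connect user=carol src=192.0.2.44 vip=10.242.2.14
2024-03-01T09:31:12 vpn event=disconnect user=dave src=192.0.2.50 vip=10.242.2.18
2024-03-01T09:45:27 vpn event=connect user=alice src=198.51.100.7 vip=10.242.2.6
garbage line that does not parse
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) vpn event=(?P<event>connect|disconnect) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) vip=(?P<vip>\S+)$"
)

def active_sessions(log_text):
    """Replay connect/disconnect events; return sessions still open at the end."""
    sessions = {}  # key: (lower-cased user, tunnel IP)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not VPN session events
        key = (m["user"].lower(), m["vip"])
        if m["event"] == "connect":
            sessions[key] = {"user": m["user"], "src": m["src"],
                             "since": datetime.fromisoformat(m["ts"])}
        else:
            sessions.pop(key, None)  # disconnect without a seen connect: ignore
    return sessions

def phantom_sessions(log_text, local_users):
    """Open sessions whose user has no local account (invisible per the post)."""
    known = {u.lower() for u in local_users}
    return sorted((s["user"], s["src"], s["since"].isoformat())
                  for (user, _), s in active_sessions(log_text).items()
                  if user not in known)

if __name__ == "__main__":
    # Assumed export of the local account names from "Users & Groups".
    for user, src, since in phantom_sessions(SAMPLE_LOG, ["alice", "carol"]):
        print(f"no local account: {user} from {src}, connected since {since}")
```

Run against a periodic log export, the output gives the administrator the list of connected, externally authenticated users that the "Online Users" view leaves out.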



  • You're asking great questions here.

    To have secure and verifiable remote access, I recommend against using pre-shared keys.  The SSL VPN requires X509 certs.  L2TP/IPsec and IPsec can be configured to use certs.

    Instead of asking users to log in to the User Portal, you can load/update users automatically.  Here's what I have set up on the 'Advanced' tab of 'Authentication Services'.

    You can bulk download the remote access configurations by checking the box beside the names you want to have remote access and clicking on the drop-down beside 'Action' at the top of the list.  This is extra work for the administrator, but it eliminates having folks learn to use the User Portal.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA