This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BYOD - SSO RADIUS Possible?

I've looked at this support article: How to use RADIUS Authentication: Astaro Security Gateway/Sophos UTM

My understanding is that is just for getting back end user memberships and would not authenticate client side.

What we want to do is have our BYOD network clients authenticate with our UTM via their already typed in RADIUS credentials. This may not even be possible (i.e. not very familiar with RADIUS), or it may not be possible with version 9.208 (thus requiring a feature).

Currently we use the browser auth but this is not ideal. Thoughts? Obviously a key factor is that our users don't have to install anything, join the domain, or enter too many settings. The only other solution I can see is having them manually specify proxy settings with a username/password.

This thread was automatically locked due to age.

Parents

0 BAlfson over 8 years ago

It's not possible to do SSO with RADIUS. Do you have Active Directory?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 8 years ago

It's not possible to do SSO with RADIUS. Do you have Active Directory?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 brendan.daniel over 8 years ago in reply to BAlfson

Yes, the Radius server is authentication to AD. The users have AD credentials but the machines are not members of my domain as they are BYOD personal machines.
Cancel
Vote Up 0 Vote Down

Cancel
0 envercpt over 6 years ago in reply to brendan.daniel

Did you ever get this to work?
Cancel
Vote Up 0 Vote Down

Cancel
0 Louis-M over 6 years ago in reply to envercpt

We have a setup similar to this.

Corporate & Guest using Cisco Routers/switches etc & Ubiquiti UAP Pro's. Our corporate devices using machine authentication. Our guests use user authentication. Both from AD. This allows our users to use the same password as they use to logon to the network so they only need to remember one password.

Their devices are isolated via vlans and ACL's. Only corporate devices can get onto the corporate network due to machine authenticaton. So even though the user knows the password to authenticate on the corporate network, they can't get on unless we have specifically allowed the pc, laptop on.

You need two profiles on the radius server CORP (machine authentication) & GUEST (user authenication) with machines/users placed in the various profiles/groups.
CORP profile is 1st in list as users will drop straight through this to GUEST profile
Cancel
Vote Up 0 Vote Down

Cancel
0 brendan.daniel over 6 years ago in reply to envercpt

It works with Cloudpath ES & Ruckus AP's forwarding accounting info on to our XG firewall. Never ended up being supported on UTM as far as I know.
Cancel
Vote Up 0 Vote Down

Cancel
0 envercpt over 6 years ago in reply to brendan.daniel

This article helped:

community.sophos.com/.../131580

On the Ruckus ZoneDirector WLC you need to enable accounting on a per-WLAN basis which is not enabled by default.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to envercpt

Guys, this is the UTM Community. That this is possible with Cyberoam/XG is interesting though.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel