
BYOD - SSO RADIUS Possible?

I've looked at this support article: How to use RADIUS Authentication: Astaro Security Gateway/Sophos UTM

My understanding is that is just for getting back end user memberships and would not authenticate client side.

What we want to do is have our BYOD network clients authenticate with our UTM via their already typed in RADIUS credentials. This may not even be possible (i.e. not very familiar with RADIUS), or it may not be possible with version 9.208 (thus requiring a feature).

Currently we use the browser auth but this is not ideal. Thoughts? Obviously a key factor is that our users don't have to install anything, join the domain, or enter too many settings. The only other solution I can see is having them manually specify proxy settings with a username/password.


  • Hey all,

    Sorry to drag up the old thread again but it seems we have a development on this. 9.4 contains STAS which, from what I understand, helps with SSO. However, it mentions that this is only for domain joined machines.

    Does anyone know if this will help with the authentication of BYOD (Guest) clients in our network?

    Brendan

  • STAS will only work for clients that are members of an Active Directory domain, because the service is tightly integrated with the domain controller security log for reading logon/logoff events.

  • What about if the BYOD clients are authenticating via RADIUS against the domain controllers?

  • Has anyone tried STAS for users authenticating via RADIUS?

  • I'm trying to achieve the same thing.  Did you ever get anywhere with this?

  • I have asked Sophos Support and they ignored the question and moved on to closing the job. I also had a direct email conversation with the Aus support manager about a few things. I asked him directly if this was able to achieve authentication for BYOD users via RADIUS and he didn't reply to that email; I never heard back from him...

    Other firewall providers have been doing this for quite some time. Meru (our wireless provider) couldn't believe Sophos don't do this already. Lucky our firewalls are up for renewal, a chance to look at the competition...

  • It's not possible to do SSO with RADIUS.  Do you have Active Directory?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, the RADIUS server is authenticating to AD. The users have AD credentials but the machines are not members of my domain as they are BYOD personal machines.

  • Did you ever get this to work? 

  • We have a setup similar to this.

    Corporate & Guest using Cisco routers/switches etc. & Ubiquiti UAP Pros. Our corporate devices use machine authentication. Our guests use user authentication. Both from AD. This allows our users to use the same password as they use to log on to the network so they only need to remember one password.

    Their devices are isolated via VLANs and ACLs. Only corporate devices can get onto the corporate network due to machine authentication. So even though the user knows the password to authenticate on the corporate network, they can't get on unless we have specifically allowed the PC or laptop on.

    You need two profiles on the RADIUS server, CORP (machine authentication) & GUEST (user authentication), with machines/users placed in the various profiles/groups.
    CORP profile is 1st in the list, as users will drop straight through this to the GUEST profile.
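
The ordered two-profile evaluation described in the post above, as an added sketch that is not part of the thread or any vendor's configuration. Group members, VLAN IDs and identities are constructed sample data; the `host/` prefix for machine identities and RFC 3580 tunnel attributes for VLAN assignment are assumptions about how the RADIUS server and switches are set up.

```python
# Added illustration: first-match RADIUS policy evaluation with a CORP
# (machine auth) profile placed ahead of a GUEST (user auth) profile.
# All group members and VLAN IDs below are constructed sample data.

CORP_COMPUTERS = {"host/lt-0142.corp.example", "host/pc-0007.corp.example"}
GUEST_USERS = {"alice", "bob"}  # AD users permitted on the guest network

def vlan_attrs(vlan_id):
    """RFC 3580 reply attributes that tell the switch/AP which VLAN to use."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

def is_machine(ident):
    # Assumption: machine authentication presents a "host/<fqdn>" identity.
    return ident.startswith("host/")

# Ordered list of (profile, condition, VLAN). CORP is evaluated first;
# user identities never satisfy it, so they drop through to GUEST.
POLICIES = [
    ("CORP", lambda i: is_machine(i) and i in CORP_COMPUTERS, 10),
    ("GUEST", lambda i: not is_machine(i) and i in GUEST_USERS, 99),
]

def authorize(identity):
    """Return (decision, profile, reply_attrs) for an authenticated identity."""
    ident = identity.strip().lower()
    for profile, matches, vlan in POLICIES:
        if matches(ident):
            return ("Access-Accept", profile, vlan_attrs(vlan))
    # Nothing matched: unlisted machines and unlisted users are rejected.
    return ("Access-Reject", None, {})

if __name__ == "__main__":
    for who in ("host/LT-0142.corp.example",   # enrolled corporate laptop
                "alice",                        # AD user on a personal device
                "host/personal-laptop.lan",     # machine not in the CORP group
                "mallory"):                     # user not in the GUEST group
        decision, profile, attrs = authorize(who)
        print(f"{who:28} {decision:14} {profile} "
              f"{attrs.get('Tunnel-Private-Group-ID')}")
```

A user's AD password alone never yields the CORP VLAN here, because the CORP condition only matches machine identities that are explicitly listed.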