We were testing DUO MFA with LDAP authentication to our Active Directory using the Sophos SSL-VPN. Ran into the "timeout" problem and created a Radius login and server to fix this. Now we are seeing:
1. Initial validation appears to work,
2. DUO MFA request is sent to the phone for authentication.
3. Once returned, the authorization fails at final login.
I'm wondering if this is because of something changed in the way groups are handled?
All users are members of our AD Group "VPN Users".
What's the missing link?
I wrote a big write-up on using DUO with Sophos when MR-3 was the release version - https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa
Did you use MR4 and do you have in Radius the Domain of your UPN included?
We have MR4. Have been attempting both SAM and UPN user names. When I "test connection" it appears to be fine.
You need to specify in XG under Server - Radius Server the UPN (Domain) for Radius. This is required to not generate an extra user, instead using the old AD user (username+UPN).
Hi LuCar Toni, many thanks for your note. Yes, we've specified that: in the Radius server setup under "Domain name" we have our AD domain. One thing I was wondering is whether the Radius server name needs to be something specific. Is that what you are referring to? For the Server IP we have our authproxy server. This is set using the ad_client in the [radius_server_auto] of the authproxy.cfg file.
Although MR-4 added support for UPNs, it still doesn't support AD Groups when using XG RADIUS, with DUO Radius Server and LDAP client. Still the only way to get group support is the method I outlined 'XG AD Server, DUO LDAP client and server' but it has the significant problem that the timeout is five seconds and that can't be changed.
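As an added example (not from any poster in this thread, and not the original poster's actual file), here is how the authproxy.cfg sections mentioned above fit together for the XG RADIUS client -> Duo RADIUS server -> AD LDAP client setup, with the group check done on the proxy side since XG itself does not see AD groups over RADIUS. All hostnames, DNs, IPs, keys and secrets are placeholders.

```ini
; Duo Authentication Proxy configuration (added example, placeholder values only).
; Flow: XG (RADIUS client) -> [radius_server_auto] -> Duo push -> [ad_client] -> AD.

[ad_client]
; Placeholder domain controller and service account.
host=dc1.example.local
service_account_username=svc-duo
service_account_password=REPLACE_ME
search_dn=DC=example,DC=local
; Restrict primary authentication to one AD group on the proxy itself.
; XG still gets no group membership back through RADIUS; the proxy simply
; rejects users outside this group, so the Duo push is never sent for them.
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=local

[radius_server_auto]
; Placeholder Duo application keys and API hostname.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
; The XG firewall is the RADIUS client. Its IP and the shared secret must
; match what is entered under Server - Radius Server in XG.
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_ME
; Primary auth is delegated to the [ad_client] section above.
client=ad_client
port=1812
; "secure" rejects logins if Duo cloud is unreachable; "safe" allows them.
failmode=secure
```

With this layout the proxy enforces the "VPN Users" group, but XG only ever learns that the RADIUS Access-Accept arrived, so any XG-side group-based policy still cannot key off AD membership.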