We were testing DUO MFA with LDAP authentication to our Active Directory using the Sophos SSL-VPN. Ran into the "timeout" problem and created a Radius login and server to fix this. Now we are seeing:
1. Initial validation appears to work,
2. DUO MFA request is sent to the phone for authentication.
3. Once returned, the authorization fails at final login.
I'm wondering if this is because something changed in the way groups are handled?
All users are members of our AD Group "VPN Users".
What's the missing link?
I wrote a big write-up on using DUO with Sophos when MR-3 was the release version - https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa
Although MR-4 added support for UPNs, it still doesn't support AD Groups when using XG RADIUS, with DUO Radius Server and LDAP client. Still the only way to get group support is the method I outlined 'XG AD Server, DUO LDAP client and server' but it has the significant problem that the timeout is five seconds and that can't be changed.