Converting from LDAP to Radius Authentication for DUO MFA with Sophos SSL-VPN

I wrote a big write-up on using DUO with Sophos when MR-3 was the release version - https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

Although MR-4 added support for UPNs, it still doesn't support AD Groups when using XG RADIUS, with DUO Radius Server and LDAP client. Still the only way to get group support is the method I outlined 'XG AD Server, DUO LDAP client and server' but it has the significant problem that the timeout is five seconds and that can't be changed.

I wrote a big write-up on using DUO with Sophos when MR-3 was the release version - https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

Although MR-4 added support for UPNs, it still doesn't support AD Groups when using XG RADIUS, with DUO Radius Server and LDAP client. Still the only way to get group support is the method I outlined 'XG AD Server, DUO LDAP client and server' but it has the significant problem that the timeout is five seconds and that can't be changed.

Hi....JasP....yes your "3-ways... article" was really helpful, and we originally had switched to what I believe was your preferred option; using the DUO RADIUS server configuration with an ad_client section for authentication. This appeared to work fine as far as the DUO MFA,  but then when DUO returned the authorization it appeared that there was change in the username and/or domain from the original  username.  This was finally resolved by making a change to the domain name parameter in our Radius Config on the XG.  It now appears to work as expected, and tests with a half-dozen users so far suggest that it is solid. We're in the process of rolling out to additional users and will see how it performs under load. Many thanks for all your help.   

I'm glad you found it useful and thanks for the feedback. It was a fair bit of work so its always good to hear that someone found it helpful.