Sophos Xg 2fa



Inspiration for this post, was taken from: https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/

Some of the things that I’ve seen at work, is that Sophos XG VPN users are using one token for Sophos SSLVPN and another for ex. Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using, can do the “pop-up”, letting the user easy sign-in, like this:

Implementation of 2FA for domain level user authentication. Need a detail training session when purchasing it. Read full review. It is a good and pleasant experience to use Sophos XG firewall and it offers more then what we expect and the price is ok in the current market level. Read full review. Dec 02, 2019 Virtually every Sophos product comes with this option (Sophos UTM, Sophos Central, Sophos XG Firewall and others). For example, Sophos Central 2FA can be done via SMS or a 2FA application, which allows for switching to our Slim NFC hardware token. And thus upping the Sophos 2FA security level to the highest. XG can do a authentication against a Radius OR a AD Server. So you get a username+password and XG and XG can forward this to a Radius OR AD to check, if this is a valid request. If you use AD Server, there is no Integration of DUO what soever. DUO and other systems offer a radius server. If you setup a radius authentication, XG will create a.

Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution 🙂

Authentication

Here is the auth flow for Azure MFA with NPS Extension:

Nice isn’t it 😉

So how to fix?

We setup Sophos XG for RADIUS validation for SSLVPN and UserPortal access, and if you use the built-in OTP solution, disable that 🙂

To get started:

  • If you do not have MFA enabled for your Office 365/Azure AD account’s you can enable it through following link: https://aka.ms/mfasetup
  • And of course you need to have set Azure AD Connect to get your on-premise talking with Azure, I will not go into the details with this here, as I assume this is already setup and working 🙂

Let’s go:

  1. Install the Network Policy Server (NPS) role on your member server or domain controller. Refering to the Network Policy Server Best Practices, then you will find this “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we will go ahead and place this on the domain controller, but remember it’s also possible to do it on a domain joined member server!
  2. Press “Next” and the installation begins:

  3. After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):
  4. Download and install the NPS Extension for Azure MFA here:
    https://www.microsoft.com/en-us/download/details.aspx?id=54688
    Note: As i did try this on a server with already setup NPS, it failed with the other mechanisms, because of this:
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa

    Control RADIUS clients that require MFA

    Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.

    Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension.”

    So the “workround” is to run the MFA for the Sophos on a seprate NPS instance 🙂

  5. After it’s installed, go and follow the configure is like it’s stated here (Find TenantID and run Powershell script):
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
  6. Go and configure your radius Client, here it’s the XG:

    Remember the secret, we need it later on 🙂

  7. Create a “Connection request policy”:


    Type here the IP of the XG

    Just set like above, and the rest of the settings, just leave them to their defaults 🙂

  8. Now create a “Network Policy”

    Add a domain group, that shall have this access, to simplify, here I have choose domainDomain Users
    Now the EAP types, XG does only support PAP, as far as I have tested:


    You will get a warning telling you that you have choosen unencrypted auth (locally – not on the Internet!), just press OK.
    Just left the rest to their default’s and save the policy.

  9. Now to create a firewall rule:
  10. Now to setup the XG for this:

    Press ADD:

    Remember to choose RADIUS:

    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS, also remember to change the timeout from 3 to 15 secs!

    You can now test is the authentication through NPS and Azure MFA is working, change Group name attribute to “SF_AUTH”

    Press the TEST CONNECTION butoon:

    type in a users username (e.mail adress) and password, and your phone should pop-up with Microsoft Authenticator 🙂

    You should see this soon after you accept the token:

  11. Now head over to the Authentication –> Services section:

    Add the new RADIUS server to:
    – User portal authentication methods
    – SSL VPN authentication methods

    Also make sure that the group your AD / RADIUS users are in, is added to the SSLVPN profile:

  12. Now login to the User Portal and download a VPN client (You cannot use the old ones, if you already had thoose installed)
  13. Now connect through VPN, type in your full email in username and your password, then wait for MS Authenticator to pop-up, accept the token and you are logged into VPN 🙂
2fa

Sources:

Sophos Xg Duo 2fa

Related Posts

2fa

Secure access to Sophos Firewall XG RADIUS with SAASPASS multi-factor authentication (MFA) and secure single sign-on (SSO) and integrate it with SAML in no time and with no coding. Log into yourSophos Firewall XG RADIUS services securely without ever having to remember passwords on both your computer and mobile with SAASPASS Instant Login (Proximity, Scan Barcode, On-Device Login and Remote Login).

Sophos Xg 2fa Software

You can enable Sophos Firewall XG RADIUS login with SAASPASS secure single sign-on (SSO) and provide your users the ability to login toSophos Firewall XG RADIUS and other SAASPASS integrated apps, all at once.

Enable Sophos Firewall XG RADIUS login with SAASPASS secure single sign-on (SSO) and allow users to login to Sophos Firewall XG RADIUS and other SAASPASS integrated apps, all at once.

Sophos Xg 2fa Admin

Two-step verification and secure single sign-on with SAASPASS will help keep your firm’s Sophos Firewall XG RADIUS access secure.

Provide the easiest to use and most convenient secure access toSophos Firewall XG RADIUS with SAASPASS two-factor authentication and single sign-on (SSO) with SAML integration. Integration requires no coding and takes a matter of minutes. Log into yourSophos Firewall XG RADIUS securely without remembering passwords on both your computer and mobile with SAASPASS Instant Login (Proximity, Scan Barcode, On-Device Login and Remote Login).

Sophos Utm 2fa Vpn

Sophos Xg 2fa

You can integrate SAASPASS with Active Directory. SAASPASS supports SAML and RESTful APIs as well.

Sophos Xg Firewall

The SAASPASS app works on nearly every device on the market today: Android phones, Android tablets, iPhones, iPads, Blackberrys and Java ME feature phones.

Enable Sophos Firewall XG RADIUS login with SAASPASS secure single sign-on (SSO) and allow your users to login to Sophos Firewall XG RADIUSand other SAASPASS integrated applications, all at once.

Sophos Xg 2fa Download

Secure single sign-on (SSO) and two-step verification with SAASPASS will help keep your firm’s Sophos Firewall XG RADIUS secure.





Comments are closed.