https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881610#M754 <DIV class="duo-migrated-content"><P><CODE>radius_ip_1</CODE> would be the IP address of the device sending an authentication request to the Duo proxy, so it would be the XG’s IP, and <CODE>radius_secret_1</CODE> would be the secret shared with the XG in all RADIUS configurations.</P></DIV> Fri, 09 Apr 2021 12:26:54 GMT DuoKristina 2021-04-09T12:26:54Z https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881607#M751 <DIV class="duo-migrated-content"><P>hello everyone , i would like to know if it is possible to implement Duo authentication proxy to authenticate with local user database in sophos xg appliance instead active directory and radius server.</P> <P>regards,<BR /> ernof</P></DIV> Thu, 08 Apr 2021 11:41:46 GMT https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881607#M751 er_nof 2021-04-08T11:41:46Z https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881608#M752 <DIV class="duo-migrated-content"><P>No, there is no way to point the Duo Authentication Proxy to your local Sophos XG user database for primary authentication.</P> <P>What is possible though, if the Sophos XG supports chained authenticators (so you could have separate primary and secondary authentication, and success for the first is required before it will move on to the second), is to point primary authentication to your local database and then add the Duo proxy as a RADIUS server for secondary authentication only with <A href="https://duo.com/docs/authproxy-reference#radius-duo-only">the <CODE>[radius_server_duo_only]</CODE> configuration</A>. In this configuration the Duo proxy only performs 2FA.</P> <P>It isn’t clear if the XG can support this though. Looking <A href="https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/AuthenticationServices.html">here</A> it says “When more than one server is selected, the authentication request is forwarded in the order indicated.” which could mean it isn’t chaining authentication servers, but that it will try the servers until one works, and then stop. Verify the authentication server capabilities of the XG with Sophos.</P></DIV> Thu, 08 Apr 2021 14:08:54 GMT https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881608#M752 DuoKristina 2021-04-08T14:08:54Z https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881609#M753 <DIV class="duo-migrated-content"><P>Hi DuoKristina,</P> <P>Thank you for the confirmation and i will check if my customer’s sophos xg support chained authenticator or not. Fyi, my customer need duo to add authentication for sslvpn access</P> <P>Under radius_server_duo_only configuration, i still confused what value should i input at radius_ip_1 and radius_secret_1. For radius_ip_1, is it correct if I put the ip address of the user who is allowed sslvpn access?</P></DIV> Fri, 09 Apr 2021 11:58:55 GMT https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881609#M753 er_nof 2021-04-09T11:58:55Z https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881610#M754 <DIV class="duo-migrated-content"><P><CODE>radius_ip_1</CODE> would be the IP address of the device sending an authentication request to the Duo proxy, so it would be the XG’s IP, and <CODE>radius_secret_1</CODE> would be the secret shared with the XG in all RADIUS configurations.</P></DIV> Fri, 09 Apr 2021 12:26:54 GMT https://community.cisco.com/t5/managing-users/duo-authentication-with-local-user-database-sophos-xg/m-p/4881610#M754 DuoKristina 2021-04-09T12:26:54Z