cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3291
Views
0
Helpful
3
Replies

Sophos UTM - Active Directory

Les1
Level 1
Level 1

Hello,

First time posting here :). I am having some difficulty getting Sophos UTM working with my local Active Directory domain. I have followed the instructions available on the Duo site and I can authenticate with my Duo proxy which is configured with ‘[radius_server_auto]’ and which returns ‘server test passed’. I also have a ‘[cloud]’ section in the config file which allowed for AD Sync on the Duo website (this also works fine). If I however try to do a test authentication with an AD account through the Sophos UTM and select ‘ssl’ as ‘nas’ identifier, the following event is thrown ‘Radius authentication failed’ and ‘No groups have been found for this user’. What am I missing here?

Example of [ad_client]
[ad_client]
host=192.168.1.1
service_account_username=name
service_account_password=password
search_dn=CN=Users,DC=corp,DC=domain,DC=com
security_group_dn=CN=VPNUsers,CN=Users,CN=corp,CN=domain,CN=com

Any help you can offer up would be much appreciated :).

Les

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
Cisco Employee

A quick thought is to try it without the security_group_dn specified.

Second thought - are you assigning access profiles based on LDAP group membership? RADIUS using ad_client won’t be able to return groups info from AD to your UTM.

If that’s the case, please contact Duo Support for 1:1 assistance.

Duo, not DUO.

View solution in original post

3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

A quick thought is to try it without the security_group_dn specified.

Second thought - are you assigning access profiles based on LDAP group membership? RADIUS using ad_client won’t be able to return groups info from AD to your UTM.

If that’s the case, please contact Duo Support for 1:1 assistance.

Duo, not DUO.

Jeremy_Kennedy
Level 1
Level 1

what was the actual solution? I have the same issue

Are you also assigning access profiles based on LDAP group membership? It’s still the case that this can’t be passed through the Duo Authentication Proxy in an ad_client + radius_server_nnn configuration.

To elaborate further on solutions for this, one could either switch to an all LDAP config with ad_client+ldap_server_auto for getting a user’s group memberships, or an all RADIUS config with radius_client and radius_server_nnn with NPS used as the primary RADIUS auth server and configuring it to pass through group information from AD as a RADIUS attribute. This article mentions passing group info to FortiGate devices but the gist would apply to your Sophos device as well.

Duo, not DUO.
Quick Links