11-16-2018 04:56 AM
Hello,
First time posting here :). I am having some difficulty getting Sophos UTM working with my local Active Directory domain. I have followed the instructions available on the Duo site and I can authenticate with my Duo proxy which is configured with ‘[radius_server_auto]’ and which returns ‘server test passed’. I also have a ‘[cloud]’ section in the config file which allowed for AD Sync on the Duo website (this also works fine). If I however try to do a test authentication with an AD account through the Sophos UTM and select ‘ssl’ as ‘nas’ identifier, the following event is thrown ‘Radius authentication failed’ and ‘No groups have been found for this user’. What am I missing here?
Example of [ad_client]:
[ad_client]
host=192.168.1.1
service_account_username=name
service_account_password=password
search_dn=CN=Users,DC=corp,DC=domain,DC=com
; domain components of the group DN use DC=, matching search_dn above
security_group_dn=CN=VPNUsers,CN=Users,DC=corp,DC=domain,DC=com
Any help you can offer up would be much appreciated :).
Les
11-16-2018 02:32 PM
A quick thought is to try it without the security_group_dn specified.
Second thought - are you assigning access profiles based on LDAP group membership? RADIUS using ad_client won’t be able to return groups info from AD to your UTM.
If that’s the case, please contact Duo Support for 1:1 assistance.
08-30-2022 08:57 AM
What was the actual solution? I have the same issue.
08-31-2022 03:13 PM
Are you also assigning access profiles based on LDAP group membership? It’s still the case that this can’t be passed through the Duo Authentication Proxy in an ad_client + radius_server_nnn configuration.
To elaborate further on solutions for this, one could either switch to an all-LDAP config with ad_client + ldap_server_auto for getting a user’s group memberships, or an all-RADIUS config with radius_client and radius_server_nnn, with NPS used as the primary RADIUS auth server and configuring it to pass through group information from AD as a RADIUS attribute. This article mentions passing group info to FortiGate devices but the gist would apply to your Sophos device as well.
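As an added illustration of the two layouts named in the reply above (a constructed authproxy.cfg sketch written for this thread, not from the poster, Duo or Sophos), the all-LDAP and all-RADIUS variants side by side. Hosts, keys, secrets and DNs are placeholders; the two variants are alternatives and would normally live in separate deployments, and the pass_through_all setting is included from memory of the proxy documentation, so verify it against the version you run.

```ini
; ----- Variant A: all LDAP -----
; The UTM binds to the proxy over LDAP, the proxy binds to AD, and the
; user's group attributes come back in the LDAP search result, so the
; UTM can still assign access profiles by group membership.
[ad_client]
; placeholder domain controller and bind account
host=192.168.1.1
service_account_username=svc_duo_proxy
service_account_password=REPLACE_WITH_BIND_PASSWORD
search_dn=CN=Users,DC=corp,DC=domain,DC=com

[ldap_server_auto]
; placeholder Duo integration values
ikey=DIXXXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
failmode=safe

; ----- Variant B: all RADIUS -----
; NPS is the primary RADIUS server; it authenticates against AD and
; adds the group information as a RADIUS attribute. The proxy forwards
; that reply to the UTM instead of reading AD directly.
[radius_client]
; placeholder NPS server and its shared secret
host=192.168.1.2
secret=REPLACE_WITH_NPS_SHARED_SECRET

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
; placeholder UTM address and the secret configured on the UTM side
radius_ip_1=192.168.1.254
radius_secret_1=REPLACE_WITH_UTM_SHARED_SECRET
port=1812
failmode=safe
; copy attributes returned by NPS (e.g. the group attribute) into the
; reply sent to the UTM; check this option name against your proxy docs
pass_through_all=true
```

The point that separates the two from the original ad_client + radius_server_auto setup is where the group lookup happens: in Variant A the proxy returns it inside the LDAP response, in Variant B NPS supplies it as a RADIUS attribute that the proxy relays. In either case, keep failmode=safe only if an unreachable Duo service should fall back to primary authentication alone; set it to secure where that fallback is not acceptable.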