SOPHOS UTM: Use Azure MFA for SSLVPN and Userportal

Something I’ve seen at work is that Sophos UTM VPN users use one token for Sophos SSLVPN and another for e.g. Office 365 services. Both tokens can live in Microsoft Authenticator, but only the one Office 365 uses can do the “pop-up” that lets the user sign in easily, like this:


Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution 🙂

Here is the auth flow for Azure MFA with NPS Extension:

Nice isn’t it 😉

So how to fix?

We set up Sophos UTM to validate SSLVPN and UserPortal logins via RADIUS, and if you use the built-in OTP solution, disable it 🙂

To get started:

  • If you do not have MFA enabled for your Office 365/Azure AD accounts, you can enable it through the following link: https://aka.ms/mfasetup
  • And of course you need to have set up Azure AD Connect so your on-premise AD talks to Azure. I will not go into the details here, as I assume this is already set up and working 🙂

Let’s go:

  1. Install the Network Policy Server (NPS) role on your member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we will go ahead and place it on the domain controller, but remember it’s also possible to do it on a domain-joined member server!
    Press “Next” and the installation begins:
  2. After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):

  3. Download and install the NPS Extension for Azure MFA here:
    https://www.microsoft.com/en-us/download/details.aspx?id=54688
    After it’s installed, go and follow the configuration steps as stated here (find the Tenant ID and run the PowerShell script):
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
  4. Go and configure your RADIUS client, here it’s the UTM:


    Remember the secret, we need it later on 🙂

  5. Create a “Connection request policy”:

    See above the NAS Identifier, it’s “ssl”, it’s taken from this scheme:


    Found here: https://community.sophos.com/kb/en-us/116144

    Just set like above, and the rest of the settings, just leave them to their defaults 🙂

  6. Now create a “Network Policy”
    Add a domain group that shall have this access; to keep it simple, here I have chosen domain\Domain Users.
    Now the EAP types: the UTM only supports PAP, as far as I have tested:


    You will get a warning telling you that you have chosen unencrypted auth (locally – not on the Internet!), just press OK.
    Just leave the rest at their defaults and save the policy.

  7. Now to create a firewall rule:

  8. Now to setup the UTM for this:

    Add new Authentication server:

    Remember to choose RADIUS:


    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS, also remember to change the timeout from 3 to 15 secs!

    You can now test if the authentication through NPS and Azure MFA is working: change NAS-Identifier to “ssl”, type in a user’s username (e-mail address) and password, and your phone should pop up with Microsoft Authenticator 🙂

  9. Now to grant the RADIUS users access to SSL-VPN

    Just add the built-in object “Radius Users” to your SSL-VPN profile:

  10. Now log in to the User Portal and download a VPN client (you cannot use the old ones, if you already had those installed).
  11. Now connect through VPN, type your full email as username and your password, then wait for MS Authenticator to pop up, accept the token and you are logged into VPN 🙂
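When the test in step 8 fails, it helps to reproduce the exact RADIUS exchange the UTM sends without the UTM in between. The script below is an added example, not part of the original post or any Sophos/Microsoft tooling: it builds an Access-Request with User-Name, a PAP User-Password (RFC 2865 section 5.2) and NAS-Identifier “ssl” (the value the connection request policy matches on), sends it to NPS on UDP 1812 with the same 15 second timeout the walkthrough configures on the UTM, and checks the Response Authenticator so a shared-secret mismatch is visible. Server address, secret and user are placeholders you replace with your own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types (RFC 2865)
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(username, password, secret, nas_id=b"ssl", ident=1, authenticator=None):
    """Access-Request carrying User-Name, PAP User-Password and NAS-Identifier, as the UTM sends it."""
    authenticator = authenticator or os.urandom(16)  # random Request Authenticator
    attrs = b""
    for attr_type, value in ((USER_NAME, username), (USER_PASSWORD, pap_encrypt(password, secret, authenticator)), (NAS_IDENTIFIER, nas_id)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(response, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return len(response) >= 20 and hmac.compare_digest(response[4:20], expected)

def send_access_request(server, secret, username, password, timeout=15.0):
    """One test login; 15 s mirrors the timeout the walkthrough raises on the UTM (from 3 s)."""
    packet = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply within %.0f s" % timeout
    if not verify_response(response, packet[4:20], secret):
        return "reply failed Response Authenticator check (shared secret mismatch?)"
    return CODE_NAMES.get(response[0], "code %d" % response[0])

if __name__ == "__main__":
    # Placeholder values: replace with your NPS address, RADIUS secret and a test user.
    print(send_access_request("nps.example.local", b"example-secret", b"user@example.com", b"password"))
```

Run it from a host that is listed as a RADIUS client on the NPS; the UTM’s own IP must be the registered client for the real test, so this only checks NPS, the extension and the secret, not the UTM object.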

Sources:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

7 Comments

  1. Thorsten Sult

    Great job, thank you very much.

    Reply
    1. Martin (Post author)

      Thanks Thorsten 🙂

      Reply
  2. John Stelman

    This is great but got stuck on error when testing from UTM. I have timeout set to 15 seconds, and tried 30 seconds too. Google hasn’t been much help – “failed to recv packet from radius server: timed out waiting for packet” – any pointers appreciated. thx!

    Reply
    1. Martin (Post author)

      Hi, thanks for your reply 🙂
      As the error states, the RADIUS server does not respond, so check:
      1) Firewall rules on the radius server
      2) Have you set up the correct radius secret and correct UTM IP on the radius server? 🙂

      Reply
      1. John Stelman

        Yes, I have everything set but get this in Event Viewer->Security Events:
        Network Policy Server discarded the request for a user.

        Contact the Network Policy Server administrator for more information.

        User:
        Security ID: AD\testaccount
        Account Name: testaccount@{mydomain}.com
        Account Domain: AD
        Fully Qualified Account Name: ad.{mydomain}.com/{myAD}/Users/Test Account

        Client Machine:
        Security ID: NULL SID
        Account Name: –
        Fully Qualified Account Name: –
        Called Station Identifier: –
        Calling Station Identifier: –

        NAS:
        NAS IPv4 Address: –
        NAS IPv6 Address: –
        NAS Identifier: ssl
        NAS Port-Type: –
        NAS Port: –

        RADIUS Client:
        Client Friendly Name: Sophos UTM
        Client IP Address: 10.0.0.1

        Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name: Sophos UTM Network Policy
        Authentication Provider: Windows
        Authentication Server: OS-DC-01.ad.{mydomain}.com
        Authentication Type: PAP
        EAP Type: –
        Account Session Identifier: –
        Reason Code: 9
        Reason: The request was discarded by a third-party extension DLL file.

        Reply
  3. John Stelman

    After posting I noticed the connection policy being used. I have two policies. I disabled the ‘use windows authentication for all users’ policy and now the event log just has a blank value instead of my enabled ‘Sophos UTM Policy’, and the Reason code has changed to 21 with “An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”

    Reply
  4. John Stelman

    I figured this out. I had to add users to the Azure Multi-Factor Authentication app in Azure AD Enterprise apps. It had no members by default.

    Reply
