Inspiration for this post, was taken from: https://rieskaniemi.com/azure-mfa-with-sophos-xg-firewall/
Some of the things that I’ve seen at work, is that Sophos XG VPN users are using one token for Sophos SSLVPN and another for ex. Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using, can do the “pop-up”, letting the user easy sign-in, like this:
Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution π
Here is the auth flow for Azure MFA with NPS Extension:
Nice isn’t it π
So how to fix?
We setup Sophos XG for RADIUS validation for SSLVPN and UserPortal access, and if you use the built-in OTP solution, disable that π
To get started:
- If you do not have MFA enabled for your Office 365/Azure AD account’s you can enable it through following link: https://aka.ms/mfasetup
- And of course you need to have set Azure AD Connect to get your on-premise talking with Azure, I will not go into the details with this here, as I assume this is already setup and working π
Let’s go:
- Install the Network Policy Server (NPS) role on your member server or domain controller. Refering to the Network Policy Server Best Practices, then you will find this “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we will go ahead and place this on the domain controller, but remember it’s also possible to do it on a domain joined member server!
-
Press “Next” and the installation begins:
- After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):
- Download and install the NPS Extension for Azure MFA here:
https://www.microsoft.com/en-us/download/details.aspx?id=54688
Note: As i did try this on a server with already setup NPS, it failed with the other mechanisms, because of this:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa”Control RADIUS clients that require MFA
Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.
Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension.”
So the “workround” is to run the MFA for the Sophos on a seprate NPS instance π
- After it’s installed, go and follow the configure is like it’s stated here (Find TenantID and run Powershell script):
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory - Go and configure your radius Client, here it’s the XG:
Remember the secret, we need it later on π
- Create a “Connection request policy”:
Type here the IP of the XGJust set like above, and the rest of the settings, just leave them to their defaults π
- Now create a “Network Policy”
Add a domain group, that shall have this access, to simplify, here I have choose domain\Domain Users
Now the EAP types, XG does only support PAP, as far as I have tested:
You will get a warning telling you that you have choosen unencrypted auth (locally – not on the Internet!), just press OK.
Just left the rest to their default’s and save the policy. - Now to create a firewall rule:
- Now to setup the XG for this:
Press ADD:
Remember to choose RADIUS:
Fill in as your environment matches:
Type in the secret you wrote down earlier and create a host object for your NPS, also remember to change the timeout from 3 to 15 secs!
You can now test is the authentication through NPS and Azure MFA is working, change Group name attribute to “SF_AUTH”
Press the TEST CONNECTION butoon:
type in a users username (e.mail adress) and password, and your phone should pop-up with Microsoft Authenticator π
You should see this soon after you accept the token:
- Now head over to the Authentication –> Services section:
Add the new RADIUS server to:
– User portal authentication methods
– SSL VPN authentication methods
Also make sure that the group your AD / RADIUS users are in, is added to the SSLVPN profile:
- Now login to the User Portal and download a VPN client (You cannot use the old ones, if you already had thoose installed)
- Now connect through VPN, type in your full email in username and your password, then wait for MS Authenticator to pop-up, accept the token and you are logged into VPN π
UPDATE: 20/11-2023
Due to recent changes in the module and Entra, you will need to add this in the registry of the NPS server:
- On the NPS Server, open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
- Create the following String/Value pair:
- Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
- Value = FALSE
- Restart the NPS Service.
Sources:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices
https://community.sophos.com/kb/en-us/127328
Thanks so much for the guide. It’s very useful and everything is working.
However, login to the user portal doesn’t work.
Also as users don’t usually have admin rights to install software, is it possible to deploy remotely the client and its settings?
many thanks
Hi,
You may look into which users have rights for the userportal, tryk with ANY to get started, I think you have other groups than ad / radius maybe? π
You can deploy via GPO, you can use the Sophos Connect VPN vcleint if you are on the way to SFOS? π
https://martinsblog.dk/sophos-connect-migration-script-from-utm-sslvpn/
Regards Martin
Hi. nice howto and very appreciated ! however, im stuck at testing connection when adding server in XG. I get error on the NPS, stating : an extension DLL rejected the connection request. I would have 1st testing the connection before installing the MFA ext, unsucessful, nps was saying there was mismatch or non existing user.
What exactly is the SF_Auth attribute ? how could have test the same setup without MFA enable ?
Got it from here:
https://support.sophos.com/support/s/article/KB-000036916?language=en_US
Add the Filter-Id attribute value needed to meet your network security requirements. In this example, the Filter-Id value is set to SF_AUTH which is used in Group Name Attribute when adding an external RADIUS server in Sophos Firewall.
Any help? π
Hi Martin,
thank you for the tutorial. In my test environment I implemented it and it looks good up to the step that it sends me the request to the smartphone. Unfortunately I can’t use the latest Sophos Connect VPN client with it. With the old Sophos VPN client the request comes and often you have to do the login twice until the connection is established. Remedy is then in the Config file to set the value “route-delay” from 4 to 2 down. Nothing helps with Sophos Connect.
Do you have an idea for this?
Thank you in advance.
Many greetings
Alex
Hi Alex,
Funny it is, I have it working fine with the old client and Sophos Connect, no double confirmations needed.
Have you set the readius timeout to a higher value than standard? 15 sec+
Hi Martin,
thank you for the super fast feedback.
Are you on the Sophos community as “twister5800”?
Would then continue the question in the community. π
It’s really crazy. Everything works for me. On the Sophos XG the test runs through and I can use the MS Auth. to confirm the login and get a response. Same with the Sophos Connect client, however it then also runs auth-failure and you can see in the log that it tries twice. I have the impression, whether Sophos Connect or the old Sophos SSL VPN client. Both try to reconnect way too fast and then run into an error. With the old client helps as already written, the entry route-delay 2. But the solution is also not nice.
I have now tested the timing of 5-30 sec through all the same problem.
Without MFA against Active Directory it works immediately.
Let’s see if the Sophos community has a tip for this.
Many greetings
Alex
Hi Alex,
yes it’s me π
Try to run ALL the points in the guide through, just a minor click the wrong place, can make it all fall apart π
Also remember under authentication SSLVPN put the RADIUS server on the top of the list.
OK with community π
Regards Martin
Hi Martin,
thank you. I have dopple checked now every step. No idea more.
Let`s try the Community.
Thank you very much.
Regards
Alex
Hi Martin,
I have just solved my problem. See Sophos Community for details. Thank you anyway for your support.
Many greetings
Alex
Dear Martin,
Hope you’re doing well. I found you on Google π And also go ahead with your nice tutorial about MfA via Azure on our Sophos XGS Firewall (19.5). I’ve exactly the same issue as Alex had last year. Can’t pinpoint the pain. Could you please help me out? I think I’m almost there. Radius is working, but I do not get a MfA request on Authenticator APP. All the stuff in the Azure Portal is setup correctly. Many thanks in advance.
Regards
Matthias
Hi,
Sorry for the delay, have been on vacation π
have you run the powershell script?
Do your NPS log say anything?
best regards
Martin
With onpremise server this is working perfect. Trying to migrate to an azure vm now but the the source ip comes with 169.254.0.1 and nps is giving error: A RADIUS message was received from the invalid RADIUS client IP address 169.254.0.1 looks like everything is configured correct.
Thanks for this blog post, has worked great since I first implemented it, but after upgrading XGS firmware from v19 to v20.02 I am now having toruble. I get the MFA prompt and accept but it no longer authenticates the ssl client or VPN portal. Have you experienced any issues with the v20 firmware updates after the added the VPN portal in addition to the User Portal?
Hi,
What does the authetication log say?
What about the NPS log?
Best regards
MArtin
Well I thought I was out of the woods, but it has stopped again. Now I get intermittant logins, mostly failed with the error “User xxx failed to login to VPN portal through RADIUS authentication mechanism because of no remote access VPN policy”. However, all users have a policy assigned, so this error is apparantly some sort of mismatch. Radius test connection works fine with same accounts, but not VPN portal of ssl vpn. If I add the user account as a local account and assign the policy to that local account, then it works, but that just makes no sense?
OK – remember to set the same authentication in the firewall for BOTH VPN portal AND SSL VPN π
Best regards
Martin
Have you ever seen this error from the NPS server? – ” Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.”
I checked the version of the Azure plugin and made sure it was up to date.
Hi,
Yes many times π
Please check the Windows event log:
Custom views –> Server Roles –> NPS
Anything?
Best regards
Martin
Thanks Martin. I opened a ticket with Sophos and it seems to be a problem with how Sophos is determining wether an authenticated user belongs to a group or not. Here is a post that describes the issue and potential resolution though in my case I have not resolved, but I have used the workaround of changing the default group assigned if none detected from the Radius authentication for now. What seems to be at the heart of “why now” is that the default behavior changed with v20MR1 firmware release. The description in the post lists the following –
Fix in v20MR1 is to resolve this issue:
– Radius server should respond with a list of Groups via any defined attribute e.g. Filter-ID.
– SFOS Radius server should have the same attribute set for βGroup name attributeβ.
– Group should pre-exists in firewall to map user correctly in those groups.
– In case group is not available in firewall user will fall in default group configured.
In my case, the firewall is not detecting the Group membership for users and is assign the default “open Group” which had not policy assigned. Apparantly, prior to this firmware, the default behavior was to leave the user in the group they were already a member of, so it did not change user when Radius authentication was used, but now it does.
So ultimately, it has nothing to do with the Azure MFA plugin or configuration, except perhaps the “Group name attribute” config, which is supposed to match the group name and ” Filter-ID” attribute in the Radius server network policy.
https://community.sophos.com/sophos-xg-firewall/f/discussions/147249/sophos-xg-does-not-recognize-user-group-returned-by-nps-radius-server
Thnaks for showing this, did not know about it actually π
Are you on v20MR1?
Actually, we went straight from v19 to MR2.
OK, glad it worked π
Best regards
Martin
I believe that the issue was related to the version of Sophos Connect. I was originally having trouble with the 2.2.90 of SC and I realized that the new firmware included a new release, so when I upgraded SC to the newer 2.3.1 it started working again with no issues. Not sure exactly, but seems to be OK now. Thanks for the followup.
Great! π
Yes there are some updates to the ciphers in the OpenVPN agtent, maybe this caused the issue.
But glad to hear.
have a great weekend π
Best regards
Martin