With version 18, Sophos brings changes to the RADIUS settings on the XG Firewall. We now have the possibility to set a timeout for authentication, and this allows us to use Azure MFA for two-factor authentication.
Here are a few simple steps on how to enable this on the Network Policy Server and on the XG Firewall.
If you do not have MFA enabled for your Office 365/Azure AD account, you can enable it through the following link: https://aka.ms/mfasetup
Remember that a Network Policy Server with the Azure MFA extension redirects all requests to Azure. The server cannot be used for any other kind of authentication (e.g. 802.1X) after enabling the extension.
1. Install the Network Policy Server role on a Windows server. I installed mine on my lab domain controllers.
2. Install the Azure MFA extension and configure it. Follow the guide from Microsoft to enable it.
3. Create a new RADIUS client with the IP address of the Sophos XG Firewall.
4. Create a new Connection Request Policy.
5. Create a new Network Policy.
6. Create a firewall rule on the RADIUS server to allow connections from the firewall.
7. Add the authentication server in the Sophos XG Firewall.
8. Test authentication through RADIUS.
9. Select where you want to use RADIUS as the authentication back-end.
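As an added example (not part of the original post), the server-side steps 1, 3 and 6 can be scripted in PowerShell on the NPS host; the firewall IP address and client name are assumed placeholders, and the shared secret printed at the end is the one to enter on the XG side in step 7.

```powershell
# Added example: automates steps 1, 3 and 6 of the procedure above on the NPS host.
# Assumed values (not from the original post): the XG Firewall's IP address and the client name.
$XgAddress  = '192.0.2.10'   # placeholder: the IP address the XG Firewall sends RADIUS requests from
$ClientName = 'SophosXG'

# Step 1: install the Network Policy Server role (run from an elevated session).
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# Step 3: register the firewall as a RADIUS client with a randomly generated shared secret.
# The same secret has to be entered on the XG authentication server entry (step 7).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
New-NpsRadiusClient -Name $ClientName -Address $XgAddress -SharedSecret $SharedSecret | Out-Null

# Step 6: allow RADIUS authentication/accounting (UDP 1812/1813) only from the firewall address,
# so the NPS host does not accept RADIUS traffic from anywhere else on the network.
New-NetFirewallRule -DisplayName 'RADIUS from Sophos XG' -Direction Inbound -Protocol UDP `
    -LocalPort 1812,1813 -RemoteAddress $XgAddress -Action Allow -Profile Domain | Out-Null

# Verification: the NPS service (service name IAS) is running and the client is registered.
Get-Service -Name IAS | Select-Object Name, Status
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Select-Object Name, Address, Enabled
Write-Output "Shared secret for the XG authentication server entry: $SharedSecret"
```

Steps 2, 4 and 5 (the Azure MFA extension, the Connection Request Policy and the Network Policy) are still done per the Microsoft guide and the NPS console; keep the XG-side authentication timeout long enough for the user to answer the MFA prompt, otherwise the RADIUS request is dropped before Azure responds.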