rieskaniemi.com

Azure MFA With Sophos XG Firewall

With version 18, Sophos changes the RADIUS settings on the XG Firewall. It is now possible to set a timeout for authentication, which allows Azure MFA to be used for two-factor authentication.

Here are a few simple steps to enable this on Network Policy Server and on the XG Firewall.

If you do not have MFA enabled for your Office 365/Azure AD account, you can enable it through the following link: https://aka.ms/mfasetup

Note that a Network Policy Server with the Azure MFA extension redirects all requests to Azure. The server cannot be used for any other kind of authentication (e.g. 802.1X) after the extension is enabled.

1. Install the Network Policy Server role on a Windows server. I installed mine on my lab Domain Controllers.

Install the Network Policy Server role through Server Manager.
Remember to register the server in Active Directory.

2. Install the Azure MFA extension and configure it. Follow the guide from Microsoft to enable it.

Download:
https://www.microsoft.com/en-us/download/details.aspx?id=54688

Guide:
https://docs.microsoft.com/bs-latn-ba/azure/active-directory/authentication/howto-mfa-nps-extension

3. Create a new RADIUS client with the IP address of the Sophos XG Firewall.

Use the IP address of the Sophos XG Firewall as the client IP. Leave the rest of the settings at their defaults.

4. Create a new Connection Request Policy.

I named mine Sophos XG FW Crp.
In Conditions, add NAS IPv4 Address and use the IP address of your Sophos XG Firewall. Leave the rest of the settings at their defaults.

5. Create a new Network Policy.

I named mine Sophos XG FW Np.
I only added one condition, the Domain Users group. This could be your VPN-allowed users group or similar.
In Authentication methods, select only PAP.

6. Create a firewall rule on the RADIUS server to allow connections from the firewall.

Use the firewall's IP as the Remote IP Address.
The protocol will be UDP and the ports 1812 and 1813.

7. Add the authentication server in the Sophos XG Firewall.

Fill in the details as follows. Remember to set the Time-out setting to 15 seconds (or more) and the Group name attribute to SF_AUTH.

8. Test authentication through RADIUS.

Push message received through mobile.
All good.

9. Select where you want to use RADIUS as the authentication back-end.

I selected RADIUS servers as the authentication back-end for the User portal and VPN.
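The NPS-side steps above (role install and AD registration, RADIUS client, host firewall rule) and a post-test log check, scripted in PowerShell as an added example; this is not from the original post. The firewall address 192.0.2.10 and the client name are placeholder assumptions, and the connection request policy and network policy (steps 4 and 5) are still created in the NPS console as described.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the NPS host. All names and addresses below are assumptions.
$XgIp       = '192.0.2.10'   # assumption: IP address of the Sophos XG Firewall
$ClientName = 'SophosXG'     # assumption: label for the RADIUS client entry

# PAP carries the user's password protected only by the RADIUS shared secret,
# so use a long random secret and keep the XG-to-NPS path on a trusted segment.
$Secret      = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$PlainSecret = [System.Net.NetworkCredential]::new('', $Secret).Password

# Step 1: install the role and register the server in Active Directory
# (registration adds the computer to the "RAS and IAS Servers" group).
Install-WindowsFeature -Name NPAS -IncludeManagementTools
netsh nps add registeredserver

# Step 3: RADIUS client keyed to the firewall's source IP. Requests from any
# other address are dropped before they reach a policy.
New-NpsRadiusClient -Name $ClientName -Address $XgIp -SharedSecret $PlainSecret

# Step 6: host firewall rule limited to the firewall's IP and the RADIUS ports
# (1812 authentication, 1813 accounting), UDP only.
New-NetFirewallRule -DisplayName "RADIUS from $ClientName" -Direction Inbound `
    -Protocol UDP -LocalPort 1812, 1813 -RemoteAddress $XgIp -Action Allow

# Step 8 check: after a test login from the XG user portal, NPS writes
# Security event 6272 (access granted) or 6273 (access denied, with a
# Reason Code) naming the client; the Azure MFA extension writes its
# own decision to the AuthZOptCh channel.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 5 |
    Format-List TimeCreated, Id, Message
Get-WinEvent -LogName AuthZOptCh -MaxEvents 5 |
    Format-List TimeCreated, Id, Message
```

A 6272 that appears without a matching AuthZOptCh entry means the request was granted by NPS before the extension ran, which is the case to look for when validating that MFA is actually enforced.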