rieskaniemi.com


Azure MFA NPS extension with Sophos UTM Firewall.

A Sophos UTM firewall can be configured to use Azure MFA for two-factor authentication.

After installing the MFA extension with the help of Microsoft's guide (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension), you only need to define a couple of settings in UTM and enable policies on the NPS server to get it working.

Unfortunately I was only able to set it up using PAP as the authentication method. I believe this is a limitation of UTM.

Here are the steps I took to accomplish this.

First, add your Sophos UTM as a RADIUS client on the NPS server.

I am assuming that the NPS server is located at IP address 192.168.100.100 and that the Sophos UTM is used as the gateway for this network with IP address 192.68.100.1.

Add the Sophos UTM firewall as a RADIUS client. Use the UTM's IP address on this network as the client IP. Choose a long shared secret (UTM supports up to 48 characters).

Next, create a connection request policy for the UTM.

Select "Authenticate requests on this server".

Under Conditions, add the UTM's IP as the Client IPv4 Address.

Leave the rest of the settings at their defaults.

Next you'll have to create a network policy for the SSL VPN authentication traffic.

I created one policy for each service for which I want to use RADIUS authentication.

Again we'll use the UTM's IP as the client IP, and I also added a user group check so that only VPN-enabled users match. Use "ssl" as the NAS Identifier.

Under Authentication Methods, select only PAP. Select No on the security warning.

Leave the rest of the settings at their defaults.

Now log in to UTM and navigate to Definitions & Users -> Authentication Services -> Servers.

Add a new authentication server and select RADIUS as the backend type. Select the Network Policy Server as the server, or create a new network host object for it.

Use the same 48-character shared secret. Expand the advanced settings and change the timeout to 60 seconds, so that the request does not time out while the user answers the MFA prompt.

You can see the NAS Identifiers used by the various services in the NAS Identifier dropdown.

That's it. You should now have an Azure MFA enabled SSL VPN. To enable MFA for other services, just create another network policy and use a different NAS Identifier.
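Because PAP is the only method that worked, it is worth seeing what actually travels between the UTM and NPS and how the network policy conditions above pick it up. The following Python is an added example (not code from this post, Sophos or Microsoft): it builds an Access-Request the way a RADIUS client does per RFC 2865, with the User-Password attribute hidden using the shared secret and the request authenticator, parses it back, and applies the three policy conditions described above (client IP, NAS Identifier "ssl", group membership). The UTM address 192.168.100.1, the 48-byte secret and the group name "VPN Users" are assumptions; only the NPS address and the "ssl" NAS Identifier come from the post.

```python
"""Model of the RADIUS/PAP exchange between a Sophos UTM (RADIUS client) and
an NPS server, plus the network-policy matching described in the post.
Constructed example; not Sophos or Microsoft code."""
import hashlib
import os
import socket
import struct

# Packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32

# Assumed/constructed values: the post gives only the NPS address
# (192.168.100.100) and the NAS-Identifier "ssl". The UTM gateway address,
# the secret and the group name are placeholders for this example.
UTM_IP = "192.168.100.1"
SHARED_SECRET = b"0123456789abcdef" * 3   # 48 bytes, the UTM's maximum; constructed

# One NPS network policy per UTM service, told apart by NAS-Identifier.
NETWORK_POLICIES = [
    {"name": "UTM SSL VPN (Azure MFA)", "client_ip": UTM_IP,
     "nas_identifier": "ssl", "group": "VPN Users"},
]


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    The only key material is the shared secret, so its length and secrecy are
    all that protects a PAP password between the UTM and NPS."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password.ljust(((len(password) + 15) // 16 or 1) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server (NPS)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    """Encode one type/length/value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, nas_identifier):
    """Build the Access-Request the UTM sends for a PAP login to one service."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_IDENTIFIER, nas_identifier.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def match_network_policy(source_ip, attrs, user_groups):
    """Mimic the NPS conditions from the post: Client IPv4 Address, NAS-Identifier
    and Windows group membership. Returns the policy name, or None (reject)."""
    nas_id = attrs.get(NAS_IDENTIFIER, b"").decode("utf-8", "replace")
    for policy in NETWORK_POLICIES:
        if (source_ip == policy["client_ip"] and nas_id == policy["nas_identifier"]
                and policy["group"] in user_groups):
            return policy["name"]
    return None


if __name__ == "__main__":
    req = build_access_request(1, SHARED_SECRET, "alice", "correct horse", UTM_IP, "ssl")
    code, ident, auth, attrs = parse_packet(req)
    print(match_network_policy(UTM_IP, attrs, {"VPN Users"}))
    print(reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, auth))
```

The User-Password attribute is protected only by MD5 keyed with the shared secret and the per-request authenticator, which is why using the full 48-character secret matters and why the RADIUS traffic between the UTM and NPS should stay on a trusted network segment. Adding a second entry to NETWORK_POLICIES with a different NAS Identifier is the equivalent of the post's closing advice for enabling MFA on further services.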
