rieskaniemi.com

yet another it blog

Azure MFA NPS extension with Sophos UTM Firewall.


The Sophos UTM firewall can be configured to use Azure MFA for two-factor authentication.

After installing the MFA extension with the help of Microsoft's excellent guide, https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension, you only need to define a couple of settings in UTM and enable policies on the NPS server to get it working.

Unfortunately I was only able to set it up using PAP as the authentication method. I believe this is a limitation of UTM.

Here are the steps I took to accomplish this.

First, add your Sophos UTM as a RADIUS client on the NPS server.

I am assuming that the NPS server is located at IP address 192.168.100.100 and that the Sophos UTM is used as the gateway for this network with IP address 192.68.100.1.

Add the Sophos UTM firewall as a RADIUS client. Use the UTM's IP on this network as the client IP. Choose a long shared secret (UTM supports up to 48 characters).

Next, create a connection request policy for the UTM.

Select Authenticate requests on this server.

Under Conditions, add the UTM's IP as the Client IP.

Leave the rest of the settings at their defaults.

Next you'll have to create a Network Policy for the SSL VPN authentication traffic.

I created one policy for each service I want to use RADIUS authentication with.

Again we'll use the UTM's IP as the client IP, and I also added a user group check for VPN-enabled users. Use ssl as the NAS Identifier.

Under Authentication Methods, select only PAP. Select No on the security warning.

Leave the rest of the settings at their defaults.

Now log in to UTM and navigate to Definitions & Users -> Authentication Services -> Servers.

Add a new authentication server and select RADIUS as the backend type. Select the Network Policy Server as the server, or create a new network host object for it.

Use the same 48-character shared secret. Expand the advanced settings and change the timeout to 60 seconds.

You can see the NAS Identifiers used by each service in the NAS Identifier dropdown.

That's it. Now you should have an Azure MFA-enabled SSL VPN set up. To enable MFA for other services, just create another network policy and use a different NAS Identifier.
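With PAP, the user's password crosses the network inside the RADIUS User-Password attribute protected only by the shared secret, so the secret should use the full 48 characters UTM allows and be generated rather than typed. The script below is an added example, not part of the original post: it generates such a secret and registers the UTM as an NPS RADIUS client with the NPS PowerShell module's New-NpsRadiusClient, assuming it runs elevated on the NPS server and that the client name and the UTM address (taken from the post) are adjusted to your network.

```powershell
# Added example (not from the original post): register the Sophos UTM as an NPS
# RADIUS client with a freshly generated 48-character shared secret.
# Assumptions: run in an elevated session on the NPS server (192.168.100.100);
# the NPS module is installed with the NPS role; $UtmAddress is the UTM's IP
# on this network (value from the post, adjust to yours).
Import-Module NPS

$UtmName    = 'Sophos-UTM'      # hypothetical client name
$UtmAddress = '192.68.100.1'    # UTM address as given in the post

function New-RadiusSharedSecret {
    param([int]$Length = 48)    # 48 is the maximum UTM accepts
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: 248 = 4 * 62, so values below 248 map to the
        # 62-character alphabet without modulo bias.
        if ($byte[0] -lt 248) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
    }
    return -join $chars
}

$secret = New-RadiusSharedSecret

# Register the UTM; the same secret is then entered on the UTM's RADIUS
# server definition (Definitions & Users -> Authentication Services -> Servers).
New-NpsRadiusClient -Name $UtmName -Address $UtmAddress -SharedSecret $secret

# Show the secret once for pasting into UTM, then drop it from the session.
Write-Host "Shared secret for $UtmName (enter it on the UTM, then close this window):"
Write-Host $secret
Remove-Variable secret

# Confirm the client was created (NPS does not display the secret back).
Get-NpsRadiusClient -Name $UtmName
```

After this, the connection request policy and the per-service network policies (PAP only, Client IP condition, NAS Identifier such as ssl) are still created in the NPS console as described in the steps above.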


4 thoughts on “Azure MFA NPS extension with Sophos UTM Firewall.”

  • Hi Ries,

    Your article is great! After some troubleshooting I was able to use this.
    My customer however uses SSL VPN profiles with different setups and access to LANs.
    Our experience is that AD groups do not work anymore, only personal SSL VPN profiles.
    I must of course use RADIUS users, but I then lose the advantage of creating different profiles.
    Do you have any advice or experience for this?

    1. Sorry for the late reply.
      I personally do not use SSL VPN anymore as I prefer the IPsec one with Sophos XG FW.
      With SSL VPN I used to create ACL rules to allow users (groups) to access different resources via SSL VPN, so I never used different VPN profiles.

  • I got this to work with the Microsoft Authenticator app (push notification approve/decline).

    Is there any way to make codes work for one-time passwords via SMS? I don't see a way to make users enter the OTP code.

    Greetings,
    David Bekker
