rieskaniemi.com

yet another it blog

How to use Azure MFA with Sophos UTM Firewall.


Sophos UTM firewall can be configured to use Azure MFA for Two-Factor authentication.

After installing the MFA extension with the help of Microsoft's guide, https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension, you only need to define a couple of settings in UTM and enable policies on the NPS server to get it working.

Unfortunately I was only able to set it up using PAP as the authentication method. I believe this is a limitation of UTM.

Here are the steps I took to accomplish this.

First, add your Sophos UTM as a RADIUS client on the NPS server.

I am assuming that the NPS server is located at IP address 192.168.100.100 and that the Sophos UTM is used as the gateway for this network with IP address 192.68.100.1.

Add the Sophos UTM firewall as a RADIUS client. Use the UTM's IP on this network as the client IP. Choose a long shared secret (UTM supports up to 48 characters).

Next, create a connection request policy for the UTM.

Select Authenticate requests on this server.

Under Conditions, add the UTM's IP as the Client IP.

Leave the rest of the settings at their defaults.

Next you'll have to create a network policy for SSL VPN authentication traffic.

I created one policy for each service I want to use RADIUS authentication for.

Again, use the UTM's IP as the client IP. I also added a user group check for VPN-enabled users. Use ssl as the NAS Identifier.

Under Authentication Methods, select only PAP. Select No on the security warning.

Leave the rest of the settings at their defaults.

Now log in to the UTM and navigate to Definitions & Users -> Authentication Services -> Servers.

Add a new authentication server and select RADIUS as the backend type. Select the Network Policy Server as the server, or create a new network host object for it.

Use the same 48-character shared secret. Expand the advanced settings and change the timeout to 60 seconds.

You can see the NAS Identifiers used by each service in the NAS Identifier dropdown.

That's it. You should now have an Azure MFA enabled SSL VPN. To enable MFA for other services, just create another network policy and use a different NAS Identifier.
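As an added illustration (not code from the post, Sophos or Microsoft), here is what the PAP exchange looks like on the wire between the UTM and NPS: the User-Password attribute is only XOR-masked with MD5 keyed by the shared secret and the Request Authenticator (RFC 2865), which is why the advice above to pick a long shared secret and to restrict the RADIUS client to the UTM's IP matters, and NPS routes the request to the right network policy by the NAS-Identifier value. The secret, user, password and NAS-Identifier values are constructed samples.

```python
# Added example (not from the post): build and decode the RADIUS Access-Request
# a NAS such as the UTM sends to NPS with PAP. All values below are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), seeded with the Request Authenticator. Reversible with the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def pap_reveal(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate, as the RADIUS server performs it before checking the user."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], digest))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user, password, nas_id, secret, ident=1, authenticator=None):
    """Access-Request with User-Name, User-Password and NAS-Identifier; NPS matches
    NAS-Identifier (e.g. "ssl") against the network policy condition."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for code, value in ((USER_NAME, user.encode()),
                        (USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator)),
                        (NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", code, len(value) + 2) + value  # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```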


7 thoughts on “How to use Azure MFA with Sophos UTM Firewall.”

  • Hi Ries,

    Your article is great! After some troubleshooting I was able to use this.
    My customer however uses SSL VPN profiles with different setups and access to LANs.
    Our experience is that AD groups do not work anymore, only personal SSL VPN profiles.
    I must of course use RADIUS users, but I then lose the advantage of creating different profiles.
    Do you have any advice or experience for this?

    1. Sorry for late reply.
      I personally do not use SSL VPN anymore as I prefer IPsec one with Sophos XG FW.
      With SSL VPN I used to create ACL rule to allow users (groups) to access different resources via SSL VPN, so I never used different VPN profiles.

      1. Hi kimmo,
        We are dealing with the same issue e.g. like having Sophos UTM with Azure MFA on VPN as a security improvement but losing the option to restrict network access per SSL VPN profile like we have now. We have several SSL VPN profiles (staff, external/hired staff and suppliers).

        Can you tell me more how you configured 1 SSL VPN profile and the ACLs (AD group based? like we have now) to grant / restrict access to network resources?

        This would greatly help us, as your article already did on using Azure MFA on Sophos VPN. Thank you.

          1. Thank you for still replying kimmo. This is interesting.

            We have configured this a bit differently, as far as I can see. We have set up the NPS server with the Azure MFA NPS extension like in your tutorial. I added 1 SSL VPN profile with Radius user as group and disabled automatic firewall rules. Then I created different firewall rules per profile (colleague/hired staff/suppliers). We used the user objects as sources and defined the destinations. That works. We didn’t manage to get this working with AD groups. To get a cleaner overview we created network groups and added the user objects to them (a user group did not work). This seems to work but still involves manual changes. AD groups would certainly be helpful.

            So you suggest that this should work by referring to the post.
            Should this also work in combination with the RADIUS / Azure MFA NPS extension?
            We do not have AD SSO enabled. Is that an issue?

  • I got this to work with the Microsoft Authenticator app. (Push notification approve/decline).

    Is there any way to make codes work for One-time passwords via SMS? I don’t see a way to make users enter the OTP code.

    Greetings,
    David Bekker
