Hello fellow Spiceheads! We recently signed up with Duo. Our goal is to roll out MFA and SSO for our organization to cover a lot of different apps. One place we have hit a snag is getting Duo to push approvals for my VPN users using Sophos Connect. We run a Sophos XGS firewall with the latest firmware 19.x.

We have the Duo Authentication Proxy installed and working for Microsoft RDS. We have NPS set up on another server to support RADIUS for this project. All servers are Server 2019.

I’ve consulted all the guides/documentation/posts on both Duo and Sophos sites but can’t seem to figure out how to trigger that last step: When a user logs in via Sophos Connect, I want them to be pushed for an Approval on their Duo app or have to enter a code.

Has anyone had luck with this setup and would be willing to share what they did to get this working?

@Duo_Security

7 Spice ups

I haven’t set up Duo or Sophos Connect. But I do have push authentication working for another VPN using RADIUS.

Point the VPN at the MFA RADIUS proxy. The proxy points to NPS. When authenticating, the VPN contacts the proxy, which talks to NPS. If NPS auth is successful, the proxy then does the push MFA. If push MFA is successful, it replies back to the VPN. Set the VPN RADIUS timeout to something like 30 seconds.

2 Spice ups

Thanks kevinmhsieh!

That is the way things are set up, basically. We’re just not getting communication. As I’m learning from all the Sophos community posts, it has its own nuances, and I’m fairly certain the issue lies there.

Still working on it.

I have this working on a Sophos XG. Have you added your Duo Proxy server as a RADIUS server in Sophos?

This is Duo’s setup guide for Sophos UTM; it’s pretty much the same for XG: Duo Two-Factor Authentication for Sophos UTM | Duo Security

Thanks Ross2814, I appreciate the reply. Everything I’ve found so far has pointed to the 3 ways to set up Sophos Firewall 18 with Duo MFA in the Sophos Community, and I’m just not getting it to work. I did follow the Duo guide, but only after setting up all the other items in the aforementioned guide.

  • What firmware version are you running on the XG?
  • Did you use Sophos UTM or Radius Server as your application in Duo for the ikey and skey?
  • Did you set up an NPS server on a DC to support this? Did you use some specific instructions to guide you on that?
  • How did you get your users set up in Sophos Connect? Did you set up a provisioning file or just have them login to the User Portal and download new configuration files.

I apologize for what may seem like bonehead questions. I feel like I missed something or have totally overthought it. This is my first foray into this and it’s really giving me grief.

No Problem

We’re on SFOS 18.5.4 MR4

RADIUS for the application

We don’t have NPS set up

We actually set up Sophos Connect with IPsec, so we just distributed the config file (after downloading it from the admin portal), but if we had used SSL we would have had users log in to the user portal to download it.

Thanks Ross2814. I’m going to make another run at it. We are on v. 19.5.2 MR2

I doubt 19.5.2 will make much difference :slight_smile:

In summary (assuming you have the Duo Auth Proxy set up):

From the Duo admin portal:
  • Add a RADIUS server
  • Note the ikey, skey and API host

Update the Duo Auth Proxy config with the above.

In Sophos:
  • Add a RADIUS authentication server with the details of the Duo Auth Proxy (the test connection button is your friend here)
  • Under Authentication → Services, add the auth server just created to whatever services you require to use it (it probably needs to be the first authentication method)

Good luck !

1 Spice up
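The summary above, together with kevinmhsieh’s VPN → proxy → primary auth → push flow earlier in the thread, maps onto two sections of the Duo Authentication Proxy’s authproxy.cfg: one section that does the primary (password) check and one that listens for RADIUS requests from the firewall and adds the Duo push. The following is an added example written for this page; it is not configuration posted by anyone in the thread or taken from Duo’s or Sophos’ documentation. Every host name, IP address, DN, key and secret is a placeholder (assumption) that must be replaced with your own values.

```ini
; authproxy.cfg (added example, not from the thread)
; All values below are placeholders; replace them with your own.

; --- Primary authentication: check the username/password against AD ---
[ad_client]
; assumption: your domain controller
host=dc1.example.internal
; assumption: a read-only service account used only for the LDAP bind
service_account_username=svc_duo
service_account_password=CHANGE_ME
; assumption: base DN of your domain
search_dn=DC=example,DC=internal

; --- Alternative primary auth (kevinmhsieh's layout): forward to NPS ---
; Uncomment this section and set client=radius_client below if you want
; NPS to do the password check instead of the proxy binding to AD.
;[radius_client]
;host=nps1.example.internal
;secret=CHANGE_ME
;port=1812

; --- RADIUS listener the Sophos XGS talks to, with Duo push added ---
[radius_server_auto]
; From the RADIUS application in the Duo Admin Panel (placeholders)
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME
api_host=api-XXXXXXXX.duosecurity.com
; assumption: the firewall IP that will send RADIUS requests
radius_ip_1=192.0.2.1
; must match the shared secret entered on the XGS RADIUS server page
radius_secret_1=CHANGE_ME
; which section above performs primary authentication
client=ad_client
port=1812
; safe = allow if Duo's cloud is unreachable (after primary auth passes)
; secure = deny in that case; pick secure if the VPN must fail closed
failmode=safe
```

A few practical notes on this layout: restart the proxy service after editing the file, and confirm UDP 1812 on the proxy is reachable from the firewall’s address (the firewall’s IP must also match radius_ip_1, or the proxy silently drops the request). The “test connection” button on the XGS RADIUS server page exercises exactly this listener, so a failing test almost always means a wrong secret, wrong port, or a firewall between the two hosts. The firewall-side RADIUS timeout must be long enough for the user to pick up the phone and approve the push; kevinmhsieh’s suggestion of roughly 30 seconds is a reasonable starting point, since a short timeout makes the firewall give up while the Duo side still logs a success, which is the symptom described later in the thread.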

Victory! Thanks Ross2814! I clearly did overthink this. Ignore the Sophos guide. Duo support originally told me I could not use Radius Server with AD client in the Auth Proxy and that I had to do either all AD/LDAPS or all RADIUS. That led me down a nasty rabbit hole that had me pounding my head on the wall.

Thanks again for your help. I feel like I owe you a case of scotch. :wink:

Great, glad you got it working!

I must be missing a step somewhere. I have configured the RADIUS server in Duo, updated the Auth Proxy config and added the RADIUS config in the XGS. Testing from the Sophos works, and I can successfully log in to the user portal with a push from Duo, but the SSL VPN will not authenticate. I get the Duo push, but when I approve it, the VPN client just goes back to the user/pass prompt. Duo logs show a successful authentication; Sophos authentication logs do not register an attempt at all, even though it is obviously failing.

Any thoughts?

Ok, in your XGS, go to Authentication → Services. Make sure you have your Duo RADIUS server (the one you set up under Authentication → Servers)
listed under SSL VPN authentication methods, and make sure it is at the top of the list, above local.

Also, when you set up the Duo RADIUS server under Servers → Authentication, were you able to test the connection successfully?

1 Spice up

Thank you for the reply. I finally got it working. My issue turned out to be related to having both RADIUS and AD auth mechanisms for the SSL VPN. This was causing the XGS to create multiple user accounts.

Big thanks to IngoW and Ross2814 for setting me on the right path! Sophos and Duo documentation both severely overcomplicate the process.

Victory! Glad you solved it, and thanks for the update!

1 Spice up