Sophos Firewall - RADIUS Configuration - Cloud Authentication Service - RSA Ready Implementation Guide

This article describes how to integrate Sophos Firewall with RSA Cloud Authentication Service using RADIUS.

  
Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service (CAS) using RADIUS.

Procedure

  1. Sign in to RSA Cloud Authentication Service.
  2. Navigate to Authentication Clients > RADIUS.
  3. Click Add RADIUS Client and Profiles.
  4. On the RADIUS Client page, enter the following details:
    1. Name: A descriptive name for the RADIUS client.
    2. IP Address: The IP address of the RADIUS client (Sophos Firewall).
    3. Shared Secret: Create and enter a strong shared secret. The same secret is configured on the RADIUS client and authenticates the RADIUS traffic between the client and the server.
  5. Click Save and Next Step, and then click Finish to complete the configuration.
  6. Click Publish Changes to apply your changes to the RADIUS server, and wait for the process to complete.

Notes

  • The RSA Cloud Authentication Service RADIUS server listens on UDP port 1812.
  • The shared secret must be an alphanumeric string of 1 to 31 characters and is case-sensitive.

   

Configure Sophos Firewall

Perform these steps to configure Sophos Firewall as a RADIUS client to CAS.

Procedure

  1. Log in to the Admin portal of Sophos Firewall.
  2. In the left pane, select Authentication.
  3. On the Authentication tab, choose Add to add a new RADIUS authentication server.
  4. On the Add external server screen, fill in the required details:
    1. Server type: Choose RADIUS server in the drop-down list.
    2. Server name: Choose a name for the RADIUS server.
    3. Server IP: The IP address of the RADIUS server, that is, the IP address of the management port of the identity router (IDR) configured in CAS.
    4. Time-out: Increase the timeout to 15 seconds.
    5. Shared secret: Choose the same secret as the one configured earlier in RSA.
    6. Group name attribute: The RADIUS attribute from which Sophos Firewall reads the user’s group membership. Mapping users to groups from the RADIUS response lets the firewall apply that group’s access controls, time policies, and bandwidth limits.
  5. Click Test connection.
  6. Once the test is successful, click Save.
  7. Under Authentication, navigate to the Services tab.
  8. Depending on your organization’s use case, edit the Authentication methods so that the newly created RADIUS server is moved from the Authentication Server list to Selected authentication server. You can change the priority of the authentication methods by reordering them in the list.
  9. To use RSA authentication for SSL VPN, create an SSL VPN policy that controls remote VPN connections, the resources they are allowed to access, and how users authenticate to the VPN.
    To configure SSL VPN:
    1. In the left pane, select Remote access VPN.
    2. Click the SSL VPN tab and click Add.
    3. Follow the on-screen instructions for your preferred configuration and access restrictions. In Step 3, choose the users or groups that are allowed to connect to the VPN and therefore authenticate with RSA.
    4. In Step 4, Authentication servers (global setting), click the Set authentication method for SSL VPN radio button, choose the configured RSA RADIUS server as the authentication method for the SSL VPN, and click Next.
    5. Complete the remaining steps, review the settings, and click Finish. The SSL VPN is now ready for use, authenticating via RADIUS against RSA.

The configuration is complete.
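As an added example that is not part of this guide or of Sophos or RSA software, the following Python shows what the shared secret configured in both procedures above is used for in RADIUS (RFC 2865): it obscures User-Password in the Access-Request and authenticates the server's reply, which is why a secret that differs on either side makes Test connection fail. The user name, password and secret are constructed sample values; check_shared_secret mirrors the constraint stated in the Notes.

```python
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def check_shared_secret(secret: str) -> bool:
    """RSA constraint from the Notes: 1-31 alphanumeric characters, case-sensitive."""
    return re.fullmatch(r"[A-Za-z0-9]{1,31}", secret) is not None


def _password_xor(secret: bytes, authenticator: bytes, data: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 keystream: b_i = MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if decrypt else block   # always chain on the ciphertext block
    return out


def encrypt_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad up to a 16-byte boundary
    return _password_xor(secret, authenticator, padded, decrypt=False)


def decrypt_user_password(secret: bytes, authenticator: bytes, ciphertext: bytes) -> bytes:
    return _password_xor(secret, authenticator, ciphertext, decrypt=True).rstrip(b"\x00")


def build_access_request(secret: bytes, username: bytes, password: bytes, identifier: int = 1):
    """Return (packet, request_authenticator): what a RADIUS client such as the firewall sends to UDP 1812."""
    authenticator = os.urandom(16)                      # fresh random Request Authenticator
    attrs = struct.pack("BB", ATTR_USER_NAME, 2 + len(username)) + username
    enc = encrypt_user_password(secret, authenticator, password)
    attrs += struct.pack("BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator


def build_response(secret: bytes, request_authenticator: bytes, code: int, identifier: int, attrs: bytes = b"") -> bytes:
    """Constructed server reply (what the RADIUS server computes); used here only for the offline check."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request_authenticator: bytes, response: bytes) -> bool:
    """RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); a secret mismatch fails here."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```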

     

Configure LDAP Server as a Fallback Authentication Mechanism

When CAS or the IDR is temporarily unavailable or does not respond, it is crucial that users can still authenticate. As a backup, Sophos Firewall lets you configure an LDAP server as a fallback authentication source. This section outlines how to configure and enable an LDAP server in Sophos Firewall.

Perform these steps to configure an LDAP Server in Sophos Firewall.

Procedure

  1. Log in to the Admin portal of Sophos Firewall.
  2. In the left pane, select Authentication.
  3. On the Authentication tab, click Add to add a new LDAP authentication server.
  4. Configure the LDAP server settings:
    1. Server type: Select Active Directory or LDAP as applicable.
    2. Server name: A name for the LDAP server (for example, LDAP_Fallback).
    3. Server IP/domain: Enter the IP address or FQDN of the LDAP server.
    4. Connection security: Choose SSL/TLS (recommended for secure connections).
    5. Port: Defaults to 636 when using SSL/TLS. Change it only if your LDAP server uses a non-standard port.
    6. NetBIOS domain: Enter the NetBIOS name of your domain (for example, CORP).
    7. ADS user name: Provide a bind user with directory query permissions (for example, ldapbinduser or CORP\ldapbinduser).
    8. Password: Enter the bind user’s password.
    9. Validate server certificate: Enable this option only if your LDAP server uses a trusted certificate and validation is required.
    10. Display name attribute: (Optional) Enter an LDAP attribute to display user names (for example, displayName).
    11. Email address attribute: Defaults to mail. Modify it if your directory uses a different attribute.
    12. Domain name: Enter the FQDN of your domain (for example, corp.example.com).
    13. Search queries: Specify the LDAP search base(s) and filter(s) used to locate users or groups. For example: CN=Users, DC=corp, DC=example, DC=com. Click Add to add multiple search queries.
  5. Click Test connection to verify communication with the LDAP server.
  6. When the test succeeds, click Save.

    

Add LDAP to Authentication Services

After configuring the LDAP server, you need to assign it to the authentication services.

Procedure

  1. Log in to the Admin portal of Sophos Firewall.
  2. In the left pane, select Authentication > Services. Under the Authentication Server for Services section, the service categories are displayed: Firewall Authentication, User Portal, VPN Portal, and VPN (IPsec/dial-in/L2TP/PPTP).
  3. For each relevant service, do the following:
    1. Select the checkbox corresponding to the name of your LDAP server.
    2. Move the newly created LDAP_Fallback server to the list of Selected Servers. Make sure it is listed after the primary RSA RADIUS server so that RADIUS keeps priority.
  4. Click Apply.

Verify LDAP Fallback Authentication

To confirm proper fallback behavior:

  1. Temporarily simulate RSA/IDR unavailability (for example, disable RADIUS on the IDR cluster in RSA):
    1. Sign in to RSA Cloud Authentication Service.
    2. Navigate to Platform > Clusters.
    3. Locate the cluster that hosts the IDR configured in Sophos Firewall as the RADIUS server, and click Edit.
    4. Clear the Enable the RADIUS service on all identity routers in the cluster checkbox.
    5. Click Save and Finish, and then click Publish Changes.
  2. Attempt a user login using credentials that exist in the LDAP directory.
  3. Confirm that authentication succeeds via LDAP and check the logs in Log Viewer:
    1. Log in to the Admin portal of Sophos Firewall.
    2. In the top pane, click Log Viewer.
    3. Choose Authentication to view all authentication attempts.