Duo authentication with local user database Sophos XG

er_nof · ‎04-08-2021

hello everyone , i would like to know if it is possible to implement Duo authentication proxy to authenticate with local user database in sophos xg appliance instead active directory and radius server.

regards,
ernof

DuoKristina · ‎04-08-2021

No, there is no way to point the Duo Authentication Proxy to your local Sophos XG user database for primary authentication.

What is possible though, if the Sophos XG supports chained authenticators (so you could have separate primary and secondary authentication, and success for the first is required before it will move on to the second), is to point primary authentication to your local database and then add the Duo proxy as a RADIUS server for secondary authentication only with the [radius_server_duo_only] configuration. In this configuration the Duo proxy only performs 2FA.

It isn’t clear if the XG can support this though. Looking here it says “When more than one server is selected, the authentication request is forwarded in the order indicated.” which could mean it isn’t chaining authentication servers, but that it will try the servers until one works, and then stop. Verify the authentication server capabilities of the XG with Sophos.

Duo, not DUO.

er_nof · ‎04-09-2021

Hi DuoKristina,

Thank you for the confirmation and i will check if my customer’s sophos xg support chained authenticator or not. Fyi, my customer need duo to add authentication for sslvpn access

Under radius_server_duo_only configuration, i still confused what value should i input at radius_ip_1 and radius_secret_1. For radius_ip_1, is it correct if I put the ip address of the user who is allowed sslvpn access?

DuoKristina · ‎04-09-2021

radius_ip_1 would be the IP address of the device sending an authentication request to the Duo proxy, so it would be the XG’s IP, and radius_secret_1 would be the secret shared with the XG in all RADIUS configurations.

Duo, not DUO.