Sophos XG SSL VPN - RADIUS integration
This documentation describes how to configure Sophos XG SSL VPN with the inWebo RADIUS connector.
Prerequisites
Administrator access to your Sophos XG firewall,
Administrator access to your inWebo account,
You should allow UDP traffic on port 1812 from the Sophos XG firewall to the inWebo Radius server.
Step 1: configure inWebo Radius Connector
Log in to the inWebo administration console http://www.myinwebo.com/console.
Go to Secure site tab > Connector > Add a connector of type Radius Push
Specify the settings:
Setting | Description
---|---
IP Addresses | IP of the public interface of your Sophos XG server (or NAT address if behind a firewall)
Radius Secret | Secret shared between Sophos XG and the inWebo Radius server. It will be used in the Sophos configuration.
Click on Add.
Any modification made to your radius configuration will be applied within the next 15 minutes.
Step 2: configure the Sophos XG SSL VPN
Add a new Radius server
Go to Authentication > Servers and click Add
Specify the settings:
Use the default value for any setting not listed below.
Setting | Description
---|---
Server type | RADIUS server
Server name | inWebo_RADIUS
Server IP | inWebo provides two Radius server pools. Each pool load-balances requests across several Radius servers located in different datacenters.
Enable accounting | empty
Accounting port | empty
Shared secret | <inWebo RADIUS server shared secret> (the shared secret configured on the inWebo Radius connector)
Group name attribute | any
Click on Test connection to validate the user credentials and check the connection to the server.
Click on Save.
Set authentication method for VPN SSL
To query the inWebo radius server, you should set it as authentication method for SSL VPN.
Go to Authentication > Services
Check that the SSL VPN authentication method is set to the inWebo RADIUS server and that it is at the top of the list.
Click on Apply
Testing inWebo authentication with SSL VPN client
In this test, the test user account is “mytest”.
This account was previously registered in inWebo and exists in the Sophos user directory as well. Furthermore, it has an inWebo Authenticator enrolled (mobile/desktop).
Check that the test user is added to the Policy Members of the SSL VPN (remote access):
Go to VPN > SSL VPN (remote access) > Identity > Policy members > Add new item (if the user is not present)
Enter your login (mytest) and an OTP as the password in Radius standard mode, or a random character in Radius "push" mode.
In Radius push mode, the user receives a notification on their mobile/desktop device. The user enters their PIN code (second-factor authentication) to generate an OTP.
The user is connected.
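The "Test connection" button in Step 2 and the SSL VPN login above both send a RADIUS Access-Request over UDP 1812 in which the password (the OTP) is obfuscated with the shared secret, and the reply is signed with that same secret. The added example below is not code from the page, from Sophos or from inWebo; it is a minimal RFC 2865 PAP client plus a toy server standing in for the inWebo connector, so the exchange can be walked through offline. The user name `mytest`, the OTP `123456`, the user table and the secret `constructed-shared-secret` are all constructed values. The `send_access_request` helper is the only part that touches the network and is left unused in the offline walk-through.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous ciphertext block); the first block uses the Request Authenticator.
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of encode_password; the key chain is driven by the ciphertext blocks.
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, auth: bytes) -> bytes:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes.
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    enc = encode_password(password, secret, auth)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(enc)) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = data[pos], data[pos + 1]
        if l < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def toy_server(request: bytes, secret: bytes, users: dict) -> bytes:
    # Stand-in for the inWebo Radius connector: decode the PAP password with the
    # shared secret, compare it against a constructed user table, sign the reply.
    _, ident, auth, attrs = parse_packet(request)
    supplied = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, auth)
    ok = hmac.compare_digest(users.get(attrs.get(ATTR_USER_NAME, b""), b"\x00"), supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", auth, secret)


def verify_response(resp: bytes, request_auth: bytes, secret: bytes):
    # The firewall must check the Response Authenticator with its own copy of the secret;
    # a mismatching secret on either side shows up here (or as a reject), which is
    # exactly what the "Test connection" step in Step 2 surfaces.
    code, ident, ra, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, resp[20:], request_auth, secret)
    return hmac.compare_digest(ra, expected), code


def run_exchange(user: bytes, password: bytes, client_secret: bytes, server_secret: bytes, users: dict):
    # Full offline round trip: firewall side builds the request, server side answers.
    auth = os.urandom(16)
    request = build_access_request(7, user, password, client_secret, auth)
    return verify_response(toy_server(request, server_secret, users), auth, client_secret)


def send_access_request(host: str, user: bytes, password: bytes, secret: bytes, timeout: float = 5.0):
    # Real network variant (hypothetical helper, not exercised offline): UDP 1812 as in the prerequisites.
    auth = os.urandom(16)
    request = build_access_request(1, user, password, secret, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 1812))
        resp, _ = sock.recvfrom(4096)
    return verify_response(resp, auth, secret)


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"mytest": b"123456"}
    print(run_exchange(b"mytest", b"123456", secret, secret, users))  # (True, 2): Access-Accept
    print(run_exchange(b"mytest", b"123456", b"typo", secret, users))  # (False, 3): secret mismatch
```

The three cases the `__main__` block and the assertions cover map onto what an administrator sees in the console: a matching secret and correct OTP gives a verified Access-Accept, a wrong OTP gives a verified Access-Reject, and a shared secret that differs between the inWebo connector and the Sophos server entry produces a reply whose authenticator does not verify. Only the last case is a configuration error, so it is worth reproducing with "Test connection" before touching the Authentication > Services ordering.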