SSL VPN Sophos UTM - RADIUS integration

Prerequisite

• Sophos UTM

• inWebo account

Note: the following configuration and screnshots are based on Sophos UTM 9.5

Configure the RADIUS server (UTM)

1. Navigate to Definition & Users > Authentication Services > Servers tab

2. Click + New authentication Server

3. Fill in the parameters as shown below:

   • Backend: RADIUS

   • Position: Top (after saving this form, it becomes 1)

   • Server: Define the inWebo Radius Server

     1. Name > Define a name for the inWebo Radius server authentication

     2. Type > Host

     3. IPv4 address > enter inWebo Radius server IP addresses (see below)

     4. Click on Save

   • Port: 1812 (default port)

   • Shared Secret: Enter the Radius secret shared with inWebo 

4. Authentication timeout (sec): the expiration time must be sufficient for authentication to be completed. We recommend to set this value to 60 in order to let user to grab his handle his mobil phone en validate the authentication

5. Click on Save

inWebo RADIUS authentication server

Fill the indication for your inWebo RADIUS authentication servers.

inWebo Radius server addresses :

• Primary: radius-a.myinwebo.com (95.131.139.137)

• Secondary: radius-b.myinwebo.com (217.180.130.59)

(See RADIUS integration and redundancy for additional details and configuration)

Configure the inWebo RADIUS connector

1. Log in to the inWebo administration console https://www.myinwebo.com/console

2. Navigate to the Secure site tab

3. Add a Radius Push connector in the Connectors section

4. Fill in the parameters as shown below:

   • IP Address: fill with the IP of the public interface of your Sophos UTM 9 (or NAT address if behind a firewall)

   • Radius secret: it is a secret shared between Sophos UTM and the inWebo Radius server

5. Click on Add

Please note that "any modification to the configuration of your RADIUS connector will be applied within the hour".

Activate User Portal

1. Navigate to Management > User Portal > Global tab

2. Add Allowed Networks: Networks authorized to access the end user portal
   

3. Click on Apply

Configure the Sophos UTM User Portal to use inWebo

1. Navigate to Definition & User > authentication Services > Global Settings tab

2. Activate "Create users automatically" in the Automatic User Creation section and click Apply

3. Enable End-User Portal in the "Automatic User Creation for facilities" section and click Apply

Configure SSL VPN to use inWebo

1. Navigate to Remote Access > SSL > Profile

2. Click on New Remote Access Profile

3. Make the following setting:

   • Define a profile name

   • User and Groups: Radius Users

   • Local Network: Local networks which should be accessible for the selected SSL clients via the SSL VPN tunnel

4. Click Save

Configure the SSL VPN client in Windows environment

1. Log in with an inWebo authenticated account via the Sophos UTM User Portal

2. Navigate to the Remote Access tab

3. Download and install the client package

Testing RADIUS inWebo authentication with the SOPHOS user portal

To test your setup, attemp to log in to Sophos User Portal as a user enrolled in inWebo with an authentication device (mobile or desktop token).

Indicate your login (username) and a correct OTP in Radius standard mode or a random character in Radius "push" mode.

In Radius push mode you'll receive a notification on your mobile/desktop device as you can see in the screenshot below:

Testing RADIUS inWebo authentication with the SOPHOS SSL VPN client 

To test your setup, attemp to log in to Sophos SSL VPN client as a user enrolled in inWebo with an authentication device (mobile or desktop token).

Enter your login (username) and an OTP as a password in Radius standard mode or leave the password empty in Radius "push" mode.

In Radius push mode you'll receive a notification on your mobile/desktop device as you can see in the screenshot below: