Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.
RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Acceptto offers a simple solution for adding MFA to Sophos XG Firewall via its Radius solution. This step by step integration instruction illustrates how to configure both SSL VPN and IPSec VPN on Sophos XG Firewall and Acceptto RADIUS MFA authentication solution.
- An Acceptto RADIUS Agent that is configured and connected to your user directory (e.g. Microsoft™ ‘Active Directory™’. See this page for the instruction).
- A user with administrative privileges for the Sophos admin panel.
To integrate Acceptto with your Sophos Firewall, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Sophos Firewall, check with LDAP server to perform primary authentication, and then contact Acceptto cloud service for secondary authentication.
Login to the Acceptto RADIUS Agent with an administrative user and open the radius-agent-config.env file with an editor. It is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.
Go to the bottom of radius-agent-config.env file and change the ARA_CLIENTS attribute as follows. The values should be separated by semicolons (;).
ARA_CLIENTS = An optional name for your sophos; Internal IP address of your Sophos; a shared secret
An example configuration might look like this:
ARA_CLIENTS = Sophos;192.168.1.50/32;testing12345
Save the file and run the following command for set changes:
docker-compose down && docker-compose up -d
Login to the Sophos admin portal (
https://your sophos lan address:4444) with an administrative user.
Navigate to Authentication (under CONFIGURE) .
On the Servers tab click ADD.
Change Server type to RADIUS server and then enter your Acceptto RADIUS Agent information.
After filling all information, click on Test connection to test your configuration.
Note: It is very important that you add LDAP or Active Directory server in the Servers tab to import Groups to Sophos. After adding the AD server, you can import groups with the Import group wizard help that appears by clicking on the import icon on the added active directory server.
Go to Services tab and navigate to VPN [IPsec/L2TP/PPTP] authentication methods. Select the RADIUS-Agent items that have been added before.
Click on Apply. The authentication type for IPSec will change to RADIUS. If you enable and configure IPsec (remote access) in the VPN section, users can connect via Sophos connect with MFA.
For enabling Radius authentication on SSL VPN, go to the Services tab and navigate to SSL VPN authentication methods. Select the RADIUS-Agent items that have been added before.
Click on Apply. The authentication type for SSL VPN will change to RADIUS. If you added and configured SSL VPN (remote access) in the VPN section, users can connect via Sophos connect or Sophos SSL VPN client with MFA.
Notice: To access users on VPN, they must login to the user portal once. The list of users will then appear in the Users tab.
Notice: For login users in Sophos user portal, you must go to Services tab. In Firewall authentication methods, select the Active Directory that was added in the previous section and drag it up to highest priority.
Click Connect on Sophos Client and enter your username and password. You will receive a push notification on your It’sMe mobile application to authorize access to your VPN with IPsec or SSL VPN.
If you require assistance, please email us at email@example.com.
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the Acceptto Corporation.