Sophos Firewall - RADIUS Configuration - Authentication Manager - RSA Ready Implementation Guide

This article describes how to integrate Sophos Firewall with RSA Authentication Manager using RADIUS.

  

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager using RADIUS.

Procedure

  1. Sign in to Security Console.
  2. Navigate to RADIUS > RADIUS Servers and make a note of the IP address of the selected RADIUS server. This address will be used later in the Sophos Firewall configuration.
  3. Navigate to RADIUS > RADIUS Clients and click Add New.
  4. On the Add RADIUS Client page, enter the following details:
    1. Client Name: Enter a descriptive name for the RADIUS client.
    2. IPv4 Address: Enter the IP address of the RADIUS client (IP address of Sophos Firewall). 
    3. Make/Model: Select Standard Radius in the drop-down list. 
    4. Shared Secret: Create and enter a secure shared secret. This secret will be used for secure communication between the RADIUS client and the RADIUS server.
  5. Click Save & Create Associated RSA Agent.
  6. On the Add New Authentication Agent page, click Save, and then confirm by clicking Yes, Save Agent.

  

Notes

  • RSA Authentication Manager RADIUS server listens on ports UDP 1645 and UDP 1812.
  • The relationship of agent host record to RADIUS client in the Authentication Manager can be 1 to 1, 1 to many, or 1 to all (global).
  • Shared Secret must be an alphanumeric string between 1 and 31 characters in length and is case-sensitive.
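
How the shared secret from step 4 is used on the wire, as an added Python example that is not part of RSA's or Sophos's material: it generates a secret within the limits in the Notes, hides a password as RFC 2865 specifies, and shows that a reply signed with a secret differing only in letter case fails the authenticator check. The user name, passcode and function names are constructed for illustration.

```python
import hashlib, hmac, os, secrets, string, struct

ALPHANUM = string.ascii_letters + string.digits
MAX_LEN = 31  # upper bound from the Notes above

def new_shared_secret(length=MAX_LEN):
    """Random alphanumeric secret within the 1-31 character limit."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and 31")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-byte blocks with chained MD5(secret + previous)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, (len(password) + 15) // 16 * 16)
    data, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, request_auth):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def sign_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def response_is_authentic(response, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured secret."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = new_shared_secret().encode()       # constructed sample values below
    auth = os.urandom(16)
    request = build_access_request(b"jdoe", b"constructed-passcode", secret, 7, auth)
    accept = sign_response(2, 7, auth, secret)  # code 2 = Access-Accept
    print(len(request), response_is_authentic(accept, auth, secret))
    print(response_is_authentic(accept, auth, secret.swapcase()))  # case mismatch
```

Because the secret is the only key material in both computations, a secret shorter than the 31 characters the Notes allow weakens both the password hiding and the reply check.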

   

Configure Sophos Firewall 

Perform these steps to configure Sophos Firewall as a RADIUS client to RSA Authentication Manager.

Procedure

  1. Log in to the Admin portal of Sophos Firewall.
  2. In the left pane, select Authentication.
  3. On the Authentication tab, choose Add to add a new RADIUS authentication server.
  4. On the Add external server screen, fill in the required details:
    1. Server type: Choose RADIUS server in the drop-down list.
    2. Server name: Choose a name for the RADIUS server.
    3. Server IP: The IP address of the RADIUS server. This should be the IP of the RADIUS server on RSA Authentication Manager.
    4. Time-out: Increase the timeout to 15 seconds.
    5. Shared secret: Choose the same secret as the one configured earlier in RSA.
    6. Group name attribute: This field specifies which RADIUS attribute Sophos should read to determine the user’s group membership. It allows dynamic user-to-group mapping based on RADIUS responses. This helps apply that group’s access controls, time policies, and bandwidth.
  5. Click Test connection.
  6. Once the test is successful, click Save.
  7. Under Authentication, navigate to the Services tab. 
  8. Depending on your organization’s specific use case, edit the Authentication methods to include the newly created RADIUS server from the Authentication Server list under Selected authentication server. You can change the priority of the authentication methods by reordering them in the list.
  9. To configure Sophos Firewall for SSL VPN usage, an SSL VPN policy should be created to control remote VPN connections, the resources they are allowed to access, and how they will be authenticated to the VPN.
    To configure SSL VPN:
    1. In the left pane, select Remote access VPN.
    2. Click the SSL VPN tab and click Add.
    3. Follow the instructions provided on the screen for your preferred configurations and access restrictions. In Step 3, choose your desired users or groups that will be allowed to connect to the VPN and hence authenticate with RSA.
    4. In Step 4, Authentication servers (global setting), choose the configured RSA RADIUS server as the method for authentication for the SSL VPN by clicking the Set authentication method for SSL VPN radio button, and click Next.
    5. Complete the rest of the steps, review the settings, and click Finish. Your SSL VPN is ready now for use, authenticating via RADIUS with RSA.

 

The configuration is complete.