Sophos Integration with AuthPoint

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for your Sophos UTM Virtual Appliance with AuthPoint as an identity provider. Your Sophos UTM Virtual Appliance must already be configured and deployed before you set up MFA with AuthPoint.

Your Sophos UTM Virtual Appliance can be configured to support MFA in several modes. For this integration, we set up RADIUS with AuthPoint.

This integration was tested with version 9.5 of Sophos UTM Virtual Appliance.

Sophos UTM Virtual Appliance Authentication Data Flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers with the RADIUS protocol. This diagram shows the data flow of an MFA transaction for a Sophos UTM Virtual Appliance.

Before You Begin

Before you begin these procedures, make sure that:

  • You have installed and configured the AuthPoint Gateway (see About Gateways)
  • End-users can log in to the Sophos UTM Virtual Appliance
  • A token is assigned to a user in AuthPoint

Configure Sophos UTM Virtual Appliance

Add a RADIUS Authentication Server

To use RADIUS authentication with Sophos UTM Virtual Appliance, a RADIUS server (AuthPoint Gateway) must be created in the RADIUS Authentication configuration.

  1. Log in to the Sophos UTM Virtual Appliance web UI.
  2. Select Definitions & Users > Network Definitions.
  3. Click New Network Definition.
  4. In the Name text box, type a name for the RADIUS server.
  5. From the Type drop-down list, select Host.
  6. In the IPv4 address text box, type the IP address of the RADIUS server (AuthPoint Gateway).
  7. Click Save to add the new network definition.
  8. Select Definitions & Users > Authentication Services > Servers.
  9. Click New Authentication Server.
  10. From the Backend drop-down list, select RADIUS.
  11. For Server, select the RADIUS server network definition you added.
  12. In the Port text box, type the port the RADIUS server (AuthPoint Gateway) uses to communicate with the RADIUS client (Sophos). The default ports are 1812 and 1645.
  13. In the RADIUS Shared Secret text box, type a shared secret.
  14. In the Authentication timeout text box, type 60.
  15. Click Save to save the settings.

Configure Authentication Services

  1. Select Definitions & Users > Authentication Services.
  2. Select the Global Settings tab.
  3. Select the Create users automatically check box.
  4. Click Apply.
  5. Select Management > User Portal.
  6. Select the Global tab.
  7. Enable the End-User Portal slider.
  8. Choose your Allowed Networks for SSLVPN client users.
  9. Select the Allow all users check box.
  10. Click Apply.

Configure Remote Access SSL Settings

  1. Select Remote Access > SSL.
  2. Select the Profiles tab.
  3. Click New Remote Access Profile to add a new remote access profile for SSLVPN client users.
  4. In the Profile name text box, type a name.
  5. For Users and Groups, select Radius Users.
  6. For Local Networks, select InternalNetwork.
  7. Click Save to save the settings.
  8. Select the Settings tab.
  9. Configure Server Settings and Virtual IP Pool settings (use the default settings).
  10. Select the Advanced tab.
  11. Configure SSL Advanced Settings (use the default settings).

Configure AuthPoint

Before AuthPoint can receive authentication requests from Sophos UTM Virtual Appliance, you must specify the Sophos client as a RADIUS resource in AuthPoint. You must also assign the Sophos resource to the AuthPoint user group that will authenticate through Sophos.

Add a RADIUS Resource in AuthPoint

From the AuthPoint management UI:

  1. From the navigation menu, select Resources.
  2. From the Choose a Resource Type drop-down list, select RADIUS Client. Click Add Resource.
  3. Configure the settings for all options on the RADIUS page.

Add an Access Policy to AuthPoint

You must have at least one user group in AuthPoint for authentication with Sophos UTM Virtual Appliance, and you must assign an access policy for the Sophos UTM Virtual Appliance resource to that group. If you already have a group, you do not have to add another group.

In the AuthPoint management UI:

  1. From the navigation menu, select Groups.
  2. To add a new group, click Add Group. If you already have a group that you want to use, select the group to edit it.
  3. In the Name text box, type a descriptive name for the group.
  4. (Optional) In the Description text box, type a description of the group.
  5. In the Access Policy section, click Add Policy.
  6. In the Add Policy dialog box, from the Resource drop-down list, select the resource you want to add an access policy for.
  7. (Optional) To require that users type their password before they authenticate for this resource, select the Require Password Authentication toggle.
  8. Select the authentication options that users in this group can choose from when they authenticate.

    For SAML resources, if you select more than one authentication option, users must choose one of the available options when they authenticate. For example, if you select OTP and Push, users can choose to type their OTP or approve a push to authenticate. You cannot require that they do both.

  9. Click Add.
  10. (Optional) Add one or more safe locations to your group. For more information about safe locations and detailed instructions to add them, see About Safe Locations.
  11. Click Save.

Before you assign users to a group, you must add them to AuthPoint. You can manually add user accounts or import user accounts from your LDAP database. For more information on how to add user accounts, see Add User Accounts.

Bind the RADIUS Resource to a Gateway

To use RADIUS authentication with AuthPoint, you must have the AuthPoint Gateway installed on your corporate network and you must assign your RADIUS resources to the Gateway in the AuthPoint web UI. The Gateway functions as a RADIUS server. For more information, see About Gateways.

  1. From the navigation menu, select Gateway.
  2. Select the Name of the Gateway.
  3. In the RADIUS section, in the Port text box, type the port number used to communicate with the Gateway. The default ports are 1812 and 1645.
  4. In the Select a RADIUS resource drop-down list, select your RADIUS client resource.
  5. Click Save.

Test the Integration

To test the integration of AuthPoint and the configuration of Sophos, you can authenticate with a mobile token on your mobile device. For RADIUS resources, you can choose one-time password or push.

In this example, we show the one-time password authentication method.

Before we use the Sophos SSLVPN client application program to set up the SSL VPN connection, we need to set up a remote access SSL VPN configuration for the SSL VPN client from the User Portal.

  1. Log in to the Sophos UTM Virtual Appliance User Portal at https://<IP address of Sophos UTM Virtual Appliance>:443.
  2. In the Username text box, type your AuthPoint user name.
  3. In the Password text box, type your AuthPoint password followed by the OTP for your token from the AuthPoint mobile app.
  4. Click Login.
  5. Select Remote Access.
  6. Click Download to download the SSL VPN package (in this example, we download the installation file that updates all keys and the configuration).
    • If you have not installed the SSL VPN client application, download the complete installation package that includes the client software, keys, and automatic configuration.
    • If you have already installed the SSL VPN client application, download the installation file that updates all keys and the configuration on your system.
  7. Click Log out after you download the file.
  8. Run the Sophos SSLVPN conf application to set up the remote access SSL VPN configuration for the SSL VPN client on your computer.
  9. Click Browse and select a destination folder for the SSL VPN client configuration setup application. This must be the same folder as the Sophos SSL VPN client installation folder.
  10. Click Close when the installation is complete.
  11. Run the Sophos SSLVPN application program.
  12. Right-click the Sophos SSL VPN application in the task bar and select [your user name] > Connect.
  13. In the Username text box, type your AuthPoint user name.
  14. In the Password text box, type your AuthPoint password followed by the OTP for your token. You can see your OTP in the AuthPoint mobile app.
  15. Click OK.
    You are now connected.
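To make concrete what the RADIUS client (Sophos) sends to the Gateway in this setup, here is an added Python example, not code from the page, WatchGuard or Sophos: it builds an Access-Request whose User-Password attribute carries the password and OTP concatenated, obfuscated with the shared secret as RFC 2865 specifies, and shows how the server side recovers and splits them. The shared secret, user name, password and OTP are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample value; it must match the Sophos "RADIUS Shared Secret" and the Gateway's secret.
SHARED_SECRET = b"example-shared-secret"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding (passwords ending in NUL are not supported)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: str, password: str, otp: str, secret: bytes, identifier: int = 1) -> bytes:
    """Access-Request as the RADIUS client sends it: User-Name (type 1) and User-Password (type 2) = password + OTP."""
    authenticator = os.urandom(16)                      # fresh random Request Authenticator
    hidden = hide_password((password + otp).encode(), secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username.encode()
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))  # Code 1 = Access-Request
    return header + authenticator + attrs

def parse_credentials(packet: bytes, secret: bytes, otp_len: int = 6) -> tuple[str, str, str]:
    """Server side: walk the TLV attributes, recover User-Password with the shared secret, split off the trailing OTP."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, username, hidden = packet[4:20], 20, b"", b""
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == 1:
            username = value
        elif attr_type == 2:
            hidden = value
        pos += attr_len
    combined = reveal_password(hidden, secret, authenticator).decode()
    return username.decode(), combined[:-otp_len], combined[-otp_len:]
```

A mismatched shared secret on either side yields garbage from `reveal_password`, which is why the Sophos and Gateway secrets must be typed identically before testing the login.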