Sophos UTM 2FA

Sophos UTM firewall can be configured to use Azure MFA for Two-Factor authentication.

After installing the NPS extension for Azure MFA with the help of Microsoft's excellent guide (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension), you only need to define a couple of settings on the UTM and enable policies on the NPS server to get it working.

Unfortunately I was only able to set it up using PAP as the authentication method. I believe this is a limitation of the UTM.

Here are the steps I took to accomplish this.

First, add your Sophos UTM as a RADIUS client on the NPS server.

I am assuming that the NPS server is located at IP address 192.168.100.100 and that the Sophos UTM is used as the gateway for this network, with IP address 192.68.100.1.

Add the Sophos UTM firewall as a RADIUS client. Use the UTM's IP on this network as the client IP. Select a long shared secret (the UTM supports up to 48 characters).

Next, create a connection request policy for the UTM.

Select "Authenticate requests on this server".

Under Conditions, add the UTM's IP as the Client IP.

Leave the rest of the settings at their defaults.

Next you'll have to create a Network Policy for the SSL VPN authentication traffic.

I created one policy for each service for which I want to use RADIUS authentication.

Again we'll use the UTM's IP as the client IP, and I also added a user group check for VPN-enabled users. Use "ssl" as the NAS Identifier.

Under Authentication Methods, select only PAP. Select No on the security warning.

Leave the rest of the settings at their defaults.

Now log in to the UTM and navigate to Definitions & Users -> Authentication Services -> Servers.

Add a new authentication server and select RADIUS as the backend type. Select the Network Policy Server as the server, or create a new network host object for it.

Use the same 48-character shared secret. Expand the advanced settings and change the timeout to 60 seconds.

You can see the NAS Identifiers used by the individual services in the NAS Identifier dropdown.

That's it. Now you should have an Azure MFA-enabled SSL VPN set up. To enable MFA for other services, just create another network policy and use a different NAS Identifier.
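As an added example (not part of the original post, and not Sophos or Microsoft code): a minimal Python RADIUS client that builds the PAP Access-Request the UTM sends to NPS with the NAS-Identifier "ssl" the network policy matches on, checks the Response Authenticator on the reply, and waits the full 60 seconds for the MFA push. The pap_decode function shows the caveat behind the PAP-only limitation and the long shared secret: under PAP the password is only XOR-masked with MD5 of the shared secret, so anyone holding the secret can recover it. The addresses, user name and secret are constructed placeholders.

```python
import hashlib
import os
import socket
import struct
# RFC 2865 packet codes and the attribute types the NPS policies above match on.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode: whoever holds the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # type, length, value

def build_access_request(ident, user, password, secret, nas_ip, nas_id, authenticator=None):
    """Access-Request as the UTM would send it: PAP password plus NAS-IP and NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: Response Authenticator = MD5(code+id+length+request auth+attrs+secret)."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected

def send_request(packet: bytes, server: str, timeout: float = 60.0) -> bytes:
    """UDP to NPS port 1812; the 60 s timeout matches the UTM setting and covers the MFA push."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # raises socket.timeout if no answer arrives in time
        sock.sendto(packet, (server, 1812))
        return sock.recvfrom(4096)[0]
```

To exercise a policy, build the packet with the UTM's address as nas_ip, pass it to send_request(packet, "192.168.100.100"), then confirm verify_reply returns True and reply[0] == ACCESS_ACCEPT.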

Secure access to Sophos Firewall XG RADIUS with SAASPASS multi-factor authentication (MFA) and secure single sign-on (SSO), and integrate it with SAML in no time and with no coding. Log into your Sophos Firewall XG RADIUS services securely without ever having to remember passwords, on both your computer and mobile, with SAASPASS Instant Login (Proximity, Scan Barcode, On-Device Login and Remote Login).

You can enable Sophos Firewall XG RADIUS login with SAASPASS secure single sign-on (SSO) and give your users the ability to log in to Sophos Firewall XG RADIUS and other SAASPASS-integrated apps, all at once.

Two-step verification and secure single sign-on with SAASPASS will help keep your firm’s Sophos Firewall XG RADIUS access secure.

You can integrate SAASPASS with Active Directory. SAASPASS supports SAML and RESTful APIs as well.

The SAASPASS app works on nearly every device on the market today: Android phones, Android tablets, iPhones, iPads, BlackBerrys and Java ME feature phones.