This documentation describes how to configure Sophos XG SSL VPN with inWebo RADIUS connector.

Prerequisites

  • Administrator access to your Sophos XG firewall,

  • Administrator access to your inWebo account,

  • UDP traffic on port 1812 must be allowed from the Sophos XG firewall to the inWebo Radius server.

Step 1: configure inWebo Radius Connector

  • Log in to the inWebo administration console http://www.myinwebo.com/console.

  • Go to Secure site tab > Connector > Add a connector of type Radius Push

  • Specify the settings:

| Setting | Description |
| --- | --- |
| IP Addresses | IP of the public interface of your Sophos XG server (or NAT address if behind a firewall) |
| Radius Secret | Secret shared between Sophos XG and the inWebo Radius server. It will be used in the Sophos configuration. |

  • Click on Add.

Please note that any configuration / update of inWebo Radius Push connector will be applied within the hour.

Step 2: configure the Sophos XG SSL VPN

Add a new Radius server 

  • Go to Authentication > Servers and click Add 

  • Specify the settings:

Use the default value for any setting not listed below.

| Setting | Description |
| --- | --- |
| Server type | RADIUS server |
| Server name | inWebo_RADIUS |
| Server IP | inWebo provides two Radius server pools. Each Radius server pool load-balances the workload across several Radius servers located in different datacenters: |
| Enable accounting | empty |
| Accounting port | empty |
| Shared secret | <inWebo RADIUS server shared secret> (The shared secret that is configured on the inWebo Radius connector) |
| Group name attribute | any |

  • Click on Test connection to validate the user credentials and check the connection to the server.

  • Click on Save.

Set authentication method for SSL VPN

To query the inWebo Radius server, set it as the authentication method for SSL VPN.

  • Go to Authentication > Services

  • Check that the inWebo RADIUS server is selected in the SSL VPN authentication methods and that it is at the top of the list.

  • Click on Apply

Testing inWebo authentication with SSL VPN client

In this test, the test user account is “mytest”.

This account was previously registered in inWebo and exists in the Sophos directory as well. Furthermore, it has an inWebo Authenticator enrolled (mobile/desktop).

Check that the test user is listed in the Policy members of the SSL VPN (remote access):

Go to VPN > SSL VPN (remote access) > Identity > Policy members > Add new item (if the user is not present)

  1. Enter your login (mytest) and, as the password, an OTP in Radius standard mode or a random character in Radius "push" mode.

  2. In Radius push mode, the user receives a notification on their mobile/desktop device. The user enters their PIN code (second factor authentication) to generate an OTP.

  3. User is connected
