Configure the Sophos UTM gateway

In this task, you configure Sophos UTM to use the Sophos UTM RADIUS OIN app.

Steps

There are four parts to this configuration:

  1. Enable automatic user creation
  2. Configure a New Authentication Server
  3. Create a RADIUS Backend Group
  4. Allow group access to resources

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Enable automatic user creation

  1. Sign in to the Sophos UTM Web Admin console with sufficient privileges.
  2. Navigate to Definitions & Users > Authentication Services, and then click Add to define a new RADIUS server.
  3. On the Global Settings tab check the box to Create users automatically, as shown below.

  4. In the Automatic User Creation for Facilities section, check the facilities appropriate for your environment, as shown above.

    Recommendation: Select Client Authentication and End-User Portal.

Configure a New Authentication Server

  1. In the Sophos UTM Web Admin console, navigate to Definitions & Users > Authentication Services, and select the Servers tab. The screen shown below opens.

  2. Click the New Authentication Server... button.

  3. Enter the following information:
    • Backend: RADIUS
    • Position: Top

    Server

    • Name: Unique and appropriate name; for example OktaMFA
    • Type: Host
    • IPv4 address: IP address of the Okta RADIUS Server Agent

    Advanced

    • Interface: The appropriate interface for your environment
    • Port: The UDP Port defined in Part 2, step 3, above; for example, 1815
    • Shared Secret: The Secret Key defined in Part 2, step 3, above

    Advanced

    • Authentication timeout (sec): 60
  4. When done, click Save.
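Before pointing the UTM at the agent, it helps to confirm that the UDP port, shared secret and timeout you just entered actually produce a valid exchange. The following is an added example (not Okta's or Sophos's code) that does on the wire what the UTM's RADIUS backend does: it builds an RFC 2865 Access-Request with a PAP-obfuscated password, sends it to the agent, and only trusts the reply if its Response Authenticator was computed with the same shared secret. The host IP and secret are constructed placeholders; the port 1815 and the 60-second timeout are the values this guide uses.

```python
import hashlib
import os
import socket
import struct

# Constructed example values; replace with the UDP port and shared secret noted under "Before you begin".
RADIUS_HOST = "192.0.2.10"     # placeholder IP of the Okta RADIUS Server Agent
RADIUS_PORT = 1815             # the UDP port this guide uses as its example
SHARED_SECRET = b"example-secret"
TIMEOUT_SEC = 60               # same value as the Authentication timeout configured above

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(username: str, password: str, secret: bytes, ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Code 1 Access-Request carrying User-Name (type 1) and a PAP User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)   # 16 random bytes; a fixed value is only for tests
    name, pw = username.encode(), pap_encrypt(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name + struct.pack("!BB", 2, 2 + len(pw)) + pw
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def make_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a correctly behaving server returns: Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if its ID matches ours and it was computed with our shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    return make_response(request, response[0], secret, response[20:]) == response

def check_radius_server(username: str, password: str) -> str:
    """Send one Access-Request; 'challenge' means Okta is prompting for an MFA factor (hence the long timeout)."""
    req = build_access_request(username, password, SHARED_SECRET)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT_SEC)
        sock.sendto(req, (RADIUS_HOST, RADIUS_PORT))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not verify_response(req, resp, SHARED_SECRET):
        return "bad-authenticator"   # shared secret mismatch, or the reply did not come from the agent
    return {2: "accept", 3: "reject", 11: "challenge"}.get(resp[0], "unknown")
```

A "bad-authenticator" result with the agent reachable almost always means the secret typed into the UTM differs from the one configured on the agent; "timeout" points at the port or interface selection.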

Create a RADIUS Backend Group

  1. In the Sophos UTM Web Admin console, navigate to Definitions & Users > Users & Groups, and select the Groups tab. The screen shown below opens.

  2. Click New Group...
  3. Enter the following information in the Add Group section:
    • Group Name: Unique and appropriate name, such as Okta RADIUS Users
    • Group Type: Backend Membership
    • Backend: RADIUS
  4. Click Save to save the settings.

Allow group access to resources

  1. In the Sophos UTM Web Admin console, navigate to Remote Access, and select the desired connection method. The screen shown below opens.

  2. Click New HTML5 VPN Portal Connection... or use an existing connection.
  3. Add the group you created in Part 3 (Create a RADIUS Backend Group) to the Users and Groups or Allowed Users (Userportal) list.