Clientless SSO authentication

Clientless SSO is implemented using the Sophos Transparent Authentication Suite.

The associated workflow is the following:

  1. The user logs on to the Active Directory domain controller from any workstation in the LAN. The domain controller authenticates the user’s credentials.
  2. AD gets the session information and creates a security audit log. Upon successful user authentication, AD creates an event with an ID of 672 (Windows 2003) or 4768 (Windows 2008 and later).
  3. While monitoring the AD server, the agent gets the session information from the event IDs.
  4. At the same time, the agent passes the username and IP address to the collector over the default TCP port (5566).
  5. The collector responds by sending successful authentication updates to the firewall on UDP port 6060.
  6. If the firewall sees traffic from an IP address it has no information about, it can query the collector on port 6677.
  7. A user initiates an internet request.
  8. The firewall matches the user information with its local user map and applies security policies accordingly.

The firewall queries the AD server to determine group membership based on data from the STAS agent. Depending on the data, access is granted or denied. Users logged on to a workstation directly (or locally) but not logged on to the domain aren't authenticated and are considered unauthenticated users. Users that aren't logged on to the domain must authenticate using the captive portal.
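The workflow steps and the user-map lookup above, as an added example that is not part of the original page or of STAS itself: it parses constructed domain-controller event lines for the logon event IDs the agent watches (672 and 4768), builds the username-to-IP map the collector holds, and models the firewall's local map, which queries the collector on a miss and treats an IP it still cannot resolve as unauthenticated. The key=value line format, the machine-account filter and the `query_collector` callback are assumptions for illustration.

```python
import re

# Event IDs the STAS agent watches for on the domain controller (from the page).
LOGON_EVENT_IDS = {672, 4768}

# Constructed sample lines in a simplified key=value form; not real DC output.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=::ffff:10.0.0.12",
    "EventID=4768 TargetUserName=WS01$ TargetDomainName=CORP IpAddress=::ffff:10.0.0.12",
    "EventID=4624 TargetUserName=localadmin TargetDomainName=WS02 IpAddress=10.0.0.20",
    "EventID=672 TargetUserName=bob TargetDomainName=CORP IpAddress=10.0.0.30",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_logon_events(lines):
    """Return {ip: DOMAIN\\user} for domain logon events, as the agent would forward."""
    user_map = {}
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if int(fields.get("EventID", 0)) not in LOGON_EVENT_IDS:
            continue  # e.g. a local-only logon is not a domain authentication
        user = fields["TargetUserName"]
        if user.endswith("$"):
            continue  # assumption: skip computer accounts so they do not mask the user
        ip = fields["IpAddress"].removeprefix("::ffff:")  # 4768 logs IPv4-mapped IPv6
        user_map[ip] = f"{fields['TargetDomainName']}\\{user}"
    return user_map


class FirewallUserMap:
    """Local user map on the firewall; a miss triggers the collector query (port 6677)."""

    def __init__(self, query_collector):
        self.entries = {}
        self.query_collector = query_collector  # stand-in for the port 6677 lookup

    def receive_update(self, ip, user):
        self.entries[ip] = user  # update the collector pushes over UDP 6060

    def identify(self, ip):
        user = self.entries.get(ip)
        if user is None:
            user = self.query_collector(ip)
            if user is not None:
                self.entries[ip] = user
        return user or "unauthenticated"  # unresolved IPs go to the captive portal


def demo():
    collector_map = parse_logon_events(SAMPLE_EVENTS)
    fw = FirewallUserMap(query_collector=collector_map.get)
    fw.receive_update("10.0.0.12", collector_map["10.0.0.12"])  # pushed proactively
    return {ip: fw.identify(ip) for ip in ("10.0.0.12", "10.0.0.30", "10.0.0.20")}
```

`10.0.0.30` is resolved only through the collector query, while `10.0.0.20` (a local logon, event 4624) never enters the map and is reported as unauthenticated.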

STAS network diagram