Skip to main content

Sophos RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

This step-by-step integration guide illustrates how to configure both SSL VPN and IPSec VPN on Sophos XG Firewall and Arculix RADIUS MFA authentication.


  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the Sophos admin panel.

Arculix RADIUS Agent configuration

To integrate Arculix with your Sophos Firewall, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Sophos Firewall, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:


    The values should be separated by semicolons (;).

    ARA_CLIENTS=<An optional name for your Sophos>;<Internal IP address of your Sophos>;<a shared secret>

    For example, set:

    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

Sophos Firewall configuration

  1. Log in to the Sophos admin portal with an administrative user.

    For example, https://your sophos lan address:4444.

  2. Navigate to Authentication (under CONFIGURE) .

  3. On the Servers tab click ADD.

  4. Change Server type to RADIUS server and then enter your Arculix RADIUS Agent information.

  5. Click Test connection to test your configuration.


    It is important to add an LDAP or Active Directory server in the Servers tab to import groups into Sophos.

    After you add the AD server, click the Import icon to open the Import group wizard help and import groups.

  6. Go to Services tab and navigate to VPN [IPsec/L2TP/PPTP] authentication methods.

    Select the RADIUS Agent items that you added.

  7. Click Apply.

    The authentication type for IPsec will change to RADIUS. If you enable and configure IPsec (remote access) in the VPN section, users can connect via Sophos connect with MFA.

  8. To enable RADIUS authentication on SSL VPN, go to the Services tab and navigate to SSL VPN authentication methods.

    Select the RADIUS-Agent items that you added.

  9. Click Apply.

    The authentication type for SSL VPN will change to RADIUS. If you added and configured SSL VPN (remote access) in the VPN section, users can connect via Sophos connect or Sophos SSL VPN client with MFA.


    To access users on VPN, users must log in to the user portal once. The list of users will then appear in the Users tab.

    For a list of login users in the Sophos user portal, go to the Services tab. In Firewall authentication methods, select the Active Directory that was added in the previous section and drag it up to highest priority.


Test your application integration

  1. On the Sophos Client, click Connect and then enter your username and password.

  2. You will receive a push notification on your Arculix Mobile app to authorize access to your VPN with IPsec or SSL VPN.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.