This article explains how to fix issues with Radius Authentication used for Wireless Protection when the Radius server is connected via an IPSec tunnel.
You are using a Radius server which controls the authentication for the AP. This Radius server is connected via a IPSec-tunnel to the UTM.
The AP sends requests for authentication with the IP of the Access Point. This IP is not part of the IPSec tunnel configuration so the request can not reach the Radius server.
In this case you will probably see the following message within the wireless.log:
hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
First seen in
Sophos UTM 9.104
You have to create a SNAT rule on the UTM so everything coming from the LAN network with the RADIUS port going to the LAN interface will be translated to the WAN interace.
To create such a SNAT rule proceed as follows
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.