This article explains how to fix issues with the RADIUS authentication used for wireless protection when the RADIUS server is connected via an IPsec tunnel.
Applies to the following Sophos products and versions: Sophos Firewall
The Access Point (AP) sends authentication requests from its own IP address, which is not part of the IPsec tunnel configuration, so the requests cannot reach the RADIUS server.
In this case you may see the following message within the wireless log:
hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
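A diagnostic check for the symptom above, added here as an example and not Sophos code: it counts the resend messages per station in the wireless log and tests whether a packet from the AP to the RADIUS server matches the tunnel's networks. The subnets, the AP address and the RADIUS server address are assumed sample values.

```python
import ipaddress
import re
from collections import Counter

# Matches the hostapd line quoted in the article.
RESEND_RE = re.compile(
    r"hostapd: (?P<iface>\S+): STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"RADIUS: Resending RADIUS message",
    re.IGNORECASE,
)

def resend_counts(log_lines):
    """Count RADIUS retransmissions per (interface, station MAC)."""
    counts = Counter()
    for line in log_lines:
        m = RESEND_RE.search(line)
        if m:
            counts[(m["iface"], m["sta"].lower())] += 1
    return counts

def covered_by_tunnel(src_ip, dst_ip, local_nets, remote_nets):
    """True if a src->dst packet matches the tunnel's local/remote networks."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    src_ok = any(src in ipaddress.ip_network(n) for n in local_nets)
    dst_ok = any(dst in ipaddress.ip_network(n) for n in remote_nets)
    return src_ok and dst_ok

# Constructed sample data (not from a real system).
SAMPLE_LOG = [
    "hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message",
    "hostapd: wlan0: STA 8c:70:5a:89:84:c0 IEEE 802.11: associated",
    "hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message",
    "hostapd: wlan1: STA 00:11:22:33:44:55 RADIUS: Resending RADIUS message",
]
LOCAL_NETS = ["192.168.10.0/24"]  # assumed tunnel local subnet
REMOTE_NETS = ["10.20.0.0/24"]    # assumed tunnel remote subnet
AP_IP = "192.168.50.2"            # assumed AP address, outside LOCAL_NETS
RADIUS_IP = "10.20.0.5"           # assumed RADIUS server behind the tunnel

if __name__ == "__main__":
    for (iface, sta), n in resend_counts(SAMPLE_LOG).items():
        print(f"{iface} {sta}: {n} RADIUS resend(s)")
    if not covered_by_tunnel(AP_IP, RADIUS_IP, LOCAL_NETS, REMOTE_NETS):
        print(f"{AP_IP} -> {RADIUS_IP} does not match the tunnel networks")
```

Stations that only ever log resends, combined with an AP address that fails the tunnel check, point to the cause described above rather than to a wrong shared secret or an unreachable server.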
A MASQ policy is needed on the Sophos XG Firewall so that traffic coming from the LAN network on the RADIUS port and going to the LAN interface is translated to the WAN interface.
To create a MASQ rule, proceed as follows: