XG Firewall can transparently authenticate users who have already authenticated via an external RADIUS server. RADIUS SSO (RSSO) is relatively simple because the XG Firewall does not interact with the RADIUS server; it only monitors the RADIUS accounting requests that the RADIUS server forwards (originating from the RADIUS client). These requests include the user's IP address and username. The RADIUS server is configured as an accounting proxy to forward accounting packets to the XG Firewall.
This article describes the steps to configure Single Sign On for APX wireless users already authenticated via a RADIUS server.
Applies to the following Sophos products and versions: Sophos XG Firewall v17.5 MR6 and APX
When a user connects to a WPA/WPA2 Enterprise SSID and is successfully authenticated via an external RADIUS server, the access point sends an accounting request to the RADIUS accounting server. The RADIUS accounting server is configured as a RADIUS proxy to forward the accounting requests to the XG Firewall. The XG Firewall takes the username and IP address from the accounting request and logs the user in, so the user can access the Internet or network resources without being asked for credentials.
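To make concrete what the firewall actually consumes from the proxied traffic, here is an added example (not Sophos code, and not how the XG Firewall is implemented) that builds and parses an RFC 2866 Accounting-Request the way an RSSO listener would: it verifies the packet's Request Authenticator against the shared secret, so that a packet from a host that does not hold the secret is rejected rather than turned into a user login, and then extracts User-Name, Framed-IP-Address and Acct-Status-Type. The username, IP address, session id and secret are constructed sample values. A packet without Framed-IP-Address (the situation the accounting start delay described later exists to avoid) is rejected as unusable for SSO.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS constants from RFC 2865/2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1) | Length (1) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(identifier, secret, attributes):
    """Build an Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Validate framing and the authenticator, then return (identifier, attrs)."""
    if len(packet) < 20:
        raise ValueError("packet too short for a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet) or length > 4096:
        raise ValueError("length field does not match datagram")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    # Reject packets whose authenticator was not computed with our shared secret
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return identifier, attrs


def sso_mapping(packet, secret):
    """Derive (status, username, ip) as an RSSO listener would; raise if any is missing."""
    _, attrs = parse_accounting_request(packet, secret)
    try:
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]
        username = attrs[ATTR_USER_NAME][0].decode("utf-8")
        # Framed-IP-Address is a packed 4-byte IPv4 address
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS][0]))
    except KeyError as missing:
        raise ValueError(f"accounting request lacks attribute type {missing}")
    return ACCT_STATUS.get(status, "Unknown"), username, ip


# Constructed sample values (hypothetical user, address and secret)
SAMPLE_SECRET = b"testing123"
SAMPLE_START = build_accounting_request(7, SAMPLE_SECRET, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.2").packed),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.50").packed),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ATTR_ACCT_SESSION_ID, b"sess0001"),
])
# Same client before DHCP finished: no Framed-IP-Address yet
SAMPLE_START_NO_IP = build_accounting_request(8, SAMPLE_SECRET, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
])

if __name__ == "__main__":
    print(sso_mapping(SAMPLE_START, SAMPLE_SECRET))
```

The Start packet yields ("Start", "alice", "192.168.1.50"), which is exactly the username-to-IP binding the firewall needs; the same packet checked with a different secret, or the early Start without a framed address, raises instead of producing a login.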
Go to Configure > Authentication > Servers to add a RADIUS Server.
Go to Configure > Authentication > Services, under SSO using RADIUS Accounting Request, configure the XG Firewall as the RADIUS client.
Go to Wireless > Wireless settings to define the RADIUS server.
Go to Administration > Device access to enable RADIUS SSO service on LAN and WiFi zones.
Go to Firewall to add a User/network rule allowing traffic from LAN to WAN zones with identity match.
Go to the XG Firewall's console to configure a delay for the accounting start. The radius_accounting_start_delay parameter sets the delay, in seconds, before 802.1X accounting starts for a WiFi client. Set the value (0 to 60 seconds) according to your DHCP response time, so that the WiFi client receives its IP address before accounting starts: WiFi SSO takes the framed IP address from the accounting start message and uses it to log the user in to the XG Firewall. The following command sets a 30-second delay:
system wireless-controller global radius_accounting_start_delay 30
Note: The RADIUS SSO feature is ONLY supported on APX models.