Radius authentication failing Sophos XG and Sophos wireless

Hi Guys,


I need some troubleshooting assistance please. I have 3 Sophos wifi access points connected to a Sophos XG 230 firewall cluster. I have the Guest wifi working on WPA2 Personal but I am unable to get WPA2 Enterprise working with RADIUS authentication to a Windows AD/NPS server.

The test RADIUS connection is successful, so I can connect from the FW to the RADIUS server and authenticate. However, I am unable to connect from a Windows laptop to the secure Wifi. I followed this article - https://community.sophos.com/kb/en-us/132912 - I've reset and restarted this configuration multiple times without any luck. I also logged a case with Sophos support which is still open, but I am not really getting answers from them.

I have now resorted to installing NPS on a second DC and configuring NPS on there, and I still have the same issue (or maybe a similar issue).

This event is logged on the NPS server when I tried to authenticate from the laptop. The firewall is 10.50.10.251 and the DC is 10.50.10.10.

<Event><Timestamp data_type="4">05/30/2019 10:27:12.323</Timestamp><Computer-Name data_type="1">DC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.50.10.10 05/30/2019 00:07:48 45</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1"> domain.local/User Name</Fully-Qualifed-User-Name><Acct-Session-Id data_type="1">C5568A34-0000001F</Acct-Session-Id><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Client-IP-Address data_type="3">10.50.10.251</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XG Firewall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">SFOS-Connectivity to Radius</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1"> domain\user.name</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>


Question 1: Anything in the above log that points to an issue?

Question 2: Will WPA2 Enterprise work if there are issues with the CA/certificates?  How can I disable the certificate check to rule this out?

Question 3: Any advice on how to simplify the Sophos recommended config to troubleshoot?


  • Updated log below. Using an IAS log interpreter it has a connect status of "IAS_Success", but the connection is still failing.


    <Event><Timestamp data_type="4">05/30/2019 11:09:21.745</Timestamp><Computer-Name data_type="1">DomainDC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">user.name</User-Name><NAS-Identifier data_type="1">CorpWiFi</NAS-Identifier><Called-Station-Id data_type="1">82-5A-1C-00-DC-C3:CorpWiFi</Called-Station-Id><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">0</NAS-Port><Calling-Station-Id data_type="1">B8-08-CF-2E-90-5C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info><Acct-Session-Id data_type="1">C5568A34-00000052</Acct-Session-Id><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">10.50.10.251</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XG Firewall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">SFOS-Connectivity to Radius</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">Domain\user.name</SAM-Account-Name><Class data_type="1">311 1 10.50.10.10 05/30/2019 01:08:59 1</Class><Fully-Qualifed-User-Name data_type="1">Domain.local/User Name</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">05/30/2019 11:09:21.745</Timestamp><Computer-Name data_type="1">DomainDC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.50.10.10 05/30/2019 01:08:59 1</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1">Domain.local/User Name</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Acct-Session-Id data_type="1">C5568A34-00000052</Acct-Session-Id><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Client-IP-Address data_type="3">10.50.10.251</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XG Firewall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">SFOS-Connectivity to Radius</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">Domain\user.name</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">05/30/2019 11:09:24.639</Timestamp><Computer-Name data_type="1">DomainDC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">user.name</User-Name><NAS-Identifier data_type="1">CorpWiFi</NAS-Identifier><Called-Station-Id data_type="1">82-5A-1C-00-DC-C3:CorpWiFi</Called-Station-Id><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">0</NAS-Port><Calling-Station-Id data_type="1">B8-08-CF-2E-90-5C</Calling-Station-Id><Connect-Info data_type="1">CONNECT 0Mbps 802.11b</Connect-Info><Acct-Session-Id data_type="1">C5568A34-00000052</Acct-Session-Id><Framed-MTU data_type="0">1400</Framed-MTU><Client-IP-Address data_type="3">10.50.10.251</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XG Firewall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">SFOS-Connectivity to Radius</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">Domain\user.name</SAM-Account-Name><Class data_type="1">311 1 10.50.10.10 05/30/2019 01:08:59 2</Class><Fully-Qualifed-User-Name data_type="1">Domain.local/User Name</Fully-Qualifed-User-Name><Authentication-Type data_type="0">5</Authentication-Type><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">05/30/2019 11:09:24.639</Timestamp><Computer-Name data_type="1">DomainDC-01</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.50.10.10 05/30/2019 01:08:59 2</Class><Session-Timeout data_type="0">30</Session-Timeout><Fully-Qualifed-User-Name data_type="1">Domain.local/User Name</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Acct-Session-Id data_type="1">C5568A34-00000052</Acct-Session-Id><NP-Policy-Name data_type="1">Secure Wireless Connections</NP-Policy-Name><Client-IP-Address data_type="3">10.50.10.251</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">XG Firewall</Client-Friendly-Name><Proxy-Policy-Name data_type="1">SFOS-Connectivity to Radius</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">Domain\user.name</SAM-Account-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
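An added example (not from the poster or from Sophos): a small Python parser for NPS IAS-format XML lines like the ones above. It groups events by Acct-Session-Id and classifies each exchange from its Packet-Type and Reason-Code values, so you can see whether an EAP conversation ever reached an Access-Accept or Access-Reject; the sample lines are constructed and trimmed to the relevant attributes.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# RADIUS packet codes (RFC 2865) as NPS writes them in Packet-Type.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
# NPS Authentication-Type values; 5 is an EAP method such as PEAP-MSCHAPv2.
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None"}

# Constructed sample lines, trimmed to the attributes that matter (not the real log).
SAMPLE_LOG = """
<Event><Acct-Session-Id data_type="1">SESSION-A</Acct-Session-Id><User-Name data_type="1">user.name</User-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Acct-Session-Id data_type="1">SESSION-A</Acct-Session-Id><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Acct-Session-Id data_type="1">SESSION-B</Acct-Session-Id><User-Name data_type="1">other.user</User-Name><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Acct-Session-Id data_type="1">SESSION-B</Acct-Session-Id><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
"""

def parse_event(line):
    """One <Event>...</Event> line -> {attribute name: text}."""
    return {child.tag: (child.text or "").strip() for child in ET.fromstring(line.strip())}

def summarise_sessions(text):
    """Group events by Acct-Session-Id and classify how far each exchange got."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip().startswith("<Event>"):
            ev = parse_event(line)
            sessions[ev.get("Acct-Session-Id", "?")].append(ev)
    result = {}
    for sid, events in sessions.items():
        codes = [int(e["Packet-Type"]) for e in events if "Packet-Type" in e]
        reasons = {int(e["Reason-Code"]) for e in events if "Reason-Code" in e}
        if 2 in codes:
            verdict = "accepted"
        elif 3 in codes or reasons - {0}:
            verdict = "rejected"
        elif 11 in codes:
            # Only Request/Challenge pairs with Reason-Code 0: NPS answered each EAP round
            # and never rejected, so look at the client side (EAP/TLS settings, server
            # certificate trust) and the RADIUS path between AP, firewall and NPS.
            verdict = "eap-incomplete"
        else:
            verdict = "unknown"
        result[sid] = {
            "user": next((e["User-Name"] for e in events if "User-Name" in e), None),
            "auth": AUTH_TYPES.get(int(events[0].get("Authentication-Type", 0)), "?"),
            "packets": [PACKET_TYPES.get(c, str(c)) for c in codes],
            "verdict": verdict,
        }
    return result
```

Run `summarise_sessions(open("IN1906.log").read())` against a real NPS XML log (assumed file name) to get one verdict per session.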

  • In reply to Calyps:

    Hi  

    Thanks for reaching out and my apologies for any inconveniences caused.

    Would it be possible to please PM me with your support case number and contact details so that I can follow up accordingly?

    Regards,

  • I've now also tested from an Android device and in the logs I'm getting "Connect Request = ISA_SUCCESS" and "Connect Result = Unknown".

    But the device still does not establish a connection to the Wifi network.


    Connecting with incorrect details, the connection fails.

  • In reply to Calyps:

    I am really stuck on this and Sophos support has been no help.  

    Can anyone confirm if certificates are still involved if I use EAP-MSCHAP v2 as the authentication method?