Sophos XG with heartbeat work with Cisco WAP581 Access point Radius server

Hi all,

We use Sophos firewall SG210 on XG platform and heartbeat enabled with firmware 17.0.3 MR-3 and existing firewall rules includes if user laptops don't have have green heartbeat, they cannot access servers on premises such as active directory.

We recently deployed Cisco Access points WAP 581 with Authentication using Radius server ( installed on the same server as Active directory). When users are to connect to WiFi, it requires to connect to radius server for authentication before establish wireless connection to the network. However before laptops can connect to the Sophos central which is in the cloud to report health status to the firewall gateway, XG firewall wouldn't permit the client to access to the active directory server, as a result the client fails to connect to the wireless network.

Can anyone shed any light on this topic?

Many thanks in advance.

Steve Wang

  • Hi Steve ,

    In this case you may need to create a rule to allow the connection to ADserver without any heartbeat option enabled . You may allow the port used for communication between ADS. Bypass Ports UDP:1813 and UDP:1812.

    Once Authenticated there shouldm't be any issue.

  • In reply to Aditya Patel:

    Thanks for your help Aditya.

    We have just identified that the authentication to the radius server has nothing to do with heartbeat. It was resolved by adjusting the Cisco AP settings.

     

    Thanks again for your comments.

    Best,

    Steve

  • Steve,

    For clarification, Sophos Security Heartbeat only works with the products of the Sophos Central suite; such as:  Secure Wi-fi and Sophos End Point Protection.  As you have probably guessed, Security Heartbeat is similar to an advanced smart ping between Sophos Central and the Sophos Central products.  That's all it is.  Security Heartbeat doesn't affect network communications.  It merely checks communication between specific Sophos products and the Sophos cloud coordinator.

    With that in mind, realize three things:

    1. Depending on how your other security features are setup, a laptop without Sophos End Point Protection may still be able to reach Active Directory and attempt to log in.

    2. The loss of internet connection may cause your laptops to lose authentication with your network, or it may only prevent new laptops from logging in while the internet is out.  The internet failure may also allow all laptops to reach AD.  You may want to test this, so you know what will happen if you lose ISP Service or lose power to your internet modems.

    3. Your laptops don't connect to Sophos Central.  Your laptops connect to your network via multiple network and access protocols.  Sophos Central only talks to Sophos Central products, such as the End Point Protection to help the End Point protection decide which malware, ports, and communication packets to block.  Sophos Central and Sophos End Point Protection don't authorize, assign, or modify your access protocols.  Sophos End Point Protection merely allows or blocks communication between your laptops and connections to networks, peripherals, and serial devices.

    I hope this helps