Radius SSO for APX

Hi all,

Just want to give some feedback about this new feature in V17.5 MR6.

https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-5-mr6-released

Radius SSO authentication between XG and APX

Wireless users can be authenticated using Radius SSO between XG and APX. Now supports framed IP addresses in client accounting messages.

 

 

Had a discussion with  So I wanted to move this into a proper format.

 

Just to be sure, this feature is running smoothly in my setup.

 

It is working like this KBA is telling us: 

https://community.sophos.com/kb/en-us/134148

 

Basically the new APX Firmware adds the Framed IP Address into the Accounting information after a Client is logging into a wireless network. 

https://tools.ietf.org/html/rfc2865

 

XG is NOT intercepting those packets or redirecting those packets.

So we are relying on the Radius Server to "simply" forward that Accounting information back to XG. 

As we are using the already existing SSO mechanism from SFOS.

 

In Server 2016 NPS, you simply create a new Radius Server (as Radius Server Group) and forward that accounting information to XG. 

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-rrsg-configure

https://social.technet.microsoft.com/Forums/ie/en-US/ae9d4097-3fb5-4a75-8631-dbb86cb12077/windows-server-2012-nps-not-forwarding-accounting-messages?forum=winserverNAP

 

XG will pick up this Accounting information (sent by NPS with a proper Shared Secret) and match the framed IP to the matching User name. 
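As an added illustration (not part of the original post, and not Sophos or NPS code), this Python example checks the RFC 2866 Request Authenticator of a forwarded Accounting-Request against the shared secret, then maps Framed-IP-Address to User-Name. The packet builder, the secret, the user and IP values used with it, and the `sessions` table logic are constructed assumptions about how such a receiver could behave.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                       # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
START, STOP, INTERIM_UPDATE = 1, 2, 3        # Acct-Status-Type values


def build_accounting_request(ident, attrs, secret):
    """Build a constructed Accounting-Request, used here only as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_accounting_request(packet, secret):
    """Return {attribute type: value}; raise ValueError if malformed or unauthentic."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]                 # ignore padding past Length
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong shared secret or altered packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def apply_accounting(sessions, packet, secret):
    """Update the hypothetical IP -> user table; return the IP, or None if unusable."""
    attrs = parse_accounting_request(packet, secret)
    ip_raw, user = attrs.get(FRAMED_IP_ADDRESS), attrs.get(USER_NAME)
    if user is None or ip_raw is None or len(ip_raw) != 4:
        return None                          # no framed IP: nothing to match on
    ip = str(ipaddress.IPv4Address(ip_raw))
    status = int.from_bytes(attrs.get(ACCT_STATUS_TYPE, b""), "big")
    if status in (START, INTERIM_UPDATE):
        sessions[ip] = user.decode("utf-8", "replace")
    elif status == STOP:
        sessions.pop(ip, None)
    return ip
```

An accounting message that carries no Framed-IP-Address returns `None` here and leaves the table unchanged, because there is no IP to match the user name to.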

 

  • This is going to be a complaint because after speaking to a Sophos Engineer I realised in my happiness I genuinely was ignoring the APX note.

    Prodman and Dev did the fix for APX only and not for the tens of thousands of AP series units already sold and currently still in their support and sales life.

    So if you have an AP and not an APX, you are still better supported by a third party AP and not a Sophos own brand AP for RADIUS Accounting.

    This, for me, is quite anger inducing.

    Emile