So I read through the other post to see if I could find some information on why RADIUS for web management isn't working. RADIUS is up, configured and working 100%.
HOWEVER... I have to make the local user first. For example if I want to use RADIUS for domain user user123, I have to make user123 locally on the firewall as an administrator. This kinda defeats the point of RADIUS. Switches have been doing this for years, and same with ASAs. Anyone figure this out?
Are you using an AD to create their user, and is the AD part of the XG?
In reply to rfcat_vk:
So the user exists in AD, and AD is part of the XG, but XG doesn't sync users. When I log into the user portal with user123, user email@example.com is made, but that doesn't work. I have to create a local user for RADIUS. Why would I have to create a user at all?
In reply to Zacharry Williams1:
Please read this KBA and then check the how-to library for other useful documents that might assist you.
Ah, STAS isn't what I want. RADIUS is what I want, just like a switch or an ASA or wireless.
Ah, that's for network, not the web admin.
Opened a ticket with support. We'll see what happens. I was looking at the access_server logs. With no user created in the local database, if an invalid username/password is entered I get a RADIUS message: radiusauth_authenticate_user: Athentication Failed for User: user123.
If the username and password are correct I get a message: handle_pam_authorization: VPN/SSLVPN/MYACC Authorization Failed, result_code=1
Taking a wild guess here, but I'm thinking the radius response isn't being handled properly and is being handed off. Maybe some sort of vendor specific option code or something to designate admin access maybe? I'm wire sharking from NPS right now.
Have you set up RADIUS Accounting properly for SSO?
XG is simply forwarding the RADIUS authentication packets to RADIUS (you should see this in your Wireshark dump).
Afterwards, to get a proper "Live User" in XG, you have to forward the Accounting Information back to XG.
Wireless uses the same technique.
Accounting is the important information. Does your NAC solution, or whatever you use to get the authentication done in RADIUS, actually support accounting?