I just found this; is the bottom solution still correct?
Here is my scenario:
We recently switched over from Smoothwall+Ruckus to Sophos+UniFi for our firewall/Wi-Fi solution.
In the previous config the user would log onto the guest Wi-Fi (we are a school, by the way) and get to a landing page where they would install the Smoothwall cert for HTTPS scanning. There was a link to the Ruckus logon page, where the user logged on using their school username and password, and the user would be authenticated against RADIUS and put in the right filtering group. As far as I remember, Ruckus was set to point to AD for credential checking and then to Smoothwall for RADIUS accounting.
I would like to mirror this with UniFi and Sophos, but I am struggling.
I have RADIUS set up and working with both Sophos and the UniFi controller (I can't see many logs on either of these to help me).
I've tried setting it up as previously, but the user doesn't get put into groups; they get the Sophos logon page.
I've added all the access points, the controller and Sophos to the RADIUS clients section on the Windows server; when I do a test, the logs in Windows show it's successful.
From what I have read, I think I should now point both the RADIUS authentication and the accounting to the Windows server, which will then redirect accounting to the Sophos server to get its groups. I've tried both ways, but neither works.
Can anyone help with some pointers please, or say whether this is actually possible with these two vendors?
Any help would be appreciated.
Hi Simcfc73, I would recommend verifying the given article; Sophos XG can support Sophos AP integration only.
In reply to Keyur:
So are you saying no third party can pass on accounting info to the firewall?
Why does it have SSO using RADIUS accounting request in the authentication section then?
In reply to Simcfc73:
Hi Simcfc73, please refer to https://community.sophos.com/kb/en-us/127328#Adding%20RADIUS%20Server%20on%20the%20Sophos%20Firewall
I am not after authentication, I want accounting working.
This is the same issue which says it should work.
It should work.
I would strongly guess your RADIUS server is not forwarding the proper accounting information.
You need to dump the traffic and check whether the Framed IP packet is correct.
As mentioned, the critical piece of this is whether UniFi sends a standard FRAMED-IP-ADDRESS packet along with the user information; otherwise the XG will just see a username and no associated IP address (I'm assuming you are using an NPS server for AD user authentication).
I've had no problem getting this working on Meraki, Ruckus and Aruba. I've seen that UniFi doesn't (or didn't) send this information, but that's based on an article that is a few years old. I'd be surprised if it didn't do that by now.
In reply to carbon15:
So is the framed packet that Sophos gets coming from the RADIUS server or the UniFi box? I've tried setting it up inside UniFi to point to RADIUS for auth and Sophos for accounting, and also with everything pointing to RADIUS.
Am I looking at the Sophos logs for the framed packets?
This information is sent from the Ubiquiti APs or WLAN controller; it is not added by the NPS server nor by the XG. You want to network-sniff the accounting messages coming into the XG, either from the CLI (tcpdump port 1813) or on a PC that mirrors the XG port; the accounting message is in clear text and easy to understand. If there's no username and IP address of their client, this is more than likely the issue.
I've only ever set it up so that the authentication and accounting messages are forwarded on to the NPS server and, in there, set the forwarding of the accounting messages to the XG.
Alternatively, ask UniFi if their kit sends this information yet; I think it's pretty standard (and basic) stuff, so there's no reason for it not to.
There's a hard limit of 16 RADIUS Accounting hosts you can have on the XG, so you definitely want to forward as much as possible via a single point.
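The replies above come down to one check: does the Accounting-Request that reaches the XG carry both a User-Name and a Framed-IP-Address, and was it signed with the shared secret the XG expects? The following script is an added example written for this thread, not code from Sophos, Ubiquiti or Microsoft NPS. It builds two constructed RFC 2866 Accounting-Request packets (one complete, one missing Framed-IP-Address, the failure mode the thread describes), then parses them the way you would parse a UDP/1813 payload pulled out of a tcpdump capture and reports what the XG would be able to use. The shared secret, username, addresses and session ID are invented.

```python
"""Build and check RADIUS Accounting-Request packets (RFC 2866).

Added example for this thread; not Sophos, Ubiquiti or NPS code.
Everything below (secret, users, IPs) is constructed sample data."""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(atype, value):
    # Attribute = Type(1) Length(1, includes the 2 header bytes) Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_acct_request(secret, ident, attrs):
    """Accounting-Request with a valid Request Authenticator:
    MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse(packet):
    """Split a raw RADIUS payload into (code, id, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def authenticator_ok(packet, secret):
    """Recompute the Request Authenticator; a mismatch means wrong shared secret
    or a tampered packet, and a RADIUS server silently discards the request."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return packet[4:20] == expected


def check_sso_fields(packet, secret):
    """Report whether the packet gives a firewall a user *and* a client IP to map."""
    code, _ident, _auth, attrs = parse(packet)
    result = {"code": code, "status": None, "user": None, "ip": None, "problems": []}
    if code != ACCOUNTING_REQUEST:
        result["problems"].append("not an Accounting-Request")
        return result
    if not authenticator_ok(packet, secret):
        result["problems"].append("Request Authenticator mismatch (wrong shared secret?)")
    for atype, value in attrs:
        if atype == USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP_ADDRESS and len(value) == 4:
            result["ip"] = socket.inet_ntoa(value)
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            result["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "other")
    if result["user"] is None:
        result["problems"].append("no User-Name")
    if result["ip"] is None:
        result["problems"].append("no Framed-IP-Address")
    return result


SECRET = b"constructed-secret"  # constructed; not a real shared secret

# Constructed Start record of the kind the thread says Meraki/Ruckus/Aruba send.
GOOD_START = build_acct_request(SECRET, 7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"jsmith"),
    (FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40")),
    (NAS_IP_ADDRESS, socket.inet_aton("10.20.0.5")),
    (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
    (ACCT_SESSION_ID, b"5f3c0001"),
])

# Constructed Start record with no Framed-IP-Address: user name but no client IP.
NO_IP_START = build_acct_request(SECRET, 8, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (USER_NAME, b"jsmith"),
    (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
])

if __name__ == "__main__":
    for pkt in (GOOD_START, NO_IP_START):
        print(check_sso_fields(pkt, SECRET))
```

To use this on real traffic, export the UDP payload of one packet from the `tcpdump port 1813` capture mentioned above and pass those bytes to `check_sso_fields` together with the secret configured on the firewall. Two caveats: the MD5 Request Authenticator is an integrity check against a shared secret, not a modern MAC, and RADIUS accounting is otherwise cleartext, which is also why the attributes are easy to read in a capture; and a packet that passes this check still only works if it actually reaches the firewall, so confirm the forwarding path (NAS to NPS to XG, or NAS directly to XG) with the capture as well.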