I just found this, is the bottom solution still correct?
Here is my scenario
We recently switched over from Smoothwall+Ruckus to Sophos+Unifi for our Firewall/wifi solution.
In the previous config the user would log onto the guest WiFi (we are a school, by the way) and get to a landing page where they would install the Smoothwall cert for HTTPS scanning. There was a link to the Ruckus logon page where the user logged on using their school username and password, and the user would be authenticated against RADIUS and put in the right filtering group. As far as I remember, the Ruckus setting pointed to AD for credential checking and then Smoothwall for RADIUS accounting.
I would like to mirror this with UniFi and Sophos, but I'm struggling.
I have RADIUS set up and working with both Sophos and the UniFi controller (I can't see many logs on either of these to help me).
I've tried setting it up as previously but the user doesn't get put into groups, they get the Sophos logon page.
I've added all the access points and the controller and Sophos to the radius clients section on the windows server, when I do a test the logs in windows shows its successful.
From what I have read, I think I should point both the RADIUS authentication and accounting to the Windows server now, which will then redirect accounting to the Sophos server to get its groups. I've tried both ways but neither works.
Can anyone help with some pointers please, or say whether this is actually possible with these two vendors?
Any help would be appreciated
Hi Simcfc73, I would recommend verifying the given article; Sophos XG can support Sophos AP integration only.
In reply to Keyur:
So are you saying no third party can pass on accounting info to the firewall?
Why does it have SSO using RADIUS accounting request in the authentication section then?
In reply to Simcfc73:
Hi Simcfc73, please refer to https://community.sophos.com/kb/en-us/127328#Adding%20RADIUS%20Server%20on%20the%20Sophos%20Firewall
I am not after authentication; I want accounting working.
This is the same issue, which says it should work.
It should work.
I would strongly guess your RADIUS server is not forwarding the proper accounting information.
You need to dump the traffic and check whether the Framed-IP packet is correct.
As mentioned, the critical piece of this is whether UniFi sends a standard Framed-IP-Address attribute along with the user information; otherwise the XG will just see a username and no associated IP address (I'm assuming you are using an NPS server for AD user authentication).
I've had no problem getting this working on Meraki, Ruckus and Aruba. I've seen that UniFi doesn't (or didn't) send this information, but that's based on an article that is a few years old. I'd be surprised if it didn't do that by now.
In reply to carbon15:
So is the Framed-IP packet that Sophos gets coming from the RADIUS server or the UniFi box? I've tried setting it up inside UniFi to point to RADIUS for auth and Sophos for accounting, and also everything pointing to RADIUS.
Am I looking at the Sophos logs for the Framed-IP packets?
This information is sent from the Ubiquiti APs or WLAN controller; it is not added by the NPS server nor by the XG. You want to network-sniff the accounting messages coming into the XG, either from the CLI (tcpdump port 1813) or on a PC that mirrors the XG port. The accounting message is in clear text and easy to understand. If there's no username and IP address of their client, this is more than likely the issue.
I've only ever set it up so that the authentication and accounting messages are forwarded on to the NPS server, and in there set the forwarding of the accounting messages to the XG.
Alternatively, ask UniFi if their kit sends this information yet. I think it's pretty standard (and basic) stuff, so there's no reason for it not to.
There's a hard limit of 16 RADIUS accounting hosts you can have on the XG, so you definitely want to forward as much as possible via a single point.
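The check carbon15 describes (look at the accounting message on port 1813 and confirm it carries both a username and the client IP) can be scripted. The following is an added example, not code from the thread or from Sophos/Ubiquiti; it builds a constructed RADIUS Accounting-Request (attribute numbers and the Request Authenticator formula are the real ones from RFC 2865/2866, the shared secret and all addresses are made-up sample values), decodes it the way a packet dissector would, and reports why the packet could or could not tie a user to an IP. It goes slightly beyond the thread by also checking the Request Authenticator, which is how you would spot a forwarder configured with the wrong shared secret.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet code and attribute types used here (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    8: "Framed-IP-Address",
    30: "Called-Station-Id",   # SSID / AP identifier on most WLAN kit
    31: "Calling-Station-Id",  # client MAC address
    40: "Acct-Status-Type",
    44: "Acct-Session-Id",
}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Build an Accounting-Request. Per RFC 2866 s3 the Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet: bytes) -> dict:
    """Decode the RADIUS header and attribute TLVs; rejects malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length for type {atype}")
        raw = packet[pos + 2:pos + alen]
        if atype in (4, 8):                       # IPv4 address attributes
            value = str(ipaddress.IPv4Address(raw))
        elif atype == 40:                         # 4-byte integer enum
            value = ACCT_STATUS.get(struct.unpack("!I", raw)[0], "Unknown")
        else:                                     # text/string attributes
            value = raw.decode("utf-8", errors="replace")
        attrs[ATTR_NAMES.get(atype, f"Attr-{atype}")] = value
        pos += alen
    return {"code": code, "id": identifier, "attrs": attrs}


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """True if the Accounting-Request was signed with this shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def check_sso_usable(packet: bytes) -> list:
    """Reasons this accounting packet could not map a user to a client IP."""
    parsed = parse_radius(packet)
    problems = []
    if parsed["code"] != ACCOUNTING_REQUEST:
        problems.append(f"not an Accounting-Request (code {parsed['code']})")
    a = parsed["attrs"]
    if "User-Name" not in a:
        problems.append("missing User-Name (attribute 1)")
    if "Framed-IP-Address" not in a:
        problems.append("missing Framed-IP-Address (attribute 8): user cannot be tied to a client IP")
    if a.get("Acct-Status-Type") == "Stop":
        problems.append("Acct-Status-Type is Stop: this ends a session rather than starting one")
    return problems


# Constructed sample data (not captured from any real network).
SHARED_SECRET = b"example-shared-secret"
_common = [
    (1, b"student01"),
    (4, ipaddress.IPv4Address("192.168.100.12").packed),
    (30, b"7C-5A-1C-51-37-5C:GuestWiFi"),
    (31, b"AA-BB-CC-DD-EE-FF"),
    (40, struct.pack("!I", 1)),
    (44, b"5f3a9c01"),
]
# Good packet: carries the client IP, so the firewall can create a user/IP mapping.
GOOD_PACKET = build_accounting_request(
    SHARED_SECRET, 7, _common + [(8, ipaddress.IPv4Address("192.168.100.57").packed)])
# Packet like the one in the thread: username, SSID and MAC, but no Framed-IP-Address.
NO_IP_PACKET = build_accounting_request(SHARED_SECRET, 8, _common)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_PACKET), ("no-ip", NO_IP_PACKET)):
        print(label, parse_radius(pkt)["attrs"])
        print("  secret ok:", verify_request_authenticator(pkt, SHARED_SECRET))
        print("  problems:", check_sso_usable(pkt) or "none")
```

To use it against a real capture, feed the UDP payload of a port 1813 packet (for instance one exported from tcpdump or Wireshark) to `parse_radius` and `check_sso_usable`; if the Framed-IP-Address attribute is reported missing, the AP or controller is the component that has to add it, which is exactly the situation the dump later in this thread shows.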
I'm just revisiting this as I have a bit more time.
I've dumped the traffic that's being sent to the XG box from UniFi on port 1813:

Ethernet header
Source MAC address: 74:83:c2:7e:58:1f
Destination MAC address: 7c:5a:1c:51:37:5c
Ethernet type: IPv4 (0x800)

IPv4 header
Source IP address: 192.168.100.12 (UNIFI)
Destination IP address: 192.168.100.1 (XG)
Protocol: UDP
Header: 20 bytes
Type of service: 0
Total length: 220 bytes
Identification: 53993
Fragment offset: 16384
Time to live: 64
Checksum: 7625

UDP header
Source port: 36429
Destination port: 1813
Length: 200
Checksum: 6855
Checksum: 5643
There's no info about the user in this, but the hex & ASCII detail does show the username, the SSID and the MAC address of the client... not the IP, though.
I'd urge you to check with UniFi to make sure there's nothing that needs to be done from that end; only the controller can add that field. I've not looked at an accounting packet recently, but I'm pretty sure you can see the IP address in the hex decode.
I've recently seen a site using UniFi working OK with RADIUS accounting (sent via NPS, as they were authenticating their users via AD, then forwarded on to the XG).
Thanks for the reply.
I've asked the question of UniFi; it's on the latest firmware update, so I will wait for them to get back to me.
I'm trying to get my head round this, so apologies if this is basic stuff.
I sorted it... woohoo!
I've used the Server 2016 RADIUS to forward the RADIUS requests to the XG and enabled RADIUS SSO on the interfaces.
I did try this before but I didn't get anywhere... I had the groups attribute wrong.