Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Advisory: Sophos XG Firewall - Antivirus service stopped due to failed pattern update. Please visit this KBA for the latest updates
We'd love to hear about it! Click here to go to the product suggestion community
I want to authenticate a user on my Sophos XG when connecting via an Accesspoint. (I want to allow a specific user access to my Server Network)
As far as i'm aware you have to authenticate using the captive portal provided by the firewall... but i want to use regular RADIUS authentification. No captive portal!!!
I want a user to sign into the WIFI Network using his personal user and credential and then have a userrule apply to that user.
Is this possible and if then how do I go about setting that up?
Thanks in advance
yes you can. Follow this KB:
In reply to lferrara:
Sorry, this one is more updated
I don't have Sophos APs...
In reply to Jonas Keller:
Radius can be used to authenticate users.
Put the AP on another network and use that network as source in the firewall rules and make sure you enable the authentication as described in the last KB I posted.
I don't understand what you mean.
The Wireless settings won't apply to my scenario because I'm using Cisco Access Points. They don't integrate with the XG! ...as far as I'm aware
You cannot use Cisco AP with XG under the Wireless protection, create SSID and so on. You need to manage them, make sure they are on a separated network, so in XG you can use the separated network as source in firewall rules and use the radius authentication.
If the AP use the same IP addresses as your LAN or any other network, you cannot split cabled users and wi-fi users.
Hope this helps!
I don't want to split the Networks or the users.
I want to create a Rule on the Firewall that will allow an Authenticated user (administrator) to access my Server Network which is split of from the Client Network. The APs are all connected to the Client Network. I want all Client devices in the same pool connected to the same AP but allow only the admin user access to my Server Network.
I could setup radius authentication on the accesspoint itself but i don't think the userrule on the firewall would apply to users that authenticated on the AP itself.
If the cabling Ip and wi-fi IP are the same, you cannot split.
XG does not understand if the IP is a Wi-Fi or coming from a desktop connected to a switch.
You can allow administrators only to access the server network by enabling "match known users" on the firewall rule and putting this rule at the top. If the user is not an administrator, the access to server network will be denied. Keep in mind that administrators will be able to access from Wi-Fi and cabled computers independently if you use this approach.
Could you describe how you would set it up. I don't think I understand what you mean.
what you need to do is:
Another approach is using Radius Accounting.
Using WPA Enterprise via Radius and the framed IP, you could actually get all the information by your Access Point as live users.
Your Access Point needs to support Framed IP. https://tools.ietf.org/html/rfc2865
You need to find out, if so.
Afterwards you need a Radius Server.
The Radius server will redirect your Accounting packets to XG. XG can pick up the framed IP + User name and authenticate those users.
Sounds like you dont have a radius server. The AP will most likely have a radius "Client". So you need a radius server (NPS?)
In reply to LuCar Toni:
Thats exactly what I need. How would I go about doing that?
I already have a radius server.
Did you try this KBA? https://community.sophos.com/kb/en-us/134148