Authenticate User over Access Point

Hi :)

I want to authenticate a user on my Sophos XG when connecting via an access point. (I want to allow a specific user access to my Server Network)

As far as I'm aware you have to authenticate using the captive portal provided by the firewall... but I want to use regular RADIUS authentication. No captive portal!!!

I want a user to sign into the Wi-Fi network using his personal user and credential and then have a user rule apply to that user.

Is this possible, and if so, how do I go about setting that up?

Thanks in advance

  • In reply to lferrara:

    I don't have Sophos APs...

  • In reply to Jonas Keller:

    RADIUS can be used to authenticate users.

    Put the AP on another network and use that network as source in the firewall rules and make sure you enable the authentication as described in the last KB I posted.

  • In reply to lferrara:

    I don't understand what you mean.

    The Wireless settings won't apply to my scenario because I'm using Cisco access points. They don't integrate with the XG! ...as far as I'm aware

  • In reply to Jonas Keller:

    You cannot use a Cisco AP with XG under Wireless Protection, create SSIDs and so on. You need to manage them yourself and make sure they are on a separate network, so in XG you can use the separate network as source in firewall rules and use RADIUS authentication.

    If the AP uses the same IP addresses as your LAN or any other network, you cannot split cabled users and Wi-Fi users.

    Hope this helps!

  • In reply to lferrara:

    I don't want to split the Networks or the users.

    I want to create a rule on the firewall that will allow an authenticated user (administrator) to access my Server Network, which is split off from the Client Network. The APs are all connected to the Client Network. I want all client devices in the same pool connected to the same AP but allow only the admin user access to my Server Network.

    I could set up RADIUS authentication on the access point itself, but I don't think the user rule on the firewall would apply to users that authenticated on the AP itself.

  • In reply to Jonas Keller:

    If the cabled IP and Wi-Fi IP ranges are the same, you cannot split them.

    XG does not know whether an IP is on Wi-Fi or coming from a desktop connected to a switch.

    You can allow only administrators to access the server network by enabling "match known users" on the firewall rule and putting this rule at the top. If the user is not an administrator, access to the server network will be denied. Keep in mind that, if you use this approach, administrators will be able to access it from both Wi-Fi and cabled computers.

  • In reply to lferrara:

    Could you describe how you would set it up? I don't think I understand what you mean.

  • In reply to Jonas Keller:

    Jonas,

    what you need to do is:

    • configure the AP to have an IP inside a LAN managed by XG
    • configure the Wi-Fi on the Cisco AP with WPA3 and so on
    • configure the AP so users that connect to the Cisco AP get an IP in the same subnet as the XG interface you chose for the AP
    • create a firewall rule from the zone of the chosen XG interface to the zone and network where the servers are located
    • on this firewall rule, enable "match known users" with the users that are allowed to access the servers

    Regards

  • In reply to lferrara:

    Another approach is using RADIUS Accounting.

    Using WPA Enterprise via RADIUS and the Framed IP, you could actually get all the information from your access point as live users.

    https://community.sophos.com/kb/en-us/127328

    Your access point needs to support Framed IP. https://tools.ietf.org/html/rfc2865

    You need to find out if it does.

    Afterwards you need a RADIUS server.

    The RADIUS server will forward your accounting packets to XG. XG can pick up the Framed IP + user name and authenticate those users.

    Sounds like you don't have a RADIUS server. The AP will most likely have a RADIUS "client". So you need a RADIUS server (NPS?)
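As an added illustration of the accounting-based approach described in this reply (this is example code, not from the thread or from Sophos), the following builds a minimal RADIUS Accounting-Request carrying User-Name and Framed-IP-Address per RFC 2865/2866, and shows the check a receiver such as XG must do before trusting the user-to-IP mapping: verify the Request Authenticator with the shared secret. The secret, user name and IP are constructed sample values.

```python
# Added example, not from the Sophos thread: build and parse a minimal RADIUS
# Accounting-Request (RFC 2866) carrying User-Name and Framed-IP-Address, the
# attributes XG reads to map a live user to an IP. Secret/user/IP are samples.
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                      # RADIUS packet code for Accounting-Request
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40
ACCT_START = 1                        # Acct-Status-Type value "Start"
def _attr(atype: int, value: bytes) -> bytes:
    # RFC 2865 attribute: Type (1 byte) + Length (1 byte, incl. header) + Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_start(ident: int, user: str, ip: str, secret: bytes) -> bytes:
    """Accounting-Request 'Start'. Request Authenticator per RFC 2866 is
    MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret)."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + _attr(ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START)))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_request(pkt: bytes, secret: bytes):
    """Verify the authenticator, then return {'user', 'framed_ip', 'status'}.
    Returns None for a malformed packet or one not signed with `secret`, so a
    sender without the shared secret cannot inject a user-to-IP mapping."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest() != pkt[4:20]:
        return None
    out, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None                # truncated or zero-length attribute
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out["user"] = value.decode(errors="replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            out["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_ACCT_STATUS and len(value) == 4:
            out["status"] = struct.unpack("!I", value)[0]
        pos += alen
    return out
```

A real deployment would receive these packets on UDP 1813 from the RADIUS server; the point here is that only the shared secret ties the Framed-IP to a user, so the secret must be kept strong and the source restricted.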

  • In reply to LuCar Toni:

    That's exactly what I need. How would I go about doing that?

    I already have a RADIUS server.