Wifi RADIUS authentication vs Agent

We have XG135 in test in a cloud-only environment, that is no AD. We have a test radius server working and have set that to authenticate wifi successfully however the user who authenticates is not appearing in the Live Users activities screen.

I can of course use the appropriate agent, here we use iOS or the captive portal, to identify the user but can we use that wifi radius authentication to then identify the user and track web usage?



  • Hi Mark,

    Yes, you may use the authentication but you may need to configure Radius server on XG. 

    Sophos XG Firewall synchronizes groups with the RADIUS Server every time the user tries to log in. If a user's group is changed on the next login attempt, the user will be logged in as a member of the same group. This feature keeps the RADIUS Server updated and removes the need for manual updates every time the group is changed.

    Configure a RADIUS Server

      1. Go to Objects > Assets > Authentication Server and click Add to configure a RADIUS Server.
      2. Fill out the settings as explained below:

      • Server Type: RADIUS Server
      • Server Name: SF_RADIUS
      • Server IP:
      • Authentication Port: 1812
      • Enable Account: Check
      • Accounting Port: 1813
      • Shared Secret: Your RADIUS Server shared secret
      • Group Name Attribute: This will be vendor specific
    1. Click Test Connection to check if the Sophos Firewall can connect to the RADIUS Server. It will then prompt for administrative credentials to test the connection. Enter the credentials and click Test Connection.  
    2. If the connection is successful, click Save.


    Set RADIUS as the Primary Authentication Method

    1. Go to Authentication > Services and select the RADIUS Server as the primary authentication server for Firewall, VPN or Administrative Authentication.
    2. Click Apply to save the configuration. 
    3. The local database is selected by default. Make sure that the RADIUS server is selected and is the first server in the Selected Authentication Server list.

    4. If there are multiple servers, the authentication request will be forwarded according to the order configured in the Selected Authentication Server list.

    Test the RADIUS configuration

      1. Go to HTTP://<SF LAN IP>:8090 to view the Captive Portal login page. Enter the credentials and log in.


      1.  Do not close this window. Closing this window will log you out, and you will have to log in again. 

    1. If the user logs in successfully, they should appear in Authentication > Users.


    Taken from KB article https://community.sophos.com/kb/en-us/123164 

  • In reply to Aditya Patel:

    Thanks for your reply but unfortunately this isn't quite what I meant.

    I'm using the radius server happily to authenticate user portal, capture and firewall via auth agents.

    What I wanted was the fact that a user is authenticating to the SSID using his radius credentials. Why does he further have to authenticate with one of the above? Can the system not pick that up ?


  • In reply to Mark Spencer-Smith1:

    I have a similar question.  We have RADIUS servers authenticating users on Wi-Fi, and they are showing up properly on the firewall.  But the problem for us is when they disappear off the Wi-Fi, they don't disappear off the firewall.  The RADIUS authentication is happening on our Wi-Fi APs.  I've been told by Sophos Support that it's not possible to track and reconcile users based on this.  They've recommended buying Sophos APs.  I'm not entirely sure that's the right answer, but it's the one that Sophos Support has given me for now.  I'm continuing to investigate this.

  • In reply to Robert Park:

    I know this is an old thead. But i am seeing behavior similar. Radius sso authentication is working and users are showing up as live users. But if the wireless client leaves the wifi still seeing the user in the firewall. Did you find an answer to this? 

  • In reply to Jim Boothe1:

    Someone from our vendor support finally suggested something, though I can't recall the details.  I think it did fix the problem, though I did not do thorough testing to be sure, only cursory glances.  Before, I believe our RADIUS accounting was going through our firewall directly, whereas now it is going through our RADIUS servers?  Ah, I probably have it wrong.  I know that we were pointing something RADIUS in our AP settings at the firewall directly before, and now we're pointing them at our RADIUS servers instead.  Sorry, know that's not probably not good enough for you.  For some reason, I think it was the accounting?  https://xkcd.com/979/

  • In reply to Jim Boothe1:

    I think this is the article where they started getting inspiration.  https://community.sophos.com/kb/en-us/131580  It was such a long time ago, sorry.  One day, we'll get good at this documentation thing, I swear!  :)