Authenticate User over Access Point

Jonas,

yes you can. Follow this KB:

https://community.sophos.com/kb/en-us/122790

Regards

Sorry, this one is more updated

https://community.sophos.com/kb/en-us/132912

I don't have Sophos APs...

Radius can be used to authenticate users.

Put the AP on another network and use that network as source in the firewall rules and make sure you enable the authentication as described in the last KB I posted.

I don't understand what you mean.

The Wireless settings won't apply to my scenario because I'm using Cisco Access Points. They don't integrate with the XG! ...as far as I'm aware

You cannot use Cisco AP with XG under the Wireless protection, create SSID and so on. You need to manage them, make sure they are on a separated network, so in XG you can use the separated network as source in firewall rules and use the radius authentication.

If the AP use the same IP addresses as your LAN or any other network, you cannot split cabled users and wi-fi users.

Hope this helps!

I don't want to split the Networks or the users.

I want to create a Rule on the Firewall that will allow an Authenticated user (administrator) to access my Server Network which is split of from the Client Network. The APs are all connected to the Client Network. I want all Client devices in the same pool connected to the same AP but allow only the admin user access to my Server Network.

I could setup radius authentication on the accesspoint itself but i don't think the userrule on the firewall would apply to users that authenticated on the AP itself.

If the cabling Ip and wi-fi IP are the same, you cannot split.

XG does not understand if the IP is a Wi-Fi or coming from a desktop connected to a switch.

You can allow administrators only to access the server network by enabling "match known users" on the firewall rule and putting this rule at the top. If the user is not an administrator, the access to server network will be denied. Keep in mind that administrators will be able to access from Wi-Fi and cabled computers independently if you use this approach.

Could you describe how you would set it up. I don't think I understand what you mean.

Jonas,

what you need to do is:

• configure the AP to have an IP inside a LAN managed by XG
• configure the Wi-FI on Cisco with WPA3 and so on
• configure the AP so users that connect on the Cisco AP get an IP in the same subnet of the XG interface you chose for the AP
• create a firewall rule from the zone of the XG interface chose to the zone and network where the servers are located
• on this firewall rule, enable the "match know users" with the users that are allowed to access the servers

Regards

Jonas,

what you need to do is:

• configure the AP to have an IP inside a LAN managed by XG
• configure the Wi-FI on Cisco with WPA3 and so on
• configure the AP so users that connect on the Cisco AP get an IP in the same subnet of the XG interface you chose for the AP
• create a firewall rule from the zone of the XG interface chose to the zone and network where the servers are located
• on this firewall rule, enable the "match know users" with the users that are allowed to access the servers

Regards

Another approach is using Radius Accounting.

Using WPA Enterprise via Radius and the framed IP, you could actually get all the information by your Access Point as live users.

https://community.sophos.com/kb/en-us/127328

Your Access Point needs to support Framed IP. https://tools.ietf.org/html/rfc2865

You need to find out, if so. 

Afterwards you need a Radius Server. 

The Radius server will redirect your Accounting packets to XG. XG  can pick up the framed IP + User name and authenticate those users. 

Sounds like you dont have a radius server. The AP will most likely have a radius "Client". So you need a radius server (NPS?) 

Thats exactly what I need. How would I go about doing that?

I already have a radius server.

Did you try this KBA? https://community.sophos.com/kb/en-us/134148