
Radius test failed

I am setting up Sophos XG Wireless for the first time, and having some trouble with RADIUS. I have a ticket open with Sophos support, but wanted to reach out to the community to get their take on the issue. I followed the instructions by Sophos for setting up the RADIUS server on my DC, and adding it as an authentication mechanism under the "Services" settings for "SSO using RADIUS accounting request". The test fails, but gives little information as to why. Are there any logs I can transfer from the XG to give me more information on what I am missing in the RADIUS setup?

Some of the settings I am not familiar with, such as "domain", which doesn't seem to show up in anyone else's screenshots. Also, do I need "NAS identifier" and "NAS port type"?

Error message that I get testing:



  • Hello Josh,

    Thank you for contacting the Sophos Community!

    The NAS identifier and the NAS port type are additional and not really needed, so I would recommend you disable them.

    As for the logs you can check, you would need to put access_server.log in debug mode and then run the test again:

    # service access_server:debug -ds nosync

    To stop debug mode, just run the same command.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Josh

    In my experience the Sophos XG uses an unencrypted username/password for the tests. In your RADIUS server, in the authentication protocols, enable CHAP/PAP, IIRC. Windows will pop up a warning message, but just say yes. Run the test again for RADIUS authentication. You may have to try a couple of username formats, but it's mostly been successful with just a username.

    If there are any more issues, you'll have to check the logs on the RADIUS server. I even went so far as Wireshark, capturing packets at the RADIUS server, trying to get all of this working.

    Christopher

  • Hi Josh

    I forgot about the NAS Identifier: yes, you need that. It's the RADIUS client name, and it must be the same.

  • I enabled basically ALL the authentication methods on the RADIUS server but still get the same problem. RADIUS is a whole basket of confusion, so I suspect it is something to do with a setting on the RADIUS server itself. One setting I don't know how to configure is the "domain" box; is that needed?

  • The "domain" box is not filled in on ours; the "Group Name" box is, though, and it is just using "DOMAINNAME\Domain Users". This should probably be reduced, but Sophos XG groups are confusing and limited, I've found.

    NAS Identifier and NAS port type are configured on our RADIUS auth server in Sophos.

    We use Windows 2019 NPS for our RADIUS, and to get L2TP VPN working, the Connection Request Policy Properties | Settings | Specify a Realm Name | Attribute has to be modified. The attribute to modify is User-Name. In Find use ^DOMAINNAME\\ and leave Replace With blank.

    It does work, but my experience with Sophos and Windows RADIUS is that they are very pedantic in how they work together; there's no room for fudging or "close enough". Oh, and I never got it to work on Windows 2012 R2, only 2019. Go figure...

  • I tried adding the settings for my domain similar to yours, but still to no avail on the test. I am also on Server 2019, so I was hopeful, but it is still a mess. I will keep trying; any other suggestions are certainly appreciated while I wait for Sophos Support.

  • Yes, this one bit me badly. On our XG we have a number of VLANs/IP addresses. The RADIUS requests always came from the port in the server VLAN, not the XG's management address.

    I was using the XG's actual IP address (management IP) as the client address in NPS. It was Wireshark that showed no RADIUS packets were getting to the NPS server from this address. I was using the IP address of the XG in the RADIUS Client list.

    This is only for RADIUS on the Sophos XG and for L2TP on the Sophos XG; other NAS devices use their own IP address.

    In short, check the IP address of the XG RADIUS client in Windows NPS.

    Keep trying, the ducks will line up; it took me about 24 hours of billable time to get it working...
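As an added illustration (not code from any poster, from Sophos, or from Microsoft), the following Python models the three points the replies above turn on: the test sends PAP, so the password is only obfuscated with the shared secret per RFC 2865 and PAP has to be allowed on the server; NPS picks the shared secret by the source IP of the request, so a request from an interface that is not in the RADIUS Clients list gets no answer and the NAS only sees a timeout; and the Connection Request Policy rule Find ^DOMAINNAME\\, Replace With blank, strips the realm from User-Name before the account lookup. Everything in it is constructed: the IP addresses, the user "josh" and the password, the shared secret, the NAS-Identifier "XG-Wireless", and the in-memory dictionary standing in for Active Directory. The server side is a toy of NPS behaviour, not NPS itself.

```python
import hashlib
import os
import re
import struct

# RADIUS code and attribute types from RFC 2865 (only the ones used here)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IDENTIFIER = 32


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not encryption, which
    is why PAP must be enabled on the server's policy for the test to pass."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_recover(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate; with the wrong shared secret this yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         nas_id: bytes = b"XG-Wireless", ident: int = 1,
                         authenticator: bytes = b"") -> bytes:
    """A PAP Access-Request as a NAS would send it for a test login
    (no Message-Authenticator, to keep the example short). nas_id is a
    placeholder for whatever the NAS is configured to send."""
    authenticator = authenticator or os.urandom(16)
    body = (_attr(USER_NAME, username.encode())
            + _attr(USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator))
            + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_attrs(body: bytes) -> dict:
    """Walk the type/length/value attribute list, refusing malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


# The realm-stripping rule from the thread, applied to User-Name:
# Find ^DOMAINNAME\\  Replace With: (blank)
REALM_STRIP = re.compile(r"^DOMAINNAME\\")


def server_handle(packet: bytes, src_ip: str, clients: dict, users: dict) -> str:
    """Toy NPS receive path. clients maps RADIUS-client IP -> shared secret;
    users maps sAMAccountName -> password (constructed stand-in for AD).
    Returns 'no-reply' (unknown client IP), 'reject' or 'accept'."""
    secret = clients.get(src_ip)
    if secret is None:
        return "no-reply"  # the NAS only ever sees a timeout, never an Access-Reject
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        return "no-reply"
    authenticator = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = REALM_STRIP.sub("", attrs[USER_NAME].decode("utf-8", "replace"))
    password = pap_recover(attrs[USER_PASSWORD], secret, authenticator)
    return "accept" if users.get(user) == password else "reject"


def demo() -> dict:
    """Constructed scenario mirroring the thread: the firewall sends from its
    server-VLAN address, but only the management address was registered."""
    secret = b"shared-secret"
    clients = {"10.20.0.1": secret}          # only the server-VLAN interface is listed
    users = {"josh": b"Winter2024!"}
    pkt = build_access_request("DOMAINNAME\\josh", "Winter2024!", secret)
    return {
        "from_management_ip": server_handle(pkt, "10.0.0.1", clients, users),
        "from_server_vlan_ip": server_handle(pkt, "10.20.0.1", clients, users),
        "wrong_secret_on_server": server_handle(pkt, "10.20.0.1", {"10.20.0.1": b"typo"}, users),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The three outcomes in `demo()` are the three failure modes to separate when the XG test just says it failed: no reply at all points at the client IP (or a firewall rule) rather than credentials; a reject with the right IP points at the shared secret, the PAP setting, or the realm/username format; and only an accept proves the whole chain. A packet capture on the server, as suggested above, tells the first case apart from the other two.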

  • After some work with Sophos Support we were able to get RADIUS working; almost all of the issues were on the RADIUS server side, because it is an old, confusing technology. What we found is that you basically need a very basic RADIUS setup to get it going. The "group name attribute" still confuses me, but we have it set to our domain without the qualifier after the "." and it is working. If anyone else is having trouble getting started, send me a direct message and I would be glad to share our settings/experience.