
RADIUS SSO Dropping Authentication

I have a problem with the RADIUS SSO whereby, when laptops and devices connect to the wireless, it authenticates against the Windows NPS server, which then forwards the accounting packets to the Sophos XG.

This works and users are able to connect and get the appropriate web filter level. However, as they move around site and jump from Access Point to Access Point they will randomly lose the Sophos Authentication and therefore lose internet.

I have checked on the NPS server and can see in the Accounting Request packets that it is receiving both a username and IP address.

I am still, however, getting these errors in the access_server.log on the Sophos XG.

MESSAGE   Apr 22 10:31:29.916557 [access_server]: handle_radius_account_req:  request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:29.916600 [access_server]: handle_radius_account_req: received radius accounting with status 2
ERROR Apr 22 10:31:29.916624 [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP BYODIPADDRESS (sqrs 101)
ERROR Apr 22 10:31:29.916635 [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed
MESSAGE Apr 22 10:31:36.750328 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:36.750351 [access_server]: handle_radius_account_req: received radius accounting with status 2
MESSAGE Apr 22 10:31:38.276044 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:38.276087 [access_server]: handle_radius_account_req: received radius accounting with status 1
MESSAGE Apr 22 10:31:39.027107 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:39.027126 [access_server]: handle_radius_account_req: received radius accounting with status 1
MESSAGE Apr 22 10:31:39.027169 [access_server]: (handle_req_no_password): User 18oelks with clienttype 23 already live, ignoring the request
MESSAGE Apr 22 10:31:40.377564 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:40.377606 [access_server]: handle_radius_account_req: received radius accounting with status 2
MESSAGE Apr 22 10:31:43.796939 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:43.796962 [access_server]: handle_radius_account_req: received radius accounting with status 2
MESSAGE Apr 22 10:31:46.146647 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:46.146669 [access_server]: handle_radius_account_req: received radius accounting with status 1
MESSAGE Apr 22 10:31:46.373840 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:46.373863 [access_server]: handle_radius_account_req: received radius accounting with status 2
MESSAGE Apr 22 10:31:46.558429 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:46.558464 [access_server]: handle_radius_account_req: received radius accounting with status 2
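
Added example, not part of the original post or any Sophos tooling: a small parser for this access_server.log format that labels each accounting request by its Acct-Status-Type (1 = Start, 2 = Stop, 3 = Interim-Update in RFC 2866) and attaches the follow-up lines that show a Stop for an IP with no live session or a Start for a user already live. The sample lines are constructed in the format of the excerpt above, `exampleuser` is a made-up name, and the code assumes detail lines directly follow the status line they belong to.

```python
import re
from collections import Counter

# Acct-Status-Type values defined in RFC 2866.
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

LINE = re.compile(r"^(?:MESSAGE|ERROR)\s+(\w{3}\s+\d+\s+[\d:.]+)\s+\[access_server\]:\s+(.*)$")
STATUS = re.compile(r"received radius accounting with status (\d+)")
# Follow-up lines that explain what the firewall did with the request.
DETAILS = {
    "no_live_session": re.compile(r"GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (\S+)"),
    "already_live": re.compile(r"User (\S+) with clienttype \d+ already live"),
}

# Constructed sample in the format of the excerpt above (placeholders, made-up user).
SAMPLE = """\
MESSAGE Apr 22 10:31:29.916557 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:29.916600 [access_server]: handle_radius_account_req: received radius accounting with status 2
ERROR Apr 22 10:31:29.916624 [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP BYODIPADDRESS (sqrs 101)
MESSAGE Apr 22 10:31:39.027107 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:39.027126 [access_server]: handle_radius_account_req: received radius accounting with status 1
MESSAGE Apr 22 10:31:39.027169 [access_server]: (handle_req_no_password): User exampleuser with clienttype 23 already live, ignoring the request
MESSAGE Apr 22 10:31:40.377564 [access_server]: handle_radius_account_req: request received from radius client NPSSERVERIP
ERROR Apr 22 10:31:40.377606 [access_server]: handle_radius_account_req: received radius accounting with status 2
"""

def parse_events(text):
    """Return one dict per accounting request, with any follow-up detail attached."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        s = STATUS.search(msg)
        if s:
            code = int(s.group(1))
            events.append({"time": ts, "status": ACCT_STATUS.get(code, f"unknown({code})"),
                           "flag": None, "detail": None})
        elif events:
            # Assumption: detail lines directly follow the status line they belong to.
            for flag, rx in DETAILS.items():
                d = rx.search(msg)
                if d:
                    events[-1].update(flag=flag, detail=d.group(1))
    return events

def summarize(events):
    """Count requests per status and per follow-up flag."""
    counts = Counter(e["status"] for e in events)
    counts.update(e["flag"] for e in events if e["flag"])
    return dict(counts)
```

Running `summarize(parse_events(...))` over a full log gives a quick ratio of Stops to Starts and shows how many Stops referred to an IP the firewall no longer had a session for.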


This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    Are you using Sophos Access Points? Are you using Radius SSO or Radius accounting?

    I would check how the traffic is moving from your AP to the Radius server, meaning if the AP is in the same Management VLAN.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • It is using Ubiquiti UniFi Access Points, which send all authentication and accounting packets to a Windows 2019 NPS Server. The Windows NPS server then forwards the accounting packets to the Sophos XG. The NPS server is listed under Authentication - Services - SSO using RADIUS accounting request.

    I can confirm the traffic is hitting the NPS server correctly as it is authenticating and intermittently getting the filter from Sophos. I have also run a Wireshark trace on the NPS server and can see that the RADIUS information is contained within the RADIUS packets. This information includes the Framed-IP-Address as well as the username of the user.

  • Having done more testing, the issue seems to be when roaming between different access points.

    I can roam between different APs, but when I seemingly get to the original AP I was connected to, Sophos drops the authentication.

  • Hello there,

    Thank you for the follow-up.

    I was suspecting the Framed-IP but you mentioned it’s being seen and sent.

    I would recommend you to open a Case ID, or if you already have one, share it with me.

    Please provide the logs of access_server in debug mode:

    # service access_server:debug -ds nosync

    The wireless.log and a pcap of the corresponding traffic.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support