Radius Authentication to Admin Interface Fails Despite Valid Test


I am still relatively new with Sophos products. I've got a Radius server set up to authenticate users to the admin interface, but it's not working. I've reviewed the documentation several times and am unable to determine what I'm missing. I feel like there's one piece that I haven't enabled, yet I cannot find it.

This is on a Sophos XGS116 running SFOS 19.5.3 MR-3 Build 652.

I went to Authentication -> Servers and

  1. Added a new authentication server - type RADIUS
  2. Provided a name
  3. IP address
  4. Authentication port (1812)
  5. Timeout is set to 3 seconds
  6. Accounting is not enabled
  7. Shared secret specified
  8. Domain Name is blank - this Radius server is not IAS and is not configured with Active Directory - it's a Steel Belted Radius server that's using a local database
  9. Group Name Attribute is set to "Filter-Id" (without the double quotes)

When I select Test connection, I see "Device-RADIUS server connectivity test was successful"

Next, I went to Authentication -> Services

Under Administrator Authentication Methods, I have both Local and the Radius server selected
Dragged and dropped the order of the auth servers such that the Radius server is first in the list

I attempted to log in with the same credentials I used when testing the connection.

I ran a policy trace on the Radius server and can see the Access Request from the Sophos appliance, along with an Access Accept and I can see the value I have set for "Filter-ID" sent back as part of the Access-Accept message.

Can someone please advise?

Thanks in advance!

Added V19.5 MR3 TAG
[edited by: Erick Jan at 7:31 AM (GMT -7) on 2 Oct 2023]
  • Hi,

    Let me explain the current behaviour of XG with an external authentication server. This will help you correlate things in your setup and fix it.

    XG doesn't support administrative user creation on the fly after authentication via an external auth server (except Azure AD SSO).
    Webadmin needs administrative user permission to access it.

    There is no need to create the local user manually.
    You can log in to the user portal with the same RADIUS user, so a copy of the user is created automatically in the local database after a successful login.
    Go to XG (Authentication -> Users), promote this user to administrator, select whatever profile you want, and save it.
    From now on, this user has administrative permission, so the user can access the Webadmin portal.
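The check the question describes (an Access-Accept that carries Filter-Id) can be reproduced offline against a captured reply. The following is an added example, not code from either poster or from Sophos: it validates the RFC 2865 Response Authenticator and extracts Filter-Id (attribute type 11). The shared secret, group name `SophosAdmins` and the packet are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RFC 2865 packet code
FILTER_ID = 11      # RFC 2865 attribute type for Filter-Id

def build_access_accept(ident, request_auth, secret, attrs):
    """Build a sample Access-Accept (constructed data standing in for a capture)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Return (authenticator_ok, [Filter-Id values]) for an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    packet = packet[:length]            # ignore any trailing padding
    body = packet[20:]
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    auth_ok = hmac.compare_digest(expected, packet[4:20])
    filter_ids, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("attribute length out of bounds")
        if atype == FILTER_ID:
            filter_ids.append(body[i + 2:i + alen].decode("utf-8", "replace"))
        i += alen
    return auth_ok, filter_ids

if __name__ == "__main__":
    secret = b"constructed-secret"      # sample value, not a real secret
    req_auth = bytes(range(16))         # Request Authenticator from the Access-Request
    pkt = build_access_accept(7, req_auth, secret,
                              [(18, b"ok"), (FILTER_ID, b"SophosAdmins")])
    print(parse_access_accept(pkt, req_auth, secret))
```

A valid authenticator plus the expected Filter-Id confirms the RADIUS side only; as the reply explains, Webadmin access still depends on the user's local administrator status on the firewall.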