
Radius Authentication over SD-WAN

I have RADIUS authentication working locally from the Sophos Firewall to the local RADIUS server for both VPN and for WiFi authentication; however, I am unable to get the authentication working from the Sophos Firewall to another RADIUS server at a remote location over the SD-WAN link.

The SD-WAN link is working perfectly from any PC on the network and they can reach the remote Sophos Firewall, and anything on the remote network and vice-versa (including ping).  If I try to ping from the local Sophos Firewall to the remote network (Diagnostics page, or advanced console) I get 0 replies.

I have checked the configuration and both routing System-generated traffic and reply packets over the SD-WAN are enabled.

Any ideas on why I am not getting system generated traffic over the RED tunnel/SD-WAN?

Version: v20.2 Home - then updated to v21 GA Home

Thanks in advance

Ian



[edited by: Raphael Alganes at 12:21 PM (GMT -7) on 22 Oct 2024]
  • I have been through that list, and I am not sure which scenario I would be hitting in that KBA, as I am not running any enabled proxy within SF-FW, or am I misunderstanding the proxy term there?

    The requirement for "One WAN interface (default gateway) or static route is necessary for PBR to work for system-originating traffic" is met as I have one WAN interface with the default gateway.

    As suggested I have tried a static route, and I can then ping from whichever end has a static route enabled, and the radius authentication then passes its tests.

    Thanks

    Ian 

  • Hello  ,

    Thank you for the update. I suggest using the static route for now. 

    To understand further which scenario is being hit, we may need your network diagram with the connectivity details, along with packet captures, to identify which condition from the above-mentioned KBA applies.

    You seem to have pointed at the correct option; however, I suspect one of the below is the case in your scenario:

    1: One WAN interface (default gateway) or static route is necessary for PBR to work for system-originating traffic. You need the WAN interface (default gateway) or static route for proxy traffic match in the reply path

    OR 

    2: The SD-WAN policy route (policy-based route) that has higher precedence than the VPN policy route based on the route_precedence configuration will be disregarded by system-originating traffic if a match with the latter policy is made. Sophos Firewall will not follow the route precedence in such a scenario. However, if the system-originating traffic matches a static route, it will apply the route precedence configuration between the static and VPN routes or between static and SD-WAN policy routes.

    Also, like  mentioned, select source as any in SDWAN route and help us with the output.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

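    A small model of the two KBA conditions quoted in this reply, added here as an illustration (not Sophos code and not the KBA's own text): it shows which route kind a packet takes for user traffic versus firewall-originated traffic, and why adding a static route changes the answer. The addresses, tunnel labels, the route_precedence order of SD-WAN, VPN, static, the wan_default_gateway flag, and the simplification that condition 1 only gates the SD-WAN route are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

STATIC, SDWAN, VPN = "static", "sdwan", "vpn"   # route kinds named in the reply

@dataclass(frozen=True)
class Route:
    kind: str      # STATIC, SDWAN or VPN
    dest: str      # destination network (CIDR)
    source: str    # "any" or a CIDR; SD-WAN policy routes also match on source
    via: str       # constructed label for the next hop or tunnel

def matches(route, dst, src):
    if ip_address(dst) not in ip_network(route.dest):
        return False
    return route.source == "any" or ip_address(src) in ip_network(route.source)

def select_route(routes, dst, src, precedence, system_originated, wan_default_gateway=True):
    """Model of the KBA rules quoted above. precedence is the assumed route_precedence
    order, e.g. [SDWAN, VPN, STATIC]. Returns the chosen Route or None."""
    hits = {}
    for r in routes:                      # first matching route of each kind
        if matches(r, dst, src):
            hits.setdefault(r.kind, r)
    if not system_originated:             # user traffic: plain precedence order
        return next((hits[k] for k in precedence if k in hits), None)
    # Condition 1 (simplified): PBR for system traffic needs a WAN default gateway or a static route
    if not wan_default_gateway and STATIC not in hits:
        hits.pop(SDWAN, None)
    # Condition 2: with no matching static route, a matching VPN route is taken even
    # when route_precedence ranks the SD-WAN policy route above it
    if STATIC not in hits:
        return hits.get(VPN) or hits.get(SDWAN)
    # A matching static route re-enables precedence (static vs VPN, static vs SD-WAN)
    return next((hits[k] for k in precedence if k in hits), None)

def scenario():
    """Constructed addresses: remote LAN 10.20.0.0/16, local LAN 192.168.1.0/24,
    local firewall WAN address 203.0.113.2. Returns the route kind chosen per case."""
    remote, pc, fw_wan = "10.20.0.5", "192.168.1.10", "203.0.113.2"
    prec = [SDWAN, VPN, STATIC]           # assumed route_precedence order
    sdwan_lan_src = Route(SDWAN, "10.20.0.0/16", "192.168.1.0/24", "red-tunnel")
    sdwan_any_src = Route(SDWAN, "10.20.0.0/16", "any", "red-tunnel")
    vpn = Route(VPN, "10.20.0.0/16", "any", "ipsec-to-site-b")
    static = Route(STATIC, "10.20.0.0/16", "any", "red-tunnel")
    pick = lambda rs, src, sys: getattr(select_route(rs, remote, src, prec, sys), "kind", None)
    return {
        "pc via sdwan": pick([sdwan_lan_src, vpn], pc, False),                 # sdwan
        "firewall, sdwan source=LAN": pick([sdwan_lan_src, vpn], fw_wan, True),   # vpn: SD-WAN route never matched
        "firewall, sdwan source=any": pick([sdwan_any_src, vpn], fw_wan, True),   # vpn: condition 2
        "firewall, plus static route": pick([sdwan_any_src, vpn, static], fw_wan, True),  # sdwan
    }
```

    The last two cases mirror the thread: with a matching VPN route present, firewall-originated traffic ignores the SD-WAN route until a static route makes route_precedence apply again.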