Radius Authentication over SD-WAN

I have RADIUS authentication working locally from the Sophos Firewall to the local RADIUS server for both VPN and WiFi authentication; however, I am unable to get authentication working from the Sophos Firewall to another RADIUS server at a remote location over the SD-WAN link.

The SD-WAN link is working perfectly from any PC on the network: they can reach the remote Sophos Firewall and anything on the remote network, and vice versa (including ping). If I try to ping from the local Sophos Firewall to the remote network (Diagnostics page, or advanced console) I get 0 replies.

I have checked the configuration and both routing System-generated traffic and reply packets over the SD-WAN are enabled.

Any ideas on why I am not getting system generated traffic over the RED tunnel/SD-WAN?

Version: v20.2 Home - then updated to v21 GA Home

Thanks in advance

Ian



Added TAGs
[edited by: Raphael Alganes at 12:21 PM (GMT -7) on 22 Oct 2024]
  • Suggestion for Sophos: for Source/Destination Networks, it would be useful to have a "System Generated" option, so it can be allowed over specific SD-WAN routes

    Great Idea! 


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thank you, that worked, it means that the firewall now has to control what traffic is allowed down the SD-WAN route rather than the route itself.

    Suggestion for Sophos: for Source/Destination Networks, it would be useful to have a "System Generated" option, so it can be allowed over specific SD-WAN routes

  • Hello  ,

    Thank you for the update. I suggest using the static route for now. 

    To understand further which scenario is being hit, we may need your network diagram with the connectivity details, along with packet captures, to identify which condition from the above-mentioned KBA applies.

    You seem to have pointed to the correct option; however, I suspect one of the below is the case in your scenario:

    1: One WAN interface (default gateway) or static route is necessary for PBR to work for system-originating traffic. You need the WAN interface (default gateway) or static route for proxy traffic to match in the reply path.

    OR 

    2: The SD-WAN policy route (policy-based route) that has higher precedence than the VPN policy route based on the route_precedence configuration will be disregarded by system-originating traffic if a match with the latter policy is made. Sophos Firewall will not follow the route precedence in such a scenario. However, if the system-originating traffic matches a static route, it will apply the route precedence configuration between the static and VPN routes or between static and SD-WAN policy routes.

    Also, like  mentioned, select source as any in SDWAN route and help us with the output.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • OK, but firewall traffic has no defined "source".
    Try with "destination" only (as used in static routes too).


    Dirk


  • SD-WAN source is Local Network (x.x.x.0/24) and destination is Remote Network (x.x.y.0/24).

    Services are Any Service.

    Works perfectly from anything local apart from the router, to anything remote including the remote router and vice versa, so both local and remote routers know the path for reply traffic, but can't process system-generated traffic.

  • Your SD-WAN route configuration only contains the target network as a parameter? (no source, no service)


    Dirk


  • It's RED VPN (Firewall to Firewall) that the SD-WAN is configured over.

    It's more fundamental than just the RADIUS server port; it's the system-generated traffic not being routed over the SD-WAN (as demonstrated above by adding static routing, which then directs the traffic).

  • I have been through that list, and I am not sure which scenario I would be hitting in that KBA, as I am not running any enabled proxy within SF-FW, or am I misunderstanding the proxy term there?

    The requirement for "One WAN interface (default gateway) or static route is necessary for PBR to work for system-originating traffic" is met as I have one WAN interface with the default gateway.

    As suggested, I have tried a static route, and I can then ping from whichever end has a static route enabled, and the RADIUS authentication then passes its tests.

    Thanks

    Ian 

  • Hi Mayur Makvana,

    Which condition exactly do you mean?


    Dirk


  • I would check where (on which interface) the authentication packets leave the firewall.
    (Packet capture with filter host=<RADIUS server> and port=<RADIUS port>.)

    Do you use IPsec RB-VPN for SD-WAN?

    Can you show us your SD-WAN routing definition?


    Dirk
