Sophos Firewall: Configure RADIUS for Enterprise Wireless Authentication with Windows Server 2012

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Overview

This article describes the steps required to set up Microsoft Windows Server RADIUS authentication with the Sophos Firewall for wireless users.

Applies to the following Sophos products and versions

Sophos Firewall

Configure RADIUS on Windows Server

Note:

  • When the Sophos Firewall has its wireless network security mode set to WPA2 Enterprise, Windows NPS network policy with PEAP is required.
  • NPS network policy with EAP doesn't work for a WPA2 Enterprise wireless network.
  • To configure PEAP, please see Configure Certificate Templates for PEAP and EAP Requirements.

Before installing and setting up RADIUS on Windows Server, the Active Directory role must already be installed and configured.

The RADIUS server is part of the Network Policy Server (NPS). On Windows Server 2012, the Network Policy and Access Services role is added from Server Manager > Add Roles and Features.

Follow the wizard as below:

Click Close and restart your server.

Look for Network Policy Server.

Go to NPS (Local) and right-click to select Register server in Active Directory.

Go to NPS (Local) > RADIUS Clients and Servers > RADIUS Clients and right-click to select New.

Set the Sophos Firewall's IP address and the Shared secret. Take note of this shared secret to be used when configuring the Sophos Firewall later.

A connection request policy is needed next. Go to NPS (Local) > Policies > Connection Request Policies and right-click to select New.

Follow the wizard as below. 

In the Specify Conditions page, click Add to add a condition.

Select Client IPv4 Address and click Add.

Insert the Sophos Firewall's IP address and click OK.

Once you click Finish, the Connection Request Policy should look like this.

A Network Policy is also needed for connectivity testing between the Sophos Firewall and the NPS. Go to NPS (Local) > Policies > Network Policies and right-click to select New.

Insert the Sophos Firewall's IP address and click OK.

Disable the Less secure authentication methods that are enabled by default and enable Unencrypted authentication (PAP, SPAP). This policy is used only for testing the connectivity between the Sophos Firewall and the NPS, as shown in the Results section. All wireless users are authenticated through a separate Network Policy that uses Microsoft Protected EAP (PEAP), described below.

Finally, a Network Policy for wireless user authentication is needed. Go to NPS (Local) > Policies > Network Policies and right-click to select New.

Follow the wizard as below.

In the Specify Conditions page, click Add to add a condition.

We need to add two conditions: NAS Port Type and User Groups.

In this example, we added the Domain Users group which includes all domain users. You can restrict the wireless users' group according to your business needs.

In the Configure Authentication Methods page, click Add to select Microsoft Protected EAP (PEAP) and click OK. This PEAP authentication method will be used to authenticate wireless users.

Disable the Less secure authentication methods already enabled by default.

Make sure that the Secure Wireless Connections policy is listed above the SFOS Connectivity testing to Radius policy. Otherwise, wireless users will match the SFOS Connectivity testing to Radius policy first, and NPS will reject their access request.

The Network Policies should look like this. 

Note: You can add more conditions according to your business needs. As an example, the Day and Time Restrictions condition can be used to restrict access to certain days and times.

Go to Accounting and click on Configure Accounting.

Follow the wizard to configure one NPS accounting option. In this example, we used Log to a text file on the local computer.

Configure the Local File Logging as follows and click Next.

Verify the Summary and click Next.

The accounting is now configured, click Close to finish.

Configure Sophos Firewall

Go to Authentication > Servers and click Add. The Shared Secret is the one configured earlier in NPS. The Group Name Attribute is a mandatory field but has no matching attribute in NPS in this example, so it can be set to any value. Turn on Enable Accounting so that the Sophos Firewall sends login and logoff events to the NPS.

Go to Authentication > Services and move the RADIUS server to the top of the list under Firewall authentication methods.

Go to Wireless > Wireless Settings.

Note: In SFOS 17.5 and above, a secondary RADIUS server can be added as a fallback for Enterprise Authentication. Should the primary RADIUS server fail, the secondary server is used, so authentication continues without downtime.

Go to Wireless > Wireless Networks and click Add.

Go to Rules and policies > Firewall rules > Add firewall rule and select New firewall rule to create a rule from WiFi to WAN zones allowing traffic for Wireless users. Also, apply security profiles and controls according to your business needs.

Click Create linked NAT rule and configure according to the screenshot below.

Click Save and then Save also the firewall rule.

Results

Go to Authentication > Servers, select the recently created RADIUS server and click Test Connection. Enter the username and password of a user that already exists in Active Directory and click Test Connection.

The Test Connection should be successful.
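The Test Connection above is answered by the PAP network policy created earlier. The following Python is an added example (not part of the article and not Sophos or Microsoft code) that builds the kind of RADIUS Access-Request such a test sends and checks the Response Authenticator of the reply. It shows why the shared secret must match on both sides and how little protection PAP alone gives the test account's password; the secret, username and password are constructed values.

```python
import hashlib
import hmac
import struct
# Constructed example secret; the real one is whatever was entered in NPS and on the firewall.
SHARED_SECRET = b"example-shared-secret"

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block), first block keyed by the authenticator."""
    blocks = [password[i:i + 16] for i in range(0, len(password), 16)] or [b""]
    prev, out = authenticator, b""
    for block in blocks:
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block.ljust(16, b"\0"), digest))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as NPS performs it with the shared secret."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(payload: bytes) -> dict:
    attrs, i = {}, 0  # type -> value, for the bytes after the 20-byte header
    while i + 2 <= len(payload) and payload[i + 1] >= 2:
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs

def build_access_request(identifier, username, password, secret, authenticator):
    """Access-Request (code 1) of the kind a PAP 'Test Connection' sends to NPS."""
    attrs = (attribute(1, username.encode())                                    # User-Name
             + attribute(2, pap_hide(password.encode(), secret, authenticator))  # User-Password
             + attribute(61, struct.pack("!I", 19)))  # NAS-Port-Type 19 = Wireless-IEEE 802.11
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Access-Accept (2) or Access-Reject (3) with its Response Authenticator (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]  # Code+ID+Length, 16-byte auth, rest
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

A reply that fails verify_response was not produced with the same shared secret, which is the first thing to check when Test Connection fails.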

Optionally, check the Event Viewer in Windows Server to verify which Connection Request Policy and Network Policy were applied; for this test, it should be the SFOS Connectivity testing to Radius network policy.

Now, have a Wireless user connect to the recently created SSID.

The user may be prompted about the NPS server certificate because the client does not yet trust it; the user may ignore the prompt and click Connect. To remove the prompt and let clients validate the server, distribute the certificate of the CA that issued the NPS certificate to the wireless clients.

The user is now connected.

From the Sophos Firewall, go to Wireless > Wireless Client List to verify logged on users.

Optionally, check the Event Viewer in Windows Server to verify which Connection Request Policy and Network Policy were applied; for a wireless user, it should be the Secure Wireless Connections network policy.

To verify logon and logoff accounting events, you can install Wireshark on the Windows Server and filter traffic to the accounting port configured in the Sophos Firewall, which is port 1813 in our example.

Also, you can verify the log file configured earlier in NPS accounting. In our example, it is in C:\Windows\System32\LogFiles.
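As an added check on that log file (not from the article), the following Python reads NPS text-log lines and summarizes, per user, accepted and rejected authentications and accounting Start/Stop sessions, flagging sessions that never received a Stop. It assumes the DTS Compliant log format (one <Event> element per line); the sample lines are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample lines in the shape of NPS "DTS Compliant" text logging
# (one <Event> element per line). Not taken from the article or from a real server.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">12/04/2023 10:01:02.000</Timestamp><User-Name data_type="1">CORP\\alice</User-Name><NAS-Port-Type data_type="0">19</NAS-Port-Type><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">12/04/2023 10:01:02.050</Timestamp><User-Name data_type="1">CORP\\alice</User-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/04/2023 10:01:03.000</Timestamp><User-Name data_type="1">CORP\\alice</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">A1</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">12/04/2023 10:05:00.000</Timestamp><User-Name data_type="1">CORP\\bob</User-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">12/04/2023 10:20:00.000</Timestamp><User-Name data_type="1">CORP\\carol</User-Name><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">C7</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type></Event>
<Event><Timestamp data_type="4">12/04/2023 11:30:00.000</Timestamp><User-Name data_type="1">CORP\\alice</User-Name><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">A1</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type></Event>
"""
# RADIUS packet codes as NPS records them in Packet-Type.
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 2, 3, 4

def parse_events(text: str):
    """Yield one dict per <Event> line: child element tag -> text."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<Event>"):
            yield {child.tag: child.text for child in ET.fromstring(line)}

def summarize(text: str) -> dict:
    """Per user: accepted/rejected authentications and accounting sessions keyed by Acct-Session-Id."""
    users = defaultdict(lambda: {"accepts": 0, "rejects": [], "sessions": {}})
    for ev in parse_events(text):
        user, ptype = ev.get("User-Name", "?"), int(ev.get("Packet-Type", 0))
        if ptype == ACCESS_ACCEPT:
            users[user]["accepts"] += 1
        elif ptype == ACCESS_REJECT:
            users[user]["rejects"].append(ev.get("Reason-Code"))  # non-zero code explains the reject
        elif ptype == ACCOUNTING_REQUEST:
            # Acct-Status-Type 1 = Start, 2 = Stop; interim updates (3) are ignored here
            key = {"1": "start", "2": "stop"}.get(ev.get("Acct-Status-Type"))
            if key:
                users[user]["sessions"].setdefault(ev.get("Acct-Session-Id"), {})[key] = ev.get("Timestamp")
    return dict(users)

def open_sessions(summary: dict) -> list:
    """(user, session id) pairs with a Start but no Stop: still connected, or a lost Accounting-Stop."""
    return [(user, sid) for user, d in summary.items()
            for sid, s in d["sessions"].items() if "stop" not in s]
```

To run it against a real server, read the .log file from the LogFiles folder into `summarize` instead of SAMPLE_LOG.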

Previous article ID: 132912

______________________________________________________________________________________________________________________________________



Added horizontal lines, edited overview, updated table of contents
[edited by: Raphael Alganes at 2:11 PM (GMT -8) on 4 Dec 2023]