RADIUS Auth Fails with new XG Hardware

Hello,

I had a pair of XG330's on V18.0.4 MR-4 running in HA (Active-Passive) with 2 x AP55c AP's.  One device failed and this was replaced by Sophos with an RMA.

During this time I removed the HA config on the remaining XG330. When the replacement hardware arrived, I patched it to the same firmware level and restored the configuration from the current "live" device.  Over the weekend I patched my switches / servers and WAN link into the new XG330. Everything came up and worked except the RADIUS authentication to my Windows 2019 Server. The previous configuration has been working for 2.5 years.

The new XG330 is running as standalone, it's not under HA as yet.

I have 2 wireless SSID's:

  1. One that uses WPA2 with a password for non-company devices.
  2. The second uses RADIUS authentication for Domain joined laptops.

I can connect to the standard WPA2/Password without issues.

I can not connect to the RADIUS Authenticated SSID. I have logged a ticket with Sophos support, but all they gave me on the remote session was the article to configure RADIUS for server 2012. I have looked at the Server 2016 article as well. 

We can see in the windows event log that the user is trying to authenticate but is failing.

Is there something in the certificate that you have to crate with the Sophos RAIUS setup that includes the S/N of the XG330?

Does anyone know what else I should be looking into?

  • An update to how we resolved the issue.

    It turns out it wasn't the replacements XG330's issue, it was a configuration change on the MTU for the LAG between the XG330 and the Switch.

    As part of the deployment of the new XG we also changed the core network switches (Juniper) to 10GB.

    • I changed the Sophos LAG to run a MTU of 9000
    • The Juniper switch also ran MTU 9000 for the 10GB LAG Ports.
    • The 1GB ethernet Juniper ports were still set at MTU 1514 for the ESX Host.
    • The ESX Host's vSwitch MTU was still set at MTU 1500.
    • The Windows AD server still had standard MTU 1500.

    Following the Windows event log ID issues, we found an article that pointed us to add a setting in the RADUIS server for MTU size:

    • Policies / Network Policies
    • <Policy Name>
    • Settings / RADIUS Attributes / Standard
    • Framed-MTU = 1344

    Once we added the MTU setting into the RADIUS, WiFi worked straight away.

  • Thank you for your detailled solution and description of the issue. We also use RADIUS for Wifi VLAN assignment and hope I remember your post when we ever face issues like that after changing MTU.