Central Wireless with Radius Certificate Authentication

Hi,

we try to transfer our UTM-Customer with old AP-Models to Sophos Central Wireless with AP6.

The Customer uses Certificate based Authentication in combination with Windows Server 2019 Network Policy Service and Active Directory integrated Certificate Service.

We set up the new Access Point in Addition to the old ones and configured the network requirements (like VLAN and Interfaces) and named the New SSIDs with Test-WifiName. This is working for all WPA2 Personal Networks. For the internal WPA2 Enterprise Network, the Certificate authentication is not working. 

I can see the request in the Logfile but no Entry in Event Viewer if the reuest was granted or denied. In the Logfile the existing Request- and Network-Policies are processed for the Connection. But it seems like the Certificate is not transfered to Radius.

The Client settings coming by GPO wich is copied and cahnged to new SSID-Name. 

Somebody with the same environment or issue?

Thanks



Added TAGs
[edited by: Erick Jan at 1:22 PM (GMT -7) on 24 Sep 2024]
Parents
  • I am struggling getting AP6 accesspoints connected to a Windows 2022 server, too.
    In my case logging on the Windows Server was a bit weird configured, I couldn't see authentications on the NPS role.
    Firing "auditpol /get /category:*" in an elevated command prompt showed, that no Events were audited for the NPS role.

    Now I can see the authentications, but all are failing because of skipping the connection request policies and defaulting to the "Windows authentication..." policy that is placed on the bottom.
    I configured the connection request policies like I did with APX models, "client friendly name" the same the radius client was named, nas-porttype wireless (IEEE 802.11) and nas-identifier the serial number of the accesspoint.

    Eventlog shows

    NAS:
    	NAS-IPv4-Adresse:		172.20.200.81
    	NAS-IPv6-Adresse:		-
    	NAS-ID:					-
    	NAS-Porttyp:			Drahtlos (IEEE 802.11)
    	NAS-Port:				1
    
    RADIUS-Client:
    	Clientanzeigename:		PRAP6-420-01
    	Client-IP-Adresse:		172.xxxxxxx.81
    
    Authentifizierungsdetails:
    	Name der Verbindungsanforderungsrichtlinie:	Windows-Authentifizierung für alle Benutzer verwenden
    	Netzwerkrichtlinienname:		Verbindungen mit anderen Zugriffsservern
    


    Is there anything different with AP6 compared to APX series regarding NPS?

    My connection request policies:

    And my network policies:


    All was configured as usual following support.sophos.com/.../KBA-000004175

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

Reply
  • I am struggling getting AP6 accesspoints connected to a Windows 2022 server, too.
    In my case logging on the Windows Server was a bit weird configured, I couldn't see authentications on the NPS role.
    Firing "auditpol /get /category:*" in an elevated command prompt showed, that no Events were audited for the NPS role.

    Now I can see the authentications, but all are failing because of skipping the connection request policies and defaulting to the "Windows authentication..." policy that is placed on the bottom.
    I configured the connection request policies like I did with APX models, "client friendly name" the same the radius client was named, nas-porttype wireless (IEEE 802.11) and nas-identifier the serial number of the accesspoint.

    Eventlog shows

    NAS:
    	NAS-IPv4-Adresse:		172.20.200.81
    	NAS-IPv6-Adresse:		-
    	NAS-ID:					-
    	NAS-Porttyp:			Drahtlos (IEEE 802.11)
    	NAS-Port:				1
    
    RADIUS-Client:
    	Clientanzeigename:		PRAP6-420-01
    	Client-IP-Adresse:		172.xxxxxxx.81
    
    Authentifizierungsdetails:
    	Name der Verbindungsanforderungsrichtlinie:	Windows-Authentifizierung für alle Benutzer verwenden
    	Netzwerkrichtlinienname:		Verbindungen mit anderen Zugriffsservern
    


    Is there anything different with AP6 compared to APX series regarding NPS?

    My connection request policies:

    And my network policies:


    All was configured as usual following support.sophos.com/.../KBA-000004175

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

Children