Central Wireless with Radius Certificate Authentication

Hi,

we try to transfer our UTM-Customer with old AP-Models to Sophos Central Wireless with AP6.

The Customer uses Certificate based Authentication in combination with Windows Server 2019 Network Policy Service and Active Directory integrated Certificate Service.

We set up the new Access Point in Addition to the old ones and configured the network requirements (like VLAN and Interfaces) and named the New SSIDs with Test-WifiName. This is working for all WPA2 Personal Networks. For the internal WPA2 Enterprise Network, the Certificate authentication is not working. 

I can see the request in the Logfile but no Entry in Event Viewer if the reuest was granted or denied. In the Logfile the existing Request- and Network-Policies are processed for the Connection. But it seems like the Certificate is not transfered to Radius.

The Client settings coming by GPO wich is copied and cahnged to new SSID-Name. 

Somebody with the same environment or issue?

Thanks



Added TAGs
[edited by: Erick Jan at 1:22 PM (GMT -7) on 24 Sep 2024]
Parents
  • I am struggling getting AP6 accesspoints connected to a Windows 2022 server, too.
    In my case logging on the Windows Server was a bit weird configured, I couldn't see authentications on the NPS role.
    Firing "auditpol /get /category:*" in an elevated command prompt showed, that no Events were audited for the NPS role.

    Now I can see the authentications, but all are failing because of skipping the connection request policies and defaulting to the "Windows authentication..." policy that is placed on the bottom.
    I configured the connection request policies like I did with APX models, "client friendly name" the same the radius client was named, nas-porttype wireless (IEEE 802.11) and nas-identifier the serial number of the accesspoint.

    Eventlog shows

    NAS:
    	NAS-IPv4-Adresse:		172.20.200.81
    	NAS-IPv6-Adresse:		-
    	NAS-ID:					-
    	NAS-Porttyp:			Drahtlos (IEEE 802.11)
    	NAS-Port:				1
    
    RADIUS-Client:
    	Clientanzeigename:		PRAP6-420-01
    	Client-IP-Adresse:		172.xxxxxxx.81
    
    Authentifizierungsdetails:
    	Name der Verbindungsanforderungsrichtlinie:	Windows-Authentifizierung für alle Benutzer verwenden
    	Netzwerkrichtlinienname:		Verbindungen mit anderen Zugriffsservern
    


    Is there anything different with AP6 compared to APX series regarding NPS?

    My connection request policies:

    And my network policies:


    All was configured as usual following support.sophos.com/.../KBA-000004175

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Update to this one: I changed the conditions for the connection request policies from "NAS-ID - Serial Number" to "ClientIPv4 - AP-IP" and it is working now.

    But it would be nice to know if that's a single case or if there is a difference for the AP6 models when connecting to an internal RADIUS compared to the APX models.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Hello there,

    Thank you for contacting the Sophos Community.

    I have reached out internally to see if there’s any change in the way AP6 Radius authenticates compared to APX.

    I will update the thread once I hear back or by Wednesday Nov 27 End of the day.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply Children
No Data