
Using Radius over VPN Problem

Good morning,

 

I've got the following situation:

In our headquarters, we've got a Sophos SG230 and a Microsoft Windows 2016 Server running NAP for RADIUS authentication.

In addition, I have also activated Active Directory authentication so that users can log in to the portal.

I've configured the RADIUS authentication in Sophos UTM and it's being used by Wireless Protection to authenticate the users.

Everything works fine. The users can log in at the Sophos UTM portal and they can connect to the wireless LAN using their Windows login credentials.

At the branch office site, we've got an SG125.

I have also activated Active Directory authentication and RADIUS authentication here.
Both locations are connected via SSL VPN. The rule between the locations is an ANY rule, so all ports are open.
Active Directory authentication runs without problems. Users can also log on to the SG125 portal with their Windows credentials.
However, the RADIUS authentication does not work.
The test to check the server settings already fails.
I don't see any requests arriving at the RADIUS server.
Does anyone have an idea why the requests do not arrive at the RADIUS server although the Active Directory requests arrive? (It is the same server.)

When I try to test the settings on the SG125 I get: Error: timed out waiting for packet
  • Hello Christoph - your first post - welcome to the UTM Community!

    Please show pictures like the following for the RADIUS server in both locations:

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is the screenshot from the head office.

    The RADIUS server is in the local network; when I hit the Test button, the test passes successfully.

    Here is the screenshot from the branch office.

    When I hit the Test button here, I get the message that there is an error: timed out waiting for packet.

    The VPN tunnel between these two sites is connected and there is an any-to-any rule, so there shouldn't be any problems.

    My guess is that when the branch office UTM tries to connect to the address 10.50.2.1, it uses the public address and/or doesn't send the data over the VPN tunnel.

  • Your last sentence is correct, I think.

    Use a SNAT to your LAN address for access to 10.50.2.1

  • Hey, I tried your tip but it doesn't work.

    I made an SNAT rule on the branch firewall:

    Traffic from: any
    Service: any
    Destination to: 10.50.2.1

    Change the source to: 10.50.1.1 (internal address of the firewall)

    I checked the logs on the NPS server. The requests came from 10.242.2.6, which is the address of the SSL VPN tunnel.

    Do you perhaps have another idea how to manipulate the address?
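
The behaviour reported in this post (SNAT configured, yet NPS still sees the tunnel address) can be modelled to decide which address the head office NPS must recognise as a RADIUS client. The following Python script is an added example, not code from this thread, from Sophos or from Microsoft. It assumes, as the log evidence in the post suggests, that the SNAT rule does not rewrite traffic the UTM generates itself, so the source address is whatever the route to 10.50.2.1 selects; the routing table, the NPS client list and the NPS log lines are constructed from the addresses named in the thread (10.50.2.1 NPS, 10.50.1.1 branch LAN address, 10.242.2.6 SSL VPN tunnel address), and the "invalid RADIUS client" event text is modelled on the wording NPS uses when it silently drops a request from an unregistered client, which to the sender looks exactly like a timeout.

```python
"""Model which source IP a UTM-originated RADIUS request carries and whether
NPS will answer it.  Added example; routes, client lists and log lines are
constructed, not taken from the thread's screenshots."""
import ipaddress
import re

# Constructed routing table of the branch UTM (SG125):
# (prefix, egress interface, source address used for locally generated packets)
BRANCH_ROUTES = [
    ("10.50.1.0/24", "eth0", "10.50.1.1"),      # branch LAN
    ("10.50.2.0/24", "tun0", "10.242.2.6"),     # HQ LAN, reached through the SSL VPN
    ("0.0.0.0/0",    "eth1", "198.51.100.10"),  # WAN (RFC 5737 documentation address)
]

# Constructed NPS event log lines, modelled on the NPS event wording.
SAMPLE_NPS_LOG = [
    "Event 13, NPS: A RADIUS message was received from the invalid "
    "RADIUS client IP address 10.242.2.6.",
    "Event 6272, NPS: Network Policy Server granted access to a user.",
]

NPS_INVALID_CLIENT = re.compile(r"invalid RADIUS client IP address (\d+\.\d+\.\d+\.\d+)")


def select_source(dst, routes=BRANCH_ROUTES):
    """Longest-prefix match.  Returns (interface, source_ip) the UTM itself
    would use when *it* sends the RADIUS test; SNAT rules are assumed not to
    apply to firewall-originated traffic, so the tunnel address stays."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def nps_would_accept(src, registered_clients):
    """NPS only processes requests whose source matches a registered RADIUS
    client entry (single address or subnet); anything else is dropped without
    a reply, which the sender reports as a timeout."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c) for c in registered_clients)


def rejected_sources(log_lines):
    """Pull the source addresses NPS rejected as unknown clients out of its log."""
    return [m.group(1) for line in log_lines if (m := NPS_INVALID_CLIENT.search(line))]


def diagnose(dst, registered_clients, log_lines):
    """Combine the route lookup with the NPS client list and the NPS log."""
    iface, src = select_source(dst)
    return {
        "egress": iface,
        "source": src,
        "accepted": nps_would_accept(src, registered_clients),
        "rejected_sources": rejected_sources(log_lines),
    }


if __name__ == "__main__":
    # HQ NPS knows only the head office UTM and the branch LAN address (constructed).
    result = diagnose("10.50.2.1", ["10.50.0.1/32", "10.50.1.1/32"], SAMPLE_NPS_LOG)
    print(result)
    if not result["accepted"]:
        print(f"Register {result['source']}/32 as a RADIUS client on NPS, "
              "or change the routing so the request leaves with a registered address.")
```

Running the script shows the request leaving `tun0` with source 10.242.2.6, which the constructed client list does not contain, matching the rejected source found in the log. The narrowest fix on the NPS side is to register that one tunnel address (with the same shared secret) rather than the whole SSL VPN pool, since every address in a pool registered as a RADIUS client is then trusted to submit authentication requests.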

  • Hello Christoph,

    For both sites, please show pictures of the Edits of the IPsec Connection, the Remote Gateway and the 'Preshared Key Settings' on the 'Advanced' tab.  Also tell us if either UTM is behind a NATting router and so doesn't have a public IP on its External interface.

    Cheers - Bob

  • Hey,

    I'm using SSL VPN.

    We've got many sites. If I used IPsec, I would have to build many tunnels instead of using one SSL tunnel.

  • I'm confused about this, Christoph.  I agree with papa_ that it's a routing problem.

    A picture of a hand-drawn diagram of devices with IPs would help.

    So the two locations are connected by a site-to-site tunnel?  Please show the Edit of the Server side of the SSL Connection and identify which site is the Server.

    If you are also using SSL Remote Access, also show the Edit of the Remote Access Profile and identify the site that is being connected to.  Also tell us if both sites have SSL VPN Remote Access active.

    Cheers - Bob

  • Hey,

    I tested a few more things and found out that the request reaches the NPS server from the IP address 10.242.2.7; this is an address from the SSL VPN pool.

    So it seems to be a NAT problem.

  • Christoph, please show a picture of the Edit of the Server side of the SSL Connection.

    Cheers - Bob
