
Radius not working for one RED branch office

Hey there,

I have 3 REDs deployed and one HQ firewall with 5 other branches connected through managed MPLS.

After exchanging the internet router at one RED branch the wireless authentication for the notebooks stopped working. This is only happening in this office.

I am already working with a partner and Sophos on this, but it does not seem that there will be a solution. We traced the packets to and from the RADIUS server (Windows 2012 R2 NPS), which I migrated from a Win 2008 because Sophos said it has something to do with the RADIUS server (how can it be the RADIUS server if it works for 7 other offices?), but it just gets no Accept.

There is also no log entry in the event log. The accounting log says "Everything OK! Access granted"

The RED has (now) an external IP from the router. The router has no firewall and the connection is stable.

We have the same configuration in another office in Vienna and there the wireless works fine.

I have now set up a wireless network with PSK, but this cannot be the solution.

Can anyone help me with this?

Best regards

Stephan



  • Hi Stephan,

    Please show us the picture of the configurations. Can you also show us a network diagram simply showing the remote office which is facing this issue and how is it connected to the UTM? Also, which wireless device is configured? 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Here is a simple network diagram. Nothing special.

    Here is the configuration of the RED

    Interface (DHCP is performed by the Domain Controller)

    In my opinion the problem is that when performing RADIUS EAP or PEAP with a certificate, the whole certificate chain is sent.

    (It's somehow described here: http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/118634-technote-eap-00.html)

    But setting the Frame-MTU does not work. Wireshark does not show fragmented IP packets anymore, but it still does not work. It is either the RED interface or the router which cannot handle these packets.

    This is how it looks when I do not set the Frame-MTU. The fragmented protocol vanishes if I set it, but it does not work either.

  • Another important issue:

    When I authenticate from the HQ, the certificate chain is not sent with the "Access-Challenge" and the packet does not get so big. I checked the "Access-Request" line by line but could not see anything different.

  • Stephan, in the opening post, you said, "There is also no log entry in the event log."  Do you mean the RADIUS log on the WinServer or ???

    Since you're using a Split tunnel, I have to ask if you've added the Magic IP, 1.2.3.4, to the tunnel.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    there is no entry in the event log of the Windows Server. The Magic IP is added. If I delete the APs, they come back ;)

    At the moment the last thing I/we can think of is that the new router must have something to do with it. I will travel there on the weekend and exchange it with another one (or not attach it directly to the router). I cannot use the current user as a bridge.

  • Hello everyone,

    it was the Swisscom Centro Business 2 router which caused the problem. I have now attached the router to a switch, where I created an untagged VLAN with 2 ports, and also attached the RED to this switch. And now it works.

    I don't know what the router is doing, but it is doing it wrong.

    So case closed and solved.

  • Hi Stephan,

    thanks a lot for the thread. Today I had the same issue with a Kabel-BW router. I came to this thread by searching for "sophos "access-challenge"" (found this in the packet captures).

    Someone facing this issue will maybe see something like this in the wireless.log:

    hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: disassociated
    hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
    hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: authenticated
    hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.11: associated (aid 1)
    awelogger[6055]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="MYSSID" ssid_id="WLAN1.0" bssid="aa:bb:cc:dd:ee:ff" sta="aa:bb:cc:dd:ee:ff" status_code="0"
    awelogger[6055]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="MYSSID" ssid_id="WLAN1.0" bssid="aa:bb:cc:dd:ee:ff" sta="aa:bb:cc:dd:ee:ff" status_code="0"
    hostapd: wlan0: STA aa:bb:cc:dd:ee:ff IEEE 802.1X: STA identity 'wlan'
    hostapd: wlan0: RADIUS No response from Authentication server 10.1.1.1:414 - failover

    Then I decided to adjust the RED's MTU on the interface in WebAdmin to 1300. After I had done that, the issue was gone and all clients connected.

    This thread helped me to find the solution.

    Thanks a lot.