
Setting up RADIUS Auth for Wireless

Hi all, looking for a little advice regarding RADIUS setup for our wireless network.

We are currently using Aerohive/Extreme for wireless. The system is cloud managed so we don't have any controller or management box onsite for this. I'll try to explain our setup a little.

We have two physical connections to our XG firewall, an inside interface and an outside interface.

Our wireless access points are on a management VLAN which is 1081 (10.8.12.0/22) which is tagged on the inside interface. DHCP is enabled on this VLAN and the Sophos XG controls this. We have a firewall rule that states anything on that VLAN can get out to the internet, along with a NAT rule. The APs connect to the network, receive an IP address from the XG and can get out to the internet to connect to the cloud management so this is all OK at this point.

Our guest network is just a standard SSID on a different VLAN which is also tagged on the inside interface of the XG. We can connect to this and internet works, IP addressing is correct and everything works great.

We also have a wireless network for our staff and students that works similarly to the guest network, however users authenticate using RADIUS, and this is where our issue comes in.

Ideally, I would like a user to authenticate to the SSID, the auth packets should be sent to the Sophos XG from the access point on VLAN 1081. The XG should then send the RADIUS auth request to the domain controller. The domain controller is on VLAN1 (172.16.0.0/16) which is also tagged on the inside interface of the XG.

I am convinced that I did get this working yesterday, but now I am not so sure. Essentially I want the XG to act as a relay for the RADIUS packets and send them on, but I am not sure if this is possible. Or if we can have the XG performing RADIUS auth itself to the DC.

If I do a packet capture on an access point, I can see the following happening:

2020-10-22 10:28:04  PortD1.1081  IPv4  10.8.15.239  10.8.12.1  UDP  57650,1812  0  0  Violation  Local_ACL

10.8.15.239 is the access point that is receiving the logon request from the client. The AP is set up to send RADIUS packets to 10.8.12.1 which is the 1081 VLAN for wifi management and should hit the inside interface on the XG. It is then showing a violation for Local_ACL. Not sure if I can rectify this?

Thanks.
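To test the RADIUS leg independently of the access point, it helps to be able to build and decode the exact datagram the AP sends to UDP/1812. The following is an added example (not code from the post or from Sophos/Aerohive) that encodes an RFC 2865 Access-Request with PAP User-Password hiding and parses it back; the username, password and shared secret are made-up test values, and the NAS-IP-Address uses the AP address 10.8.15.239 from the capture.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 1, 2, 4

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    # where "previous block" is the Request Authenticator for block 1, then the hidden block.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (xored if hide else block)
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16 if password else 16)  # pad to 16-byte multiple
    return _pap_xor(padded, secret, authenticator, hide=True)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # type, length, value

def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Encode an Access-Request as the AP (the NAS) sends it; nas_ip is the AP's own address."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable; fix it only in tests
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes) -> dict:
    """Decode the header and attributes; reject datagrams whose length field does not match."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    out, pos = {"code": code, "identifier": identifier, "authenticator": pkt[4:20], "attrs": {}}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out["attrs"][atype] = pkt[pos + 2:pos + alen]
        pos += alen
    if ATTR_NAS_IP in out["attrs"]:
        out["nas_ip"] = socket.inet_ntoa(out["attrs"][ATTR_NAS_IP])
    return out
```

Sending the packet from a host on VLAN 1081 with a plain UDP socket and watching for an Access-Accept/Reject (code 2/3) or a timeout shows whether the drop is the XG rule or the RADIUS server itself.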



  • Hi David

    As I understand it, the RADIUS server is on your DC. In this case, did you try to configure the AP to send the packets directly to the IP of the RADIUS server instead of entering the IP of the XG? To do this, set up a firewall rule allowing this connection and test.