Windows Server 2012 NPS, Radius SSO Accounting Messages

Hi

I've set up Radius authentication according to this KB: https://community.sophos.com/kb/en-us/127328

Wireless authentication works without any problems.

But I've also checked "Accounting" and set the port to 1813.

In my NPS I've set up a Radius Server Group and set: send accounting messages to <IP of Sophos XG>, port 1813. I've changed the Connection Policy to forward accounting messages to my Radius Server Group (Sophos XG). But my Sophos XG does not receive any accounting messages. I've installed Wireshark on the server which is running NPS. There is no traffic on port 1813 UDP.

What can I do to receive accounting messages?



This thread was automatically locked due to age.
  • Hi,

    First of all, I'll try to give you some more detailed information about my setup:

    I use Radius Enterprise Authentication for my Wireless Clients:

     

    Here are my Radius Settings:

    The Server IP is pointing to my Windows Active Directory Server. On that server I've set up the Network Policy and Access Services role as described in the link above.

     

    My wireless users can now successfully authenticate themselves with their Active Directory username + password when they connect to the SSID for the first time.

     

    But if I enable "Match known users" in my firewall rule, the wireless clients can't connect to the internet, and I don't want them to use the captive portal because - in theory - they are already authenticated via Radius / WPA2 Enterprise.

    In my understanding the checkbox "Enabled accounting" should work as a single sign-on mechanism when somebody connects to the SSID?

     

    I've also added the Radius Server as a Firewall authentication method. 

     

    So my first question is:

    How can I do such a single sign-on for my wireless clients, so that I can use "Match known users" in my firewall without a captive portal?

     

    Second question:

    Under "Services" I find "SSO using Radius accounting request". Is there something I need to configure too?

     

     

    My Access Points are Sophos AP100
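
When checking whether anything reaches UDP 1813, it helps to decode the datagrams and confirm they are Accounting-Requests carrying a user name and client IP. The parser below is an added example, not part of the original post and not Sophos or Microsoft code; it follows the RFC 2866 packet layout, does not verify the Request Authenticator (that needs the shared secret), and its sample packet (user `jdoe`, IP `192.0.2.10`) is constructed.

```python
import socket
import struct

# Codes and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting_request(data: bytes) -> dict:
    """Parse one RADIUS Accounting-Request datagram; ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request (4)")
    if length < 20 or length > len(data):
        raise ValueError("length field does not match the datagram")
    result = {"id": ident, "user": None, "framed_ip": None, "status": None}
    pos = 20  # attributes start after code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            result["framed_ip"] = socket.inet_ntoa(value)
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            result["status"] = STATUS.get(number, str(number))
        pos += alen
    return result

def build_sample() -> bytes:
    """Constructed sample packet (zeroed authenticator, not a real capture)."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, b"jdoe"),
                         (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
                         (ATTR_FRAMED_IP, socket.inet_aton("192.0.2.10"))):
        attrs += bytes([atype, len(value) + 2]) + value
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_accounting_request(build_sample()))
```

The same function can be fed the UDP payload of packets exported from a Wireshark capture on port 1813.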
