SOPHOS+UniFi Windows NPS Authentication

Hi,

I have a RADIUS server working fine with no issues (without firewall integration). I have my lab set up as follows:
Perimeter firewall (SOPHOS) working as DHCP IP distributor
HP switches (VLANs configured)
UniFi access point
Windows AD + DNS on one server
Windows NPS + ADCS on another server

I created a self-signed certificate and configured my UniFi AP, firewall and HP switch accordingly to distribute IPs based on Corporate Network
and Guest users; it is working fine with no issues. Since UniFi does not have the option of "Simultaneous Login Restriction", I opted to configure it using the firewall.
I added my RADIUS server details in my firewall under "Authentication ---> Server & Services", and in the NPS server under RADIUS Clients I added my firewall IP, which
is 192.168.172.1; my UniFi AP IP is 192.168.172.55 (static IP). The "Test Connection" in the firewall also succeeded. When a user tries to connect to the WiFi SSID of my UniFi,
it halts with "Authentication Pending", and when I check the NPS event log it shows "Event ID 13: A RADIUS message was received from the invalid RADIUS client 192.168.172.55". Can anyone please help me to complete this?



  • Try to complete this setup like in this KBA: https://community.sophos.com/kb/en-us/127328


  • Thanks for the reply. Following that article only sets up the firewall and NPS; when connecting to the WiFi I receive the error "Received from Invalid RADIUS Client", which shows my AP IP.

    As explained above, I am using a UniFi access point whose IP already exists in my SOPHOS firewall. In the UniFi AP configuration under the RADIUS option I entered my RADIUS server IP. I don't know if I speculate right: under the AP RADIUS server details, instead of the RADIUS server IP, should I give my firewall IP?

    Attached Pictures are for reference.

  • I am not quite sure about the client, but the RADIUS client should be the XG firewall.

    Do you have a contact at UniFi to get this checked by UniFi?

    Found an old post in the Sophos Community about the framed IP, but this should only be necessary for RADIUS accounting.

    https://community.sophos.com/products/xg-firewall/f/authentication/91423/sso-radius-with-microsoft-nps-for-authenticating-wireless-ubiquiti-access-points


  • Yes, I checked with UniFi support but, my bad luck, the support person, instead of giving any clue, just said they do not support 3rd-party devices!

    I configured according to the previously shared article; unfortunately, that article makes no mention of any AP configuration, so I cannot understand how the setup is completely configured.

  • Are you capable of analysing tcpdumps in Wireshark?

    It would be possible to dump those RADIUS requests into one tcpdump, download this dump and check out the dump in Wireshark.

    Afterwards you would be able to simply google the outcome of those invalid RADIUS requests to get a clue about what is going on.

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    Unfortunately I do not have any RADIUS-framed infrastructure to give you any hint, but the process above would be my way to go to get a better understanding of what is going on.


  • Hi,

    Have you set up Connection Request Policies for wireless connections?

    I also made my RADIUS auth following this guide and everything works. For sure, to connect my XG to user RADIUS auth, I have my XG as a RADIUS client and each of the UniFi APs as a RADIUS client.

    Here my auth conditions:


    For sure, when Sophos is a RADIUS client you can only auth users on the XG, not on UniFi (directly to WiFi); UniFi has to have its own config on the server, as you mention on the screens.
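    As an added example (not part of any post in this thread), the check the reply above implies, run on the NPS server: list the RADIUS clients NPS already trusts, read recent Event ID 13 entries from the System log, and register a NAS that is sending requests but is not yet a client. The client names, the expected-NAS table and the secret prompt are assumptions for illustration; only the two IPs come from the thread.

```powershell
# Added example, not from the thread: reconcile NPS Event ID 13 ("invalid RADIUS client")
# sources against the registered RADIUS clients on this NPS server.
# Client names and the expected-NAS table are placeholders; the IPs are the ones from the thread.
Import-Module NPS

# Devices that are supposed to send RADIUS to NPS: the XG firewall and the UniFi AP.
# The AP talks to NPS directly, so it needs its own client entry alongside the firewall.
$expectedClients = @{
    'XG-Firewall' = '192.168.172.1'
    'UniFi-AP'    = '192.168.172.55'
}

# Addresses NPS already accepts requests from.
$registered = Get-NpsRadiusClient | Select-Object -ExpandProperty Address

# NPS writes Event ID 13 to the System log (source "NPS"); pull the source IP out of each message.
$rejected = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } } |
    Sort-Object -Unique

foreach ($ip in $rejected) {
    $name = ($expectedClients.GetEnumerator() | Where-Object { $_.Value -eq $ip }).Key
    if (-not $name) {
        # A device you did not plan for is sending RADIUS to NPS: investigate it, do not add it blindly.
        Write-Warning "Event ID 13 from $ip, which is not an expected NAS."
        continue
    }
    if ($registered -contains $ip) {
        # Already registered but still rejected: usually a shared-secret mismatch or a disabled entry.
        Write-Host "$ip ($name) is registered; check its shared secret and that the client is enabled."
        continue
    }
    # Register the missing NAS; the secret must be the same one configured on the device.
    $secure = Read-Host -Prompt "Shared secret for $name ($ip)" -AsSecureString
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
    New-NpsRadiusClient -Name $name -Address $ip -SharedSecret $plain | Out-Null
    Write-Host "Registered $name ($ip) as a RADIUS client."
}
```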

  • Thanks for the reply. When I enable both the UniFi AP and Sophos XG as RADIUS clients and configure the NAS Port Type to "Wireless - Other" or "Wireless - IEEE 802.11", the WiFi gets connected successfully. I doubt which one is authorizing here, the firewall or the AP?

    The major purpose of this setting is to "Restrict Simultaneous Login Authentication" using Sophos XG, since UniFi does not have such an option.