
Sophos XG and Ubiquiti APs

Hi,

 

I just found this, is the bottom solution still correct?

https://community.sophos.com/products/xg-firewall/f/authentication/91423/sso-radius-with-microsoft-nps-for-authenticating-wireless-ubiquiti-access-points

Here is my scenario

We recently switched over from Smoothwall+Ruckus to Sophos+Unifi for our Firewall/wifi solution.

In the previous config the user would log onto the guest WiFi (we are a school, by the way) and get to a landing page where they would install the Smoothwall cert for HTTPS scanning. There was a link to the Ruckus logon page where the user logged on using their school username and password, and the user would be authenticated against RADIUS and put in the right filtering group. As far as I remember, the Ruckus setting pointed to AD for credential checking and then Smoothwall for RADIUS accounting.

I would like to mirror this with Unifi and Sophos, but am struggling.

I have RADIUS set up and working with both Sophos and the Unifi controller (I can't see many logs on either of these to help me).

I've tried setting it up as previously but the user doesn't get put into groups, they get the Sophos logon page.

I've added all the access points, the controller and Sophos to the RADIUS clients section on the Windows server; when I do a test, the logs in Windows show it's successful.

From what I have read, I think I should now point both the RADIUS authentication and accounting to the Windows server, which will then redirect accounting to the Sophos server to get its groups. I've tried both ways but neither works.

Can anyone help with some pointers please, or say whether this is actually possible with these two vendors?

Any help would be appreciated



  • So are you saying no third party can pass on accounting info to the firewall?

    Why does it have SSO using RADIUS accounting request in the authentication section then?

  • I am not after authentication, I want accounting working.

    This is the same issue which says it should work.

    ...

  • It should work.

    I would strongly guess your RADIUS server is not forwarding the proper accounting information.

    You need to dump the traffic and check whether the Framed-IP packet is correct.

  • As mentioned, the critical piece of this is whether UniFi sends a standard FRAMED-IP-ADDRESS attribute along with the user information; otherwise the XG will just see a user name and no associated IP address (I'm assuming you are using an NPS server for AD user authentication).

    I've had no problem getting this working on Meraki, Ruckus and Aruba. I've seen that UniFi doesn't (or didn't) send this information, but that's based on an article that is a few years old. I'd be surprised if it didn't do that by now.

    Regards

  • So is the Framed packet that Sophos gets coming from the RADIUS server or the Unifi box? I've tried setting it up inside Unifi to point to RADIUS for auth and Sophos for accounting, and also all pointing to RADIUS.

    Am I looking at the Sophos logs for the Framed packets?

  • This information is sent from the Ubiquiti APs or WLAN controller; it is not added by the NPS server nor by the XG. You want to network-sniff the accounting messages coming into the XG, either from the CLI (tcpdump port 1813) or on a PC that mirrors the XG port. The accounting message is in clear text and easy to understand. If there's no username and IP address of their client, that is more than likely the issue.

    I've only ever set it up so that the authentication and accounting messages are forwarded to the NPS server, and in there set the forwarding of the accounting messages to the XG.

    Alternatively, ask UniFi if their kit sends this information yet. I think it's pretty standard (and basic) stuff, so there's no reason for it not to.

    There's a hard limit of 16 RADIUS Accounting hosts you can have on the XG, so you definitely want to forward as much as possible via a single point.

  • Hi,

    I'm just revisiting this as I have a bit more time.

    I've dumped what's being sent to the XG box from Unifi on port 1813:

    Ethernet header
    Source MAC address:74:83:c2:7e:58:1f
    Destination MAC address: 7c:5a:1c:51:37:5c
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:192.168.100.12 (UNIFI)
    Destination IP address:192.168.100.1 (XG)
    Protocol: UDP
    Header:20 Bytes
    Type of service: 0
    Total length: 220 Bytes
    Identification:53993
    Fragment offset:16384
    Time to live: 64
    Checksum: 7625

    UDP Header:
    Source port:36429
    Destination port: 1813
    Length: 200
    Checksum: 6855
    Checksum: 5643

    There's no info about the user in this, but the hex & ASCII detail does show the username, the SSID and the MAC address of the client... not the IP, though.
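The two posts above (sniffing the accounting messages on port 1813, then reading the hex decode for a username with no client IP) boil down to one check: does the Accounting-Request carry a Framed-IP-Address attribute next to User-Name? The following is an added example, not code from Sophos, Ubiquiti or anyone in this thread. It builds two constructed Accounting-Request datagrams (one with Framed-IP-Address, one without, mirroring the symptom reported here), decodes them per RFC 2866, verifies the Request Authenticator against the shared secret, and reports which SSO-relevant attributes are missing. The secret, usernames, MAC addresses and IPs are made-up values.

```python
"""Decode a RADIUS Accounting-Request (RFC 2866) and check whether it carries
the attributes a firewall doing SSO-by-accounting needs: User-Name plus
Framed-IP-Address. Added example, not vendor code; all sample data is constructed."""
import hashlib
import ipaddress
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(secret, ident, attrs):
    """Build an Accounting-Request. RFC 2866 s.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_radius(packet):
    """Split a raw RADIUS datagram (the UDP payload) into header fields and
    a list of (type, value) attributes, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def verify_acct_authenticator(packet, secret):
    """True if the Request Authenticator was computed with this shared secret.
    A receiver that validates it silently drops packets from a NAS configured
    with the wrong secret, so rule this out before hunting for missing attributes."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def check_sso_fields(packet):
    """Extract what an SSO-by-accounting consumer keys on and list what is missing."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % parsed["code"])
    found = {}
    for atype, value in parsed["attrs"]:
        if atype == USER_NAME:
            found["user"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP_ADDRESS and len(value) == 4:
            found["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == CALLING_STATION_ID:
            found["client_mac"] = value.decode("ascii", "replace")
        elif atype == CALLED_STATION_ID:  # APs commonly send "<AP MAC>:<SSID>" here
            found["called_station"] = value.decode("ascii", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            found["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "other")
    found["missing"] = [k for k in ("user", "framed_ip", "status") if k not in found]
    found["usable_for_sso"] = not found["missing"]
    return found


# Constructed samples (made-up secret, user, MACs and addresses): a complete Start
# record, and the same record with Framed-IP-Address left out.
SECRET = b"example-shared-secret"
COMMON = [
    (USER_NAME, b"jsmith"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.12").packed),
    (CALLED_STATION_ID, b"02-00-00-00-00-01:School-Guest"),
    (CALLING_STATION_ID, b"02-00-00-00-00-02"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
    (ACCT_SESSION_ID, b"5f3c1a2b"),
]
GOOD_PACKET = build_acct_request(
    SECRET, 7, COMMON + [(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed)])
NO_IP_PACKET = build_acct_request(SECRET, 8, COMMON)

if __name__ == "__main__":
    for label, pkt in (("with Framed-IP-Address", GOOD_PACKET), ("without", NO_IP_PACKET)):
        print(label, "| authenticator ok:", verify_acct_authenticator(pkt, SECRET))
        print("   ", check_sso_fields(pkt))
```

To run this against a real capture, pass the UDP payload bytes of a port-1813 datagram (for example exported from Wireshark, or read from a tcpdump pcap with any pcap library) to `check_sso_fields`; a `missing` list containing `framed_ip` is exactly the "username and MAC but no IP" situation described in the post above, and a failing `verify_acct_authenticator` points at a shared-secret mismatch rather than a missing attribute.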

  • I'd urge you to check with UniFi to make sure there's nothing that needs to be done from that end; only the controller can add that field. I've not looked at an accounting packet recently, but I'm pretty sure you can see the IP address in the hex decode.

    I've recently seen a site using UniFi working OK with RADIUS accounting (sent via NPS as they were authenticating their users via AD, then forwarded on to the XG).

    Regards

  • Hi,

    Thanks for the reply. 

    I've asked the question of UniFi; it's on the latest firmware update, so will wait for them to get back to me.

    I'm trying to get my head round this, so apologies if this is basic stuff.