WiFi with RADIUS Server behind VPN Tunnel

Hello Community,

I have a Sophos XG with firmware 18GA-379, an APX320 and a VPN tunnel to a Windows NPS server for RADIUS authentication. The configuration I have done is as described in the article, except that the WLAN is configured "Bridge to AP-LAN": https://community.sophos.com/kb/en-us/122790

Unfortunately the whole authentication does not work. At the other end of the VPN tunnel is a Sophos UTM firewall. When a client tries to connect to the WLAN, I can't see any RADIUS requests with a tcpdump on the UTM. Conversely, when I click "Test Connection" in the RADIUS configuration on the Sophos XG, I do see requests to the RADIUS server and the corresponding responses in the tcpdump.

When setting up a RADIUS server behind a VPN tunnel, are there any special settings to make?

Thanks,

Ben



  • FormerMember

    Hi,

    Could you please enable client authentication for the VPN zone? Navigate to Administration > Device Access > Authentication Services.

    Please update us if that does not work; you might have to add an IPsec system route.

    Thanks,

  • Hi H_Patel,

    Switching on "client authentication" for the VPN zone does not change anything.

    After I added the "system ipsec route" and "sys-traffic-nat" it works.

    console> system ipsec_route add host <my_nps_server_ip> tunnelname <my_Tunnel_to_nps>
    console> set advanced-firewall sys-traffic-nat add destination <my_nps_server_ip> snatip <my_site_firewall_ip>


    Thanks for your hints,

    Ben
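The two console commands above make the firewall's own RADIUS traffic take the tunnel and carry a source address the far side accepts. A quick way to confirm the path end-to-end, independently of the AP, is to send a single Access-Request from a host inside the tunnel's local subnet and check the reply. The following is an added example written for this thread, not code from Sophos or from the original posters: it builds an RFC 2865 Access-Request (User-Name, User-Password, NAS-IP-Address), validates the Response Authenticator of whatever comes back, and can bind the UDP socket to a chosen source address so you can test exactly the address your SNAT rule produces. The server IP, shared secret, user and source address at the bottom are placeholders you replace with your own.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply checker.

Added example for testing a RADIUS server reached through an IPsec tunnel;
not code from the Sophos thread it accompanies. All addresses and secrets
are constructed placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one Type-Length-Value attribute; the length byte counts the type and length bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long for RADIUS")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous ciphertext block)."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password (what the server computes); trailing NUL padding is stripped."""
    if not encoded or len(encoded) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Return (packet, request_authenticator). The authenticator is random unless one is supplied."""
    auth = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server-side construction of a reply (used here only to exercise verify_response offline)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_header(packet):
    """Return (code, identifier, length, authenticator, attributes) after basic length checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    return code, ident, length, packet[4:20], packet[20:length]


def verify_response(response, request_authenticator, secret, expected_id):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    try:
        code, ident, length, resp_auth, attrs = parse_header(response)
    except ValueError:
        return False
    if ident != expected_id:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def send_and_check(server_ip, secret, username, password, source_ip, port=1812, timeout=3.0):
    """Send one Access-Request bound to source_ip and describe the outcome.

    Assumption: source_ip is an address the tunnel selectors (or the SNAT rule) will carry.
    """
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, source_ip, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, port))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response: request never reached the server, or the reply never came back"
    if not verify_response(response, req_auth, secret, ident):
        return "response failed the authenticator check: wrong shared secret or spoofed reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(response[0], "code %d" % response[0])


if __name__ == "__main__":
    # Placeholder values; replace with your NPS address, shared secret, test account and the source IP to test from.
    print(send_and_check("192.0.2.10", b"shared-secret-placeholder", "testuser", "testpass", "198.51.100.1"))
```

Run it from a machine whose address is inside the tunnel's local network while capturing on the UTM side; a timeout with no packet in the capture points at routing or selectors on the XG, a packet that arrives but gets no reply points at the NPS client definition or shared secret, and a reply that fails the authenticator check means the secret differs between the two ends.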
