This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem setting up WPA2-enterprise Wifi

Hi everybody,

I've got some difficulties setting up a Wifi access with 802.1x authentication. My setup consists in a XG330 firewall and APX120 access points.

I've followed these 2 guides:

- https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122559/sophos-xg-firewall-wireless-and-radius-authentication-on-windows-server-2016

I've got a MS CA configured on a W2016 server and a NPS Server on the same machine.

CA template is configured as stated by MS here:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

NPS server auto-enroll a certificate based on this template, and this certificate is present in the machine certificate store of the NPS server.

Connection test from radius XG interface is successful, and is logged on the NPS server. But when I try to connect a laptop to the SSID, it ends with an error 23 on the XG side, and nothing is logged on the NPS.

Can someone point me to the correct way to solve this problem?

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 4 years ago in reply to Christian Fournier +1 verified

Try static - Sdwan VPN

Parents

0 Ben@Network over 4 years ago
Hello Christian,

you can 'tcpdump' the traffic between your XG and the NPS Server (XG/Advanced Shell):

tcpdump -i any udp port 1812 -vv

With this tcpdump you see the RADIUS communication. To get better logs (in windows security log) you can use this command on NPS Server:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Regards,

Ben
format
[edited by: Ben@Network at 7:52 PM (GMT -7) on 31 May 2021]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Ben@Network over 4 years ago
Hello Christian,

you can 'tcpdump' the traffic between your XG and the NPS Server (XG/Advanced Shell):

tcpdump -i any udp port 1812 -vv

With this tcpdump you see the RADIUS communication. To get better logs (in windows security log) you can use this command on NPS Server:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Regards,

Ben
format
[edited by: Ben@Network at 7:52 PM (GMT -7) on 31 May 2021]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Christian Fournier over 4 years ago in reply to Ben@Network

Hi Ben,

tcpdump between my XG and NPS server:

09:18:15.417209 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:15.417321 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:15.417323 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418533 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418568 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418576 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:19:43.492897 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
09:19:43.493007 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
09:19:43.493009 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
09:19:46.493881 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
09:19:46.493891 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
09:19:46.493894 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218

172.16.0.80 is the access point, 172.16.0.3 is the XG firewall and 172.16.0.17 is the NPS server. We can see that Access-Request are sent to the NPS server.

But nothing more on the NPS side logs, even if detailed logs are enabled.

0 LuCar Toni over 4 years ago in reply to Christian Fournier

Check the wireshark dump on the NPS Server, if the firewall blocks it on the server itsefl
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 4 years ago in reply to LuCar Toni

Hello Toni, unfortunately there's no firewall on the NPS server. We are checking what's happening with Wireshark.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 4 years ago in reply to Christian Fournier

Hi Toni, we've got this setting:

NPS 172.16.0.17-----------LAN 172.16.0.0/16------------ Port1 [XG in Bridged mode 172.16.0.3]Port3-------------- 172.16.0.1 Corporate router --------- WAN

When testing radius with the button in XG interface, everything is OK, UDP 1812 packets flow through port 1 to the NPS server (checked with Wireshark).
When testing with a laptop, the XG tries to send the UDP packets through port 3, and nothing is received by the NPS server... Why is it acting like this ?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Christian Fournier

Can you show us your SD-WAN Config page in SFOS?
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 4 years ago in reply to LuCar Toni

Of course:
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 4 years ago in reply to Christian Fournier

There is another wan access, not bridged through port2
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Christian Fournier

What is your current routing priority. You see this on the top of this screen.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 4 years ago in reply to LuCar Toni

Current priority routing is : SD-WAN, VPN routing, static
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni over 4 years ago in reply to Christian Fournier

Try static - Sdwan VPN
Cancel
Vote Up +1 Vote Down

Cancel