
Problem setting up WPA2-enterprise Wifi

Hi everybody,

I've got some difficulties setting up a Wifi access with 802.1x authentication. My setup consists of an XG330 firewall and APX120 access points.

I've followed these 2 guides:

- https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122559/sophos-xg-firewall-wireless-and-radius-authentication-on-windows-server-2016

- https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122559/sophos-xg-firewall-wireless-and-radius-authentication-on-windows-server-2016

I've got a MS CA configured on a W2016 server and a NPS Server on the same machine.

CA template is configured as stated by MS here:

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

The NPS server auto-enrolls a certificate based on this template, and this certificate is present in the machine certificate store of the NPS server.

Connection test from radius XG interface is successful, and is logged on the NPS server. But when I try to connect a laptop to the SSID, it ends with an error 23 on the XG side, and nothing is logged on the NPS.

Can someone point me to the correct way to solve this problem?



  • Hello Christian,

    you can 'tcpdump' the traffic between your XG and the NPS Server (XG/Advanced Shell):  

    tcpdump -i any udp port 1812 -vv

    With this tcpdump you see the RADIUS communication. To get better logs (in windows security log) you can use this command on NPS Server:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

    Regards,

    Ben



  • Hi Ben,

    tcpdump between my XG and NPS server:

    09:18:15.417209 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:18:15.417321 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:18:15.417323 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:18:18.418533 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:18:18.418568 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:18:18.418576 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
    09:19:43.492897 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
    09:19:43.493007 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
    09:19:43.493009 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
    09:19:46.493881 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
    09:19:46.493891 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218
    09:19:46.493894 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x04 length: 218

    172.16.0.80 is the access point, 172.16.0.3 is the XG firewall and 172.16.0.17 is the NPS server. We can see that Access-Request are sent to the NPS server.

    But nothing more on the NPS side logs, even if detailed logs are enabled.
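A small triage script for a dump like the one above, added here as an example and not part of the thread: it parses `tcpdump -i any udp port 1812 -vv` lines, groups packets by RADIUS id and source port as seen from the firewall, and reports Access-Requests that never got an Access-Accept/Reject/Challenge back, together with the physical port each request left on. The sample text reuses the six lines posted above and adds a constructed, successful transaction (id 0x05 leaving via Port1) so that both outcomes are shown. The firewall address and the expected egress port are parameters; treating interface names starting with `br` as bridge pseudo-interfaces (so only the physical port counts as egress) is an assumption about Sophos naming.

```python
import re
from collections import defaultdict

# Constructed sample: the first six lines mirror the dump posted in the thread,
# the last three are made up to show a request that is answered (not real traffic).
SAMPLE = """\
09:18:15.417209 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:15.417321 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:15.417323 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418533 br01, IN: IP 172.16.0.80.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418568 br01, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:18:18.418576 Port3, OUT: IP 172.16.0.3.41730 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x03 length: 218
09:20:01.000000 br01, OUT: IP 172.16.0.3.41731 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x05 length: 150
09:20:01.000100 Port1, OUT: IP 172.16.0.3.41731 > 172.16.0.17.radius: RADIUS, Access-Request (1), id: 0x05 length: 150
09:20:01.003000 Port1, IN: IP 172.16.0.17.radius > 172.16.0.3.41731: RADIUS, Access-Accept (2), id: 0x05 length: 40
"""

# One 'tcpdump -i any ... -vv' RADIUS summary line, as printed on the XG shell.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):\s+RADIUS,\s+"
    r"(?P<code>[A-Za-z-]+)\s+\(\d+\),\s+id:\s+(?P<id>0x[0-9a-fA-F]+)\s+length:\s+(?P<len>\d+)$"
)

# Assumption: bridge pseudo-interfaces are named br<N>; the same packet also shows
# up on the physical member port, which is the line we use as the real egress.
BRIDGE_PREFIX = "br"


def parse_tcpdump(text):
    """Turn tcpdump summary lines into dicts; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def radius_transactions(records, firewall_ip):
    """Group packets by (firewall source port, RADIUS id).

    'egress' lists the physical ports on which the firewall sent an Access-Request
    (one entry per transmission, so retries show up as repeats); 'responses' lists
    the RADIUS codes that came back to that port/id pair.
    """
    tx = defaultdict(lambda: {"egress": [], "responses": []})
    for r in records:
        if r["dir"] == "OUT" and r["src"] == firewall_ip and r["code"] == "Access-Request":
            if not r["iface"].startswith(BRIDGE_PREFIX):
                tx[(r["sport"], r["id"])]["egress"].append(r["iface"])
        elif r["dir"] == "IN" and r["dst"] == firewall_ip and r["code"] != "Access-Request":
            tx[(r["dport"], r["id"])]["responses"].append(r["code"])
    return dict(tx)


def unanswered(records, firewall_ip):
    """Transactions the firewall sent but for which no RADIUS reply was captured."""
    tx = radius_transactions(records, firewall_ip)
    return sorted(k for k, v in tx.items() if v["egress"] and not v["responses"])


def wrong_egress(records, firewall_ip, expected_iface):
    """Transactions whose requests left on a physical port other than expected_iface."""
    tx = radius_transactions(records, firewall_ip)
    bad = {}
    for k, v in tx.items():
        other = sorted(set(v["egress"]) - {expected_iface})
        if other:
            bad[k] = other
    return bad


def report(text, firewall_ip, expected_iface):
    """Human-readable summary lines for a pasted dump."""
    records = parse_tcpdump(text)
    lines = []
    for (sport, rid), v in sorted(radius_transactions(records, firewall_ip).items()):
        status = ", ".join(v["responses"]) if v["responses"] else "NO REPLY"
        lines.append(f"id {rid} from port {sport}: {len(v['egress'])} transmission(s) "
                     f"via {sorted(set(v['egress']))} -> {status}")
    for k, ifaces in wrong_egress(records, firewall_ip, expected_iface).items():
        lines.append(f"id {k[1]}: left via {ifaces} instead of {expected_iface}, check routing")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE, "172.16.0.3", "Port1"):
        print(line)
```

Read the output as a routing check rather than an authentication check: a request that repeats every few seconds with no reply, on a port that does not face the NPS, points at the firewall's route selection (SD-WAN or VPN routes taking precedence over the static/directly connected route) rather than at NPS or the certificate template, which is exactly the case the rest of this thread narrows down to.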

  • Check the Wireshark dump on the NPS Server, if the firewall blocks it on the server itself

  • Hello Toni, unfortunately there's no firewall on the NPS server. We are checking what's happening with Wireshark.

  • Hi Toni, we've got this setting:

    NPS 172.16.0.17-----------LAN 172.16.0.0/16------------ Port1 [XG in Bridged mode 172.16.0.3]Port3-------------- 172.16.0.1 Corporate router  --------- WAN

    When testing RADIUS with the button in the XG interface, everything is OK, UDP 1812 packets flow through Port1 to the NPS server (checked with Wireshark).
    When testing with a laptop, the XG tries to send the UDP packets through Port3, and nothing is received by the NPS server... Why is it acting like this?

  • Can you show us your SD-WAN Config page in SFOS?

  • There is another wan access, not bridged through port2

  • What is your current routing priority? You see this on the top of this screen.

  • Current priority routing is: SD-WAN, VPN routing, static
