
RADIUS authentication for WiFi suddenly stops working daily

Hello,

we have an XG125 in HQ and an XG86 in the Branch Office (BO). Using the latest firmware: SFOS 18.0.5 MR-5-Build586. Both are connected via a S2S SSL VPN (not IPSec). We are using RADIUS for WIFI authentication on all sites. RADIUS Servers are located in the HQ.

After booting the XG86 in the BO, RADIUS authentication for the WIFI is working fine until a point in time; I think it is a reconnect of Internet/VPN in the night, and then the XG86 does not reach the RADIUS Server anymore. Then also the authentication test in the RADIUS Server configuration tab fails. Rebooting the XG86 solves the problem for the day... After reboot the authentication test is fine again and also the WIFI clients can authenticate via RADIUS.

How can we get rid of this issue? 

Thank you!



  • If you had used an IPSEC tunnel, I'd have been sure you need to enable SNAT and IPSec routing. But I'm quite sure you still need SNAT.

    Check this recent thread https://community.sophos.com/sophos-xg-firewall/f/discussions/128832/ipsec-traffic-uses-wrong-port and exclude the IPSEC stuff.

    You need to check if your BO XG can reach the RADIUS on the HQ site and if not, check where it's sending the packets to - I guess it does to the WAN interface instead of the tunnel.

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Please take the below observations when you lose RADIUS server reachability from the XG86.

    ==> Login to SSH > 5. Device Management > 3. Advanced Shell

    Put access_server service in debugging.

    # service access_server:debug -ds nosync

    Run the below command:

    # tail -f /log/access_server.log

    ==> Go to Diagnostics > Packet capture

    Enter BPF string: port <Radius_Authentication_port>

    eg: port 1812

    ==> Test connection to the server and share both session output/snapshot here or in PM.

    ==> Run below command to stop debugging:

    # service access_server:debug -ds nosync

    # service -S | grep access_server

    =======================================================

    Share output of the below command as well.

    ==> Login to SSH > 4. Device Console

    console> show advanced-firewall

  • Hello, I have set a SNAT rule, but it did not solve the issue.

    Btw. if the error occurs, I can't even ping the RADIUS server in HQ from the Sophos firewall. Clients can, so it is related to the firewall-initiated traffic.

    Packet capturing looks fine:

    Traffic is going via the tun1 interface. 10.81.234.54 is the ssl vpn tunnel ip. 192.168.0.1 is the RADIUS Server.

  • FormerMember

    You can send me PM with session output and snapshots.

  • Hello, I can exactly reproduce the error on a second XG210 connecting via SSL VPN to the HQ. After reconnecting to Internet/VPN, RADIUS and ping from the firewall itself to the HQ LAN do not work anymore until reboot.

    Sounds to me like a bug.

  • Have you checked on the other side of the tunnel - in HQ - if the RADIUS there can reach the BO XG when the issue is happening?

    Maybe the back-path of the RADIUS packets is going a wrong way.

    Check tracert and also a tcpdump on the HQ XG.
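To make the "check which interface the packets leave on" and "check the back-path" advice above concrete, here is an added example (not from any participant in this thread) that walks a packet capture of RADIUS traffic and reports Access-Requests that left on an interface other than the SSL VPN tunnel, and request ids that never received a reply. The capture lines are a constructed, simplified format (not real Sophos packet-capture output) using the thread's addresses: 10.81.234.54 as the tun1 IP, 192.168.0.1 as the RADIUS server, and a made-up WAN address 203.0.113.10 on an assumed interface named Port2.

```python
import re

# Constructed sample capture (simplified; not actual SFOS packet-capture output).
# Fields: time, interface, direction, src, dst, RADIUS code, packet identifier.
SAMPLE_CAPTURE = """\
02:14:03 tun1 OUT 10.81.234.54:45211 > 192.168.0.1:1812 RADIUS Access-Request id=17
02:14:03 tun1 IN 192.168.0.1:1812 > 10.81.234.54:45211 RADIUS Access-Accept id=17
03:30:11 tun1 OUT 10.81.234.54:45212 > 192.168.0.1:1812 RADIUS Access-Request id=18
03:30:14 tun1 OUT 10.81.234.54:45212 > 192.168.0.1:1812 RADIUS Access-Request id=18
03:31:02 Port2 OUT 203.0.113.10:45213 > 192.168.0.1:1812 RADIUS Access-Request id=19
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<dir>IN|OUT) (?P<src>\S+) > (?P<dst>\S+) "
    r"RADIUS (?P<code>Access-\w+) id=(?P<id>\d+)$"
)


def parse(capture):
    """Parse capture lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def analyze(capture, tunnel_iface="tun1"):
    """Return request ids sent off-tunnel and request ids with no reply.

    A request leaving on a non-tunnel interface points at a routing/SNAT
    problem on the sending side; a request with no reply on any interface
    (retransmits included) points at the back-path from HQ being broken.
    """
    wrong_iface = set()
    requested = set()
    replied = set()
    for p in parse(capture):
        if p["code"] == "Access-Request" and p["dir"] == "OUT":
            requested.add(p["id"])
            if p["iface"] != tunnel_iface:
                wrong_iface.add(p["id"])
        elif p["dir"] == "IN":
            replied.add(p["id"])
    return {
        "wrong_iface": sorted(wrong_iface),
        "unanswered": sorted(requested - replied),
    }
```

Run it against a real capture filtered with `port 1812` after converting the lines to this layout; id 18 above is the "tunnel looks fine but nothing comes back" case from the thread, id 19 the "left via WAN instead of the tunnel" case.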