Radius Test Works but WiFi Won't Authenticate

Hi,

I'm setting up an XGS to authenticate wifi connections with WPA2 Enterprise to FreeRadius and OpenLDAP running on Ubuntu 20.0.4.

I know the LDAP part works because my VPN connections work.

Test Connection works in Authentication/Radius. So the XGS sees the radius server.

Attempts to connect to WiFi simply do not connect (I'm on a Mac and it says "Could not be joined").

I ran Wireshark while connecting but I'm not sure what I'm supposed to be looking for: nothing seems to be getting dropped.

I followed the XGS portion of this page

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/127783/sophos-firewall-configure-radius-for-enterprise-wireless-authentication-with-windows-server-2012

and I'm not sure what I'm missing. 

Thanks,

Jeff



This thread was automatically locked due to age.
  • Check the radius log. Some hints?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Yes and no. I'm still not sure why the Test doesn't use the same encryption/protocols/etc. that would end up being used in practice by wifi, but it doesn't. When running freeradius -X on the server it kicks back all sorts of issues, warnings, and errors about EAP, CHAP, etc. And I couldn't find anywhere at Sophos's site what exactly it wants to use or how to configure for it. It seems every issue I solve creates one or two more. I actually got so derailed chasing my tail I restored the server to a checkpoint before I started messing with the various .conf files and mods-enabled and sites-enabled folders so I can restart clean and try again with the knowledge I now have. I'll post here whatever I did when I eventually get it working but I'm just amazed there seem to be so many "here's how to authenticate wifi with OpenLDAP via freeradius" blogs and posts, but all seem to contradict each other and none of them work for me for some reason.

    Thanks,

    Jeff

  • Made significant progress. I was able to make it work by storing the password as cleartext in openLDAP. Not what I want obviously, but at least I know where the problem is. It looks like XGS uses MS-CHAPv2 (I didn't see that documented anywhere, I just garnered that from blog posts), and MS-CHAPv2 needs Radius to get a cleartext or ntlm password. I think I just have to figure out how to get openLDAP to use ntlm (it was using md5 by default).

    My issue now (for which I may start another thread if it's not a quick fix) is, though wifi works, it's quite slow, and I get a repeated error:

    "Receive - invalid packet code 4 sent to authentication port from client [client short name] port 33664."

    Not sure what this is. Google was no help so far.

    Thanks,

    Jeff
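
The error quoted in the last post names packet code 4. In RFC 2865/2866 that code is Accounting-Request, which a RADIUS server expects on its accounting port (conventionally 1813) rather than its authentication port (1812), so a message of this form is consistent with accounting traffic arriving on the authentication port. The following is an added example, not part of the original thread: it reads the fixed RADIUS header from a captured UDP payload and flags a code that does not fit the destination port. The port numbers are the conventional defaults (an assumption about this setup) and the sample packets are constructed.

```python
import struct

# RADIUS packet codes from RFC 2865 / RFC 2866
CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
}
AUTH_PORT, ACCT_PORT = 1812, 1813   # conventional defaults; a site may differ
# Codes a server accepts from a client (NAS) on each port
EXPECTED = {AUTH_PORT: {1, 12}, ACCT_PORT: {4, 12}}

def parse_header(data: bytes):
    """Return (code, identifier, length) from the fixed 20-byte RADIUS header."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096 or length > len(data):
        raise ValueError(f"bad length field {length}")
    return code, ident, length

def classify(data: bytes, dst_port: int) -> str:
    """Describe a client packet and flag it if its code does not fit the port."""
    code, ident, _ = parse_header(data)
    name = CODES.get(code, f"unknown code {code}")
    if code in EXPECTED.get(dst_port, set()):
        return f"ok: {name} (id {ident}) on port {dst_port}"
    right = [p for p, codes in EXPECTED.items() if code in codes]
    hint = f"; expected on port {right[0]}" if right else ""
    return f"mismatch: {name} (id {ident}) on port {dst_port}{hint}"

def make_packet(code: int, ident: int) -> bytes:
    """Constructed sample: header plus zeroed authenticator, no attributes."""
    return struct.pack("!BBH", code, ident, 20) + bytes(16)

if __name__ == "__main__":
    print(classify(make_packet(1, 7), AUTH_PORT))   # normal login attempt
    print(classify(make_packet(4, 8), AUTH_PORT))   # the case in the error above
    print(classify(make_packet(4, 8), ACCT_PORT))   # same packet, accounting port
```

In a Wireshark capture the same check is the RADIUS "Code" field against the UDP destination port of each packet sent by the firewall.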
