This discussion has been locked.

Radius Test Works but WiFi Won't Authenticate

Hi,

I'm setting up an XGS to authenticate wifi connections with WPA2 Enterprise to FreeRadius and OpenLDAP running on Ubuntu 20.0.4.

I know the LDAP part works because my VPN connections work.

Test Connection works in Authentication/Radius. So the XGS sees the radius server.

Attempts to connect to WiFi simply do not connect (I'm on a Mac and it says "Could not be joined").

I ran Wireshark while connecting but I'm not sure what I'm supposed to be looking for: nothing seems to be getting dropped.

I followed the XGS portion of this page

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/127783/sophos-firewall-configure-radius-for-enterprise-wireless-authentication-with-windows-server-2012

and I'm not sure what I'm missing. 

Thanks,

Jeff



This thread was automatically locked due to age.
  • Check the radius log. Some hints?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Made significant progress. I was able to make it work by storing the password as cleartext in openLDAP. Not what I want obviously, but at least I know where the problem is. It looks like XGS uses MS-CHAPv2 (I didn't see that documented anywhere, I just garnered that from blog posts), and MS-CHAPv2 needs Radius to get a cleartext or ntlm password. I think I just have to figure out how to get openLDAP to use ntlm (it was using md5 by default).

    My issue now (for which I may start another thread if it's not a quick fix) is, though wifi works, it's quite slow, and I get a repeated error:

    "Receive - invalid packet code 4 sent to authentication port from client [client short name] port 33664."

    Not sure what this is. Google was no help so far.

    Thanks,

    Jeff
