
Wireless Radius auth via IPSec not possible

Hi, we're trying to get Radius auth for wireless WPA enterprise to work in our Branch Office.

Situation: One UTM HA Cluster in Main Office. There are the Active Directory and Radius Servers located. In our Branch Office we change from RED to XG85. We use WPA enterprise with Radius to connect the wireless Clients.

The xg85 is connected via site-to-site IPsec and via LAN everything is fine. Active Directory auth to the xg85 via IPsec also works.

But the Radius auth doesn't work. I've already read different articles and tried a lot, but the Radius auth from the WLAN client doesn't arrive at the Radius Server in the Main Office.

Radius tests from the xg85 itself arrive at the Radius Server, so the connection seems OK. Also all needed firewall rules are in place. The WAN IP of the xg85 is included in the IPsec tunnel so that the xg85 itself is able to connect to the AD and Radius Servers.

Any hints? I've been searching for a solution for days...

Thanks in advance,

Regards, Markus



  • Frozenye,

    can you share your config? Maybe some screenshots will help. What error do you have? Personally I would prefer method 2:

    https://community.sophos.com/kb/en-US/123334

    Luk

  • Hi Luk,

    thanks for your response! I've already implemented Option 1 for first testing and AD auth is working well. I'm using my Domain account as admin user in the Branch XG appliance...

    What kind of Screenshots do you need?

    I'm not able to see an error, only wireless Clients cannot connect with WPA2 Enterprise and on the Radius Server the request is not arriving. Manual radius tests directly in the XG interface are arriving at the radius logs.

    In the Main Office the WPA enterprise WLAN is working well with same (onsite) Radius.

    It seems that the Radius request is not forwarded to the Server. A packet trace in the XG interface shows the Radius packets correctly. Radius client and other things are also configured right... I have no idea, I've been hanging on this issue for more than 2 days...

    Thanks for your Support!

    Regards, Markus

  • Markus,

    share your radius configuration.

    Luk

  • Hi Luk,

    here it is:

    The Radius server itself is configured like in the howto (Server 2012 R2, DC and Radius) and is working already with the utm based wireless protection in main office.

    New Policy for Client and shared secret is configured properly (tested with and without new rules).

    Thanks,

    Markus

  • Hi Luk,

    A tcpdump on port 1812 would be helpful here to see where the packet is going. This is an open BUG in XG, so we just need to confirm it with tcpdump.

    - Jayesh

  • Sorry Guys,

    but during this weekend I was travelling. Anyway, a tcpdump output will do the trick. [:D]

    About the bug, I didn't know that. Jayesh, can you be more specific?

    Luk

    The BUG is that if somebody has configured Radius over IPsec for WPA2 authentication, the radius request goes out through the WAN interface instead of the IPsec tunnel; however, the Radius test connection is working absolutely fine.

    - Jayesh

  • Hi,

    here is an output from tcpdump running on the XG when I try to connect via a WPA2-Enterprise WLAN client:

    09:10:45.233895 Port2, OUT: IP 212.29.xxx.xxx.41098 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x9b length: 202

    this line is repeating, nothing more happens

    If I test the connection in the XG interface I get a response:

    09:16:39.627286 ipsec0, IN: IP 172.17.0.12.1812 > 212.29.xxx.xxx.60421: RADIUS, Access Reject (3), id: 0x3d length: 20

    (Reject because the auth is not possible this way; we use Radius for VPN and WPA2 Enterprise only)

    Any Hints?

    Thanks,

    Markus 

  • Hi again,

    now I've configured Option 2 in the article above but it is still the same issue... the test in the XG interface reaches the Radius, the WPA2-Enterprise connect fails

    tcpdump now:

    12:05:58.962696 ipsec0, OUT: IP 169.254.234.5.57191 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x19 length: 202

    this line is repeating, nothing more happens

    If I test the connection in the XG interface I get a response:

    12:06:02.195203 ipsec0, IN: IP 172.17.0.12.1812 > 172.18.0.1.34774: RADIUS, Access Reject (3), id: 0x40 length: 20

    I really need help...
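The two tcpdump posts above, together with Jayesh's description of the bug, boil down to one check: did each outbound Access-Request leave on the IPsec interface with a source address the tunnel actually carries, and did any reply come back for its RADIUS id? The following script is an added example, not code from the thread or from Sophos, that parses tcpdump lines of the shape quoted above and flags requests that left via a non-tunnel interface, carry a link-local (169.254/16) source, or are outside the assumed tunnel network. The capture lines are constructed (the public WAN address is replaced by the documentation address 203.0.113.5), and the interface name `ipsec0` and the local network 172.18.0.0/16 are assumptions taken from the addresses the poster showed.

```python
"""Check whether outbound RADIUS Access-Requests in a tcpdump capture really
use the IPsec tunnel. Added illustration for this thread; the capture lines
below are constructed and the network assumptions are marked as such."""
import ipaddress
import re

# Shape of the tcpdump lines quoted in the thread:
#   HH:MM:SS.usec IFACE, IN|OUT: IP SRC.PORT > DST.PORT: RADIUS, Msg (code), id: 0x.. length: N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+RADIUS,\s+"
    r"(?P<msg>[A-Za-z -]+?)\s+\((?P<code>\d+)\),\s+id:\s+(?P<id>0x[0-9a-fA-F]+)"
)

RADIUS_AUTH_PORT = 1812
ACCESS_REQUEST = 1
TUNNEL_IFACES = {"ipsec0"}                              # assumption: XG's IPsec interface name
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")     # APIPA range, never routable over a tunnel
# Assumption: the branch network carried by the site-to-site tunnel (the XG used
# 172.18.0.1 as source for its successful manual test, so 172.18.0.0/16 is assumed).
TUNNEL_LOCAL_NET = ipaddress.ip_network("172.18.0.0/16")

# Constructed sample capture; 203.0.113.5 stands in for the real public WAN address.
SAMPLE_CAPTURE = [
    # wireless client attempt: leaves via the WAN port with the WAN address, retransmitted, never answered
    "09:10:45.233895 Port2, OUT: IP 203.0.113.5.41098 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x9b length: 202",
    "09:10:48.233912 Port2, OUT: IP 203.0.113.5.41098 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x9b length: 202",
    # manual test from the XG web interface: right interface and source, gets a reply
    "09:16:39.601004 ipsec0, OUT: IP 172.18.0.1.60421 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x3d length: 120",
    "09:16:39.627286 ipsec0, IN: IP 172.17.0.12.1812 > 172.18.0.1.60421: RADIUS, Access Reject (3), id: 0x3d length: 20",
    # second attempt after reconfiguring: right interface but a link-local source, still unanswered
    "12:05:58.962696 ipsec0, OUT: IP 169.254.234.5.57191 > 172.17.0.12.1812: RADIUS, Access Request (1), id: 0x19 length: 202",
    "unrelated line that the parser must skip",
]


def parse_line(line):
    """Return a dict for one RADIUS tcpdump line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "code"):
        rec[key] = int(rec[key])
    return rec


def check_radius_path(lines, radius_server):
    """Group outbound Access-Requests by RADIUS id and report how each left the
    box, what is wrong with its path, and whether the server ever answered it."""
    results = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        is_request = (rec["dir"] == "OUT" and rec["dst"] == radius_server
                      and rec["dport"] == RADIUS_AUTH_PORT and rec["code"] == ACCESS_REQUEST)
        if is_request:
            src = ipaddress.ip_address(rec["src"])
            problems = []
            if rec["iface"] not in TUNNEL_IFACES:
                problems.append(f"left via {rec['iface']} instead of the IPsec tunnel")
            if src in LINK_LOCAL:
                problems.append("link-local source address cannot be routed through the tunnel")
            elif src not in TUNNEL_LOCAL_NET:
                problems.append(f"source {src} is outside the tunnel's local network {TUNNEL_LOCAL_NET}")
            entry = results.setdefault(rec["id"], {"src": rec["src"], "iface": rec["iface"],
                                                   "problems": problems, "sent": 0, "answered": False})
            entry["sent"] += 1            # same id seen again = retransmission without reply
        elif rec["dir"] == "IN" and rec["src"] == radius_server and rec["sport"] == RADIUS_AUTH_PORT:
            if rec["id"] in results:
                results[rec["id"]]["answered"] = True
    return results


if __name__ == "__main__":
    for rid, info in check_radius_path(SAMPLE_CAPTURE, "172.17.0.12").items():
        state = "answered" if info["answered"] else f"unanswered after {info['sent']} send(s)"
        print(f"id {rid}: {info['src']} via {info['iface']}, {state}")
        for p in info["problems"]:
            print(f"    - {p}")
```

Run against a real capture by feeding it the lines of `tcpdump` output instead of `SAMPLE_CAPTURE`; an id that keeps being re-sent with no matching reply, together with a source that the remote side cannot reach back through the tunnel, is the symptom Jayesh describes.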

  • Frozeneye,

    the 169.254 IP is strange. From the console, can you share the output of this command?

    "show advanced-firewall"

    I need the output below: NAT policy for system originated traffic


    Luk