Wireless Radius auth via IPSec not possible

Hi, we're trying to get Radius auth for wireless WPA enterprise to work in our Branch Office.

Situation: One UTM HA cluster in the Main Office, which is where the Active Directory and RADIUS servers are located. In our Branch Office we are changing from a RED to an XG85. We use WPA Enterprise with RADIUS to connect the wireless clients.

The XG85 is connected via site-to-site IPsec, and via LAN everything is fine. Active Directory auth from the XG85 via IPsec works as well.

But the RADIUS auth doesn't work. I've already read different articles and tried a lot, but the RADIUS auth from the WLAN client doesn't arrive at the RADIUS server in the Main Office.

A RADIUS test from the XG85 itself arrives at the RADIUS server, so the connection seems OK. All needed firewall rules are also in place. The WAN IP of the XG85 is included in the IPsec tunnel so that the XG85 itself is able to reach the AD and RADIUS servers.

Any hints? I've been searching for a solution for the last few days...

Thanks in advance,

Regards, Markus
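The open question in this thread is which source address the firewall's RADIUS requests carry and whether that address sits inside the IPsec traffic selectors. The following is an added diagnostic, not code from the thread or from Sophos: it parses a RADIUS Access-Request (as captured on the RADIUS server or the tunnel interface) and checks its IP source and NAS-IP-Address against the tunnel's local selectors; the sample packet, addresses and subnets are constructed.

```python
import ipaddress
import struct

# Attribute types from RFC 2865 that matter for this check.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4

def build_access_request(ident, authenticator, attrs):
    """Build an Access-Request (code 1): header, 16-byte authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_radius(pkt):
    """Return (code, identifier, {attr_type: raw_value}); raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % off)
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs[t] = pkt[off + 2:off + l]
        off += l
    return code, ident, attrs

def check_tunnel_source(src_ip, pkt, local_selectors):
    """Report whether the packet's IP source (and its NAS-IP-Address, if present) falls
    inside the IPsec local traffic selectors; a source outside them is sent in the clear."""
    code, ident, attrs = parse_radius(pkt)
    nets = [ipaddress.ip_network(n) for n in local_selectors]
    in_tunnel = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    result = {"code": code, "id": ident, "src_in_tunnel": in_tunnel(src_ip)}
    if ATTR_NAS_IP_ADDRESS in attrs:
        nas_ip = str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS]))  # 4-byte packed address
        result["nas_ip"] = nas_ip
        result["nas_ip_in_tunnel"] = in_tunnel(nas_ip)
    return result

if __name__ == "__main__":
    # Constructed sample: request sourced from a WAN address (203.0.113.5) while the
    # tunnel's local selector only covers the branch LAN (192.168.10.0/24).
    sample = build_access_request(7, b"\x00" * 16,
                                  [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([203, 0, 113, 5]))])
    print(check_tunnel_source("203.0.113.5", sample, ["192.168.10.0/24"]))
```

If `src_in_tunnel` is false for the wireless authentication requests but true for the firewall's own RADIUS test, the two are leaving with different source addresses, which matches the symptom described in this thread.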

  • Hi All,

    I know this is an old thread; has there been any fix for this 'bug' yet? I have just tried this and am getting the same results.

    The only difference is I am S2S from HO (UTM) and Branch (XG 17.1.2 MR-2).

    I am wondering if a GRE tunnel would fix this? (Yes, I understand a GRE tunnel is not really supported on UTM.)

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi,

    Please use the system originated traffic KBA.

    community.sophos.com/.../123336


  • Thanks for that pointer, was thinking of going another route (RED Tunnel).

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Just tried on an XG85 with 17.1.2 MR2 and it doesn't work.

    Also, the moment I configure the WAN address of my counterpart Sophos firewall as part of the tunnel, I lose the capability to address the device itself.

    Therefore, even if this work-around were to work, it would not be feasible for production.

    I cannot understand why, for Sophos, a RADIUS request is not part of system traffic and is being routed through the WAN and not through the IPsec tunnel.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Did you follow the KBA for system-originated traffic? This should work without any issue.