Radius SSO Timeout

Hi Subahar,

Take SSH to XG and goto option 5. > 3. Advance Shell then execute,

cd /log

tail -f access_server.log  | grep username

Now, authenticate the user and monitor the logs until the user is logged off.

Does the users get a captive portal page when they are disconnected? 

In case, the user is disconnected from live user page or gets captive portal authentication page after some time it means STAS is unable to check user status by workstation polling method. STAS uses two methods for workstation polling, WMI and Registry Read Access. Both methods are for getting user status from individual machine. An administrator can choose any one of these two methods for workstation polling.

Perform WMI\Registry read access verification to user’s IP address. If query is failed then the Windows Firewall or Antivirus could block the WMI\Registry read access query. Add an exception for TCP port 445 and 135

Thanks

Hi Subahar,

Take SSH to XG and goto option 5. > 3. Advance Shell then execute,

cd /log

tail -f access_server.log  | grep username

Now, authenticate the user and monitor the logs until the user is logged off.

Does the users get a captive portal page when they are disconnected? 

In case, the user is disconnected from live user page or gets captive portal authentication page after some time it means STAS is unable to check user status by workstation polling method. STAS uses two methods for workstation polling, WMI and Registry Read Access. Both methods are for getting user status from individual machine. An administrator can choose any one of these two methods for workstation polling.

Perform WMI\Registry read access verification to user’s IP address. If query is failed then the Windows Firewall or Antivirus could block the WMI\Registry read access query. Add an exception for TCP port 445 and 135

Thanks

Hi Sachin,

Thanks for reply. 

Here users are connected through Android and IOS devices not with windows laptop. They connect to wireless with Radius WPA2\enterprise with meru wireless controller. In that controller we added Sophos XG as accounting server through that users are getting authenticate to Sophos as Radius SSO users. I would like to know do we have any timeout setup for Radius users in XG firewall? If we get that setup for unlimited or say few hours our issue will get resolved.

Let me know is there any setting i need to enable to achieve this function.

Regadrs

HI subahar, 

While using Radius SSO , you set the Global Settings for the same as per the snapshot. 

Any luck with that ?

Hi Aditya,

It looks we do have similar setting on our box, see below snapshot of it. But still we see the error on Radius SSO user disappearing from live users.

I have the same issue so RADIUS SSO users are de-authenticated from appliance. This seems to be an issue if a user is a member of VLAN and it is in a different network than LAN interface on XG. We have static routing on XG set to our VLANS.

Hi, was this issue ever resolved? Experiencing something similar...

Hi,

It is an old thread, if you are currently facing this issue, can you please post a new thread, iterating us the kind of network you have and how frequent do you see the disconnections? PM me access_server.log to verify the cause for disconnection which will help us investigate further. 

Thanks,

I have raised a support ticket with Sophos but it is a known bug and apparently the problem cannot be resolved. Would you like a ticket number?

The problem is on our Ruckus Wireless Zone Director where 'roaming-acct-interim-update' is disabled by default and "class" information is not being copied to radius accounting start message during roaming. Enabling 'roaming-acct-interim-update' resolved the issue.