
RADIUS SSO with Microsoft NPS

I need to get RADIUS SSO working by sending Accounting information from the Microsoft NPS server to the XG Firewall, rather than from the AP or controller.

RADIUS SSO works 100% in environments where the wireless solution is able to send accounting information directly to the XG Firewall from the AP or controller.

I have configured the Connection Request Policy in NPS (under the Settings | Accounting tab for the policy) to forward all accounting to the XG Firewall. I have configured the appropriate shared keys etc. on both ends.

What I notice is that the NPS does not in fact forward anything to the firewall!

Has anyone configured this in the wild and got it working? Not getting this to work is a potential show stopper for many of my clients.

Thanks

Gavin Blunt



  • Hi,

    Unfortunately not. The Ruckus Unleashed and Cloud offerings do not provide for RADIUS accounting from the controller or AP themselves. I was hoping to configure NPS to send the accounting logs to the XG directly, but it appears this is not possible as the logs are not in a format understood or readable by the XG.

    Will now start bugging Ruckus to get the RADIUS accounting feature built into their cloud and Unleashed controller software.

    Thanks

    Gavin

  • Hi,

    I have a similar issue to yours. RADIUS authentication is working fine from the Sophos user portal, and WiFi (over an Apple AirPort) is working fine with RADIUS.

    Now I wanted to adjust freeRADIUS to send the accounting status to Sophos. I have entered the information into the Services > RADIUS SSO dialog.

    With radclient it's possible to see the replies, but it seems that Sophos XG doesn't listen on 1813 for accounting info (which would be the default port).

    Is there something I am missing? Maybe it's a different port, or is this RADIUS SSO only possible with APs connected directly to the XG?


    Thanks.

    Claas

     

    Edit1: just checked the file /log/access_server.log and found some ERRORs regarding RADIUS auth. I'll update in case I get it working.

    Edit2: I got it working so that Sophos is receiving Accounting packets from a freeRADIUS server. The situation is different from the OP's, but I thought I'd note down the workaround for other people who might have the same problem.

     

    Situation:

    Network consists of: 

    - 4x AirPort Extreme, macOS Server with Open Directory and RADIUS (freeRADIUS 2.2.9). RADIUS authentication is working fine.

     

    Problem: AirPort Extreme doesn't send Accounting packets.

     

    Solution: As I don't want to change my WiFi APs I needed a workaround. Here it goes:

    1. Configure freeRADIUS to proxy Accounting info to Sophos XG on port 1813 (RADIUS SSO is active in Sophos and the Shared Secret is known and set); more info here: https://freeradiustips.wordpress.com/2015/02/17/forward-accounting-packets-to-secondary-radius-server/

     

    2. Of course the proxy doesn't do anything at the moment, as there are no accounting packets received. For my home solution with < 30 machines I have followed the Mac-Auth how-to from here: https://wiki.freeradius.org/guide/mac-auth. In the file named authorized_macs I have entered all required attributes for Sophos in this way:

    00-11-22-33-44-55
    Framed-IP-Address = 192.168.0.x,
    Acct-Status-Type = Start,
    NAS-IP-Address = "%{NAS-IP-Address}",
    NAS-Port = "%{NAS-Port}"

    I have a manual way of assigning the IP to the client; probably something like reading it from SQL or LDAP is possible.

    3. To use that information I have activated the reply_log. This results in a log file with some more information, but among it are the required attributes as entered above.

    4. The resulting log has a different name than the one the proxy is listening for. I first tried to make it the same, but that doesn't work, as there is an auth-accept or similar attribute in the reply which needs to be removed first. I have set up a cron job (actually, here on macOS, launchd) to run the following shell script every minute. If the reply log exists, rename it, delete lines with unwanted content, and rename it to the detail log which the proxy is listening to and which Sophos XG uses to present the Live User.

    #!/bin/sh
    # Move freeRADIUS reply-detail records into the accounting detail file the
    # proxy watches, stripping the attributes that belong to the Access-Accept
    # reply rather than to accounting.
    AUTH_REQUEST_FILE=/private/var/log/radius/radacct/reply-detail
    ACCT_TEMP_FILE=/private/var/log/radius/radacct/reply_detail.tmp
    ACCT_REQUEST_FILE=/private/var/log/radius/radacct/detail

    # Rename first so freeRADIUS starts a fresh reply-detail while we work.
    if [ -f "$AUTH_REQUEST_FILE" ]; then
        mv "$AUTH_REQUEST_FILE" "$ACCT_TEMP_FILE"
    fi

    if [ -f "$ACCT_TEMP_FILE" ]; then
        # One sed run for all deletions (-i.bak is the BSD/macOS in-place form);
        # mv and rm only happen if every previous step succeeded. Note that mv
        # overwrites a detail file the proxy has not yet consumed.
        sed -i.bak \
            -e '/Access-Accept/d' \
            -e '/MS-MPPE/d' \
            -e '/EAP-MSK/d' \
            -e '/EAP-EMSK/d' \
            -e '/EAP-Session/d' \
            -e '/EAP-Message/d' \
            -e '/Message-Authenticator/d' \
            "$ACCT_TEMP_FILE" &&
        mv "$ACCT_TEMP_FILE" "$ACCT_REQUEST_FILE" &&
        rm -f "$ACCT_TEMP_FILE.bak"
    fi


    That is probably something a company does not want, but here at home I am happy with this. I can use WPA2-Enterprise for my family members, have them visible in Sophos, and don't need Windows AD with STAS (which I did set up for testing, but that is too much overhead with the required DNS etc.; I prefer Sophos doing DNS and DHCP).
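The sed approach in step 4 deletes individual lines, so a record that never had the attributes Sophos needs (for example an Access-Reject for a MAC not in authorized_macs) still ends up in the detail file. As an added example, not the poster's script and not part of freeRADIUS, the same rewrite can be done per record: parse the reply-detail file, drop the attributes the post's sed commands remove, and emit only records that carry the four attributes the authorized_macs entries supply. It assumes the standard freeRADIUS detail layout (a date header line, one tab-indented "Attribute = value" per line, records separated by a blank line); the sample log is constructed, not captured from a live server.

```python
"""Record-aware rewrite of a freeRADIUS reply-detail log into an accounting
detail log. Added example; assumes the standard detail-file layout and uses
the attribute names from the forum post."""
import re
from typing import Iterator, List, Optional, Tuple

# Attributes belonging to the Access-Accept, not to accounting (the set the
# post's sed commands delete, matched by prefix).
DROP_PREFIXES = ("MS-MPPE", "EAP-", "Message-Authenticator")
# Attributes the post's authorized_macs entries add; without them the record
# cannot become a useful Accounting-Request towards the firewall.
REQUIRED = ("Framed-IP-Address", "Acct-Status-Type", "NAS-IP-Address", "NAS-Port")

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")
Record = Tuple[str, List[Tuple[str, str]]]

# Constructed sample: one accepted MAC-auth client, one rejected unknown MAC.
SAMPLE_REPLY_DETAIL = (
    "Tue Jan  1 12:00:00 2019\n"
    "\tPacket-Type = Access-Accept\n"
    '\tUser-Name = "00-11-22-33-44-55"\n'
    "\tFramed-IP-Address = 192.168.0.23\n"
    "\tAcct-Status-Type = Start\n"
    "\tNAS-IP-Address = 192.168.0.2\n"
    "\tNAS-Port = 0\n"
    "\tMS-MPPE-Recv-Key = 0x0123\n"
    "\tEAP-Message = 0x03010004\n"
    "\tMessage-Authenticator = 0x00\n"
    "\tTimestamp = 1546344000\n"
    "\n"
    "Tue Jan  1 12:00:05 2019\n"
    "\tPacket-Type = Access-Reject\n"
    '\tUser-Name = "aa-bb-cc-dd-ee-ff"\n'
    "\tTimestamp = 1546344005\n"
    "\n"
)


def parse_detail(text: str) -> Iterator[Record]:
    """Yield (header, [(attr, value), ...]) for each record in a detail file."""
    header: Optional[str] = None
    attrs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():            # blank line terminates a record
            if header is not None:
                yield header, attrs
            header, attrs = None, []
            continue
        m = ATTR_RE.match(line)
        if m and header is not None:    # indented attribute line
            attrs.append((m.group(1), m.group(2).strip()))
        elif not line[0].isspace():     # unindented line is the date header
            header = line.strip()
    if header is not None:
        yield header, attrs


def to_accounting(record: Record) -> Optional[Record]:
    """Strip reply-only attributes; return None if the record is unusable."""
    header, attrs = record
    kept = [(n, v) for n, v in attrs
            if n != "Packet-Type" and not n.startswith(DROP_PREFIXES)]
    names = {n for n, _ in kept}
    if any(r not in names for r in REQUIRED):
        return None
    return header, kept


def render(record: Record) -> str:
    """Serialize a record back into detail-file syntax."""
    header, attrs = record
    return header + "\n" + "".join(f"\t{n} = {v}\n" for n, v in attrs) + "\n"


def convert(text: str) -> Tuple[str, int]:
    """Return (accounting detail text, number of records skipped)."""
    out, skipped = [], 0
    for rec in parse_detail(text):
        acct = to_accounting(rec)
        if acct is None:
            skipped += 1
        else:
            out.append(render(acct))
    return "".join(out), skipped


if __name__ == "__main__":
    converted, dropped = convert(SAMPLE_REPLY_DETAIL)
    print(converted, end="")
    print(f"# skipped {dropped} record(s) without accounting attributes")
```

In place of the poster's mv/sed/mv sequence, the script's output would be appended to the detail file the proxy reads; skipped records are counted so a misconfigured authorized_macs entry shows up as a number rather than as a silently malformed Accounting-Request.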