Wifi with RADIUS authentication UTM 9

Hello guys,

 

I'm trying to set up Wi-Fi with RADIUS authentication so my users can log in to Wi-Fi with their AD credentials.

I've installed NPS on my Win 2008 server and added it to UTM as a RADIUS server, but unfortunately users cannot log in from mobile devices.

Here is my setup in UTM

 

Wifi

Radius

 

Thanks for any help!!

 

Jiri



  • Yes I do, installed on the same server as NTP.

  • Assuming the test worked for the shared secret, it's probably something on the RADIUS server. Check the logs there and see if it gives any indication as to why it's failing. Usually, in my experience, it was cert related.

  • I assume that you've added the WAPs as RADIUS clients on the RADIUS server?

  • Hey Louis,

    thanks for the reply, yes I've added the WAPs as RADIUS clients. No problem with notebooks or other Windows devices at all. Only mobile devices with Android and iOS can't connect.

     

    Jiri

     

  • I am trying the same as you, but as I also use the RADIUS for PPTP auth as well, I am still having issues.

    Although, I did have an issue with Wi-Fi when I bridged it to a VLAN: the phones would not fully connect; once I placed it onto a separate VLAN/Zone all worked fine.

    It was something to do with the broadcasting within the VLAN that stopped it fully connecting...

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hmmm - I'm not sure to be honest. We don't personally use that function as we found we have greater control with the voucher codes. I am curious as to the resolution though. When logging in are they logging in as domain\user? 

  • Why should I need to add the WAPs as RADIUS clients? I thought the authentication is only passed over the UTM's IP, and in all my WPA2E installations no AP is an allowed RADIUS client.

     

    The only time I got real trouble was when I tried to use different WPA2E networks for different users.

    The important settings are on the connection policy:

    • Client Friendly Name: Name of the RADIUS client (name of the UTM)
    • NAS Port Type: Wireless – IEEE 802.11
    • NAS Identifier: SSID of your wireless network
    • I normally add "client ipv4 address", too (with the IP of the UTM)

    In the authentication policy I add nearly the same conditions (the guide at https://community.sophos.com/kb/en-us/116144 only adds the NAS port type); I normally leave out "client friendly name".

    The NAS Identifier is important if you want to authenticate different AD groups for different wireless networks/SSIDs. I always add a Windows group to the authentication policy ("domain users", or a specific group if not everybody is allowed).

    The used certificate for protected EAP (PEAP) has to be one for a machine, it can not be a certificate for the CA itself.
    I rather have problems connecting some client PCs to the WLAN (they try to authenticate as a computer, not a user) than connecting mobile devices.

    Most problems are on NPS side, on the UTM you can't do much wrong.

    Only one thing left...
    Be sure to test your RADIUS connection on the UTM AFTER you have successfully tested and saved it. I had a support case because a "&" was converted to HTML code in the saving process and the authentication after saving failed. That was NUTM-7160 and was fixed in 9.501.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
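The following is an added example, not code from the thread, from Sophos, or from NPS. It models the two things Kevin's post turns on: the connection-policy conditions (NAS Port Type = Wireless 802.11, NAS Identifier = SSID, Client IPv4 address = the UTM, plus a Windows group on the authentication policy) and the shared-secret check that breaks when the secret is altered on save (his "&" case). It encodes a minimal RADIUS Access-Request with a Message-Authenticator (HMAC-MD5 over the packet, RFC 2869 5.14), then evaluates it in the order NPS does: client and secret first, then conditions, then group. The UTM address, SSID-to-group table, and AD group lookup are constructed placeholders, not values from the thread.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
WIRELESS_802_11 = 19          # NAS-Port-Type value "Wireless - IEEE 802.11"
HEADER_LEN = 20               # code, id, length, 16-byte Request Authenticator

# Constructed environment (not from the thread): the UTM is the only RADIUS
# client, one policy per SSID, and a toy AD group lookup standing in for the domain.
UTM_IP = "192.0.2.1"
POLICIES = {"Corp-WiFi": "Domain Users", "IT-WiFi": "IT-Staff"}
AD_GROUPS = {"alice": {"Domain Users"}, "bob": {"Domain Users", "IT-Staff"}}


def ip4(dotted):
    """Dotted IPv4 string to the 4-byte form used in the NAS-IP-Address attribute."""
    return bytes(int(o) for o in dotted.split("."))


def encode_attrs(attrs):
    """TLV-encode (type, value) pairs; ints become 4-byte big-endian integers."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        elif isinstance(v, str):
            v = v.encode()
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_access_request(secret, ident, req_auth, attrs):
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet with MA zeroed)."""
    body = encode_attrs(attrs)
    ma_tlv = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    length = HEADER_LEN + len(body) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + req_auth
    mac = hmac.new(secret, header + body + ma_tlv + b"\x00" * 16, hashlib.md5).digest()
    return header + body + ma_tlv + mac


def decode_attrs(packet):
    """Return ({type: value}, offset of the Message-Authenticator TLV or -1)."""
    attrs, ma_offset, pos = {}, -1, HEADER_LEN
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        if t == MESSAGE_AUTHENTICATOR:
            ma_offset = pos
        pos += l
    return attrs, ma_offset


def shared_secret_ok(packet, secret):
    """Recompute the Message-Authenticator; a mangled secret fails here, before any policy runs."""
    attrs, off = decode_attrs(packet)
    if off < 0:
        return False
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(attrs[MESSAGE_AUTHENTICATOR], expected)


def authorize(packet, secret, src_ip):
    """Model of the NPS evaluation order: RADIUS client and secret, connection conditions, group."""
    if src_ip != UTM_IP:                      # "Client IPv4 address" condition
        return "reject: unknown RADIUS client"
    if not shared_secret_ok(packet, secret):
        return "reject: bad shared secret"
    attrs, _ = decode_attrs(packet)
    port_type = struct.unpack("!I", attrs.get(NAS_PORT_TYPE, b"\x00" * 4))[0]
    if port_type != WIRELESS_802_11:          # "NAS Port Type" condition
        return "reject: NAS-Port-Type is not Wireless 802.11"
    ssid = attrs.get(NAS_IDENTIFIER, b"").decode()
    if ssid not in POLICIES:                  # "NAS Identifier" selects the policy
        return "reject: no policy for SSID " + repr(ssid)
    user = attrs.get(USER_NAME, b"").decode().split("\\")[-1]   # accept DOMAIN\user too
    if POLICIES[ssid] not in AD_GROUPS.get(user, set()):        # Windows group condition
        return "reject: %s not in %s" % (user, POLICIES[ssid])
    return "accept"


def demo():
    """Same request checked with the real secret and with the HTML-escaped form of it."""
    req_auth = bytes(range(16))               # constructed; real clients use 16 random bytes
    attrs = [(USER_NAME, "CORP\\bob"), (NAS_IP_ADDRESS, ip4(UTM_IP)),
             (NAS_IDENTIFIER, "IT-WiFi"), (NAS_PORT_TYPE, WIRELESS_802_11)]
    pkt = build_access_request(b"p&ss", 7, req_auth, attrs)
    return (authorize(pkt, b"p&ss", UTM_IP), authorize(pkt, b"p&amp;ss", UTM_IP))


if __name__ == "__main__":
    print(demo())
```

The second result in `demo()` is what an NPS log shows when the stored secret no longer matches the one the client uses: the packet is discarded before any policy is consulted, which is why Kevin's advice to re-test after saving catches the problem and a policy review does not.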

  • Hi, Jiri - first time I've seen you here - welcome to the UTM Community!

    One thing that people miss is the setting on the 'Advanced' tab of 'Wireless Protection >> Global Settings'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Most problems we face with mobile devices are that they don't trust the certificate (or actually the CA that issued it). But usually it's possible to just continue after a warning.

    I saw in your screenshot you are using TKIP/AES (Corporate) with WPA2. WPA2 should use only AES, so I would switch it to AES only and leave out TKIP. I don't really think this will help with your problem, but at least you're staying within the WPA2 specs.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
