Sophos Wireless and Radius Authentication

  • Article ID: 116144
  • Updated: 14 Feb 2014

This article describes how to set up RADIUS authentication against Windows Server 2008 R2 (Network Policy Server) for use with Sophos Wireless Security.

Known to apply to the following Sophos product(s) and version(s):

  • Astaro Security Gateway
  • Sophos UTM

Operating systems: V8, V9

Before you start

Important: The Microsoft KB articles listed at the bottom of this article must also be followed for the certificates to work properly.

This article is based on a fresh install of Windows Server 2008 R2. It has been tested with Windows Server 2008 R2 against ASG version 8.311 and UTM version 9.106, using the following Wireless Network configuration:

  • Encryption Mode: WPA2 Enterprise
  • Algorithm: AES (secure)
  • Client Traffic: Separate Zone
  • Client Isolation: Disabled
  • Hide SSID: Disabled

If you already have some of the steps below configured, use this article as a starting point for troubleshooting any issues you may be having.

Prerequisites:

  • ASG/UTM with Wireless Protection Subscription
  • Sophos AP (an AP 10, AP 30 or AP 50)
  • Windows Server 2008 R2

Windows Server required Roles & Features:

  • Active Directory
  • Active Directory Certificate Services
  • Network Policy and Access Services

This article assumes the following:

  • You have Active Directory installed and configured on your network
  • You have the Network Policy and Access Services role installed
  • You have a configured certificate authority or have a valid certificate you wish to use with NPS (Radius)
  • Your AP is connected and functional on your ASG/UTM

What to do

This procedure consists of the following three sections:

  1. Wireless Protection Configuration (ASG/UTM)
  2. Radius Configuration (Windows Server)
  3. NPS Certificate Configuration using Certificate Templates (Windows Server)

1. Wireless Security Configuration

  1. Click on Wireless Protection > Global Settings > Advanced tab.
  2. Under the Advanced tab, enter your Radius server address, the Radius port and a shared secret. You choose the shared secret yourself; the same value must be entered on the Windows server in the next section.

2. Configuring RADIUS on your Windows Server

First, register (authorize) your Network Policy Server in your Active Directory.

Radius Client Setup:

  1. In the Server Manager, click on Roles > Network Policy and Access Services > NPS > RADIUS Clients and Servers > RADIUS Clients

  2. Now click on New on the right side of the screen, under Actions

  3. In the New RADIUS Client dialog, fill in the following fields:

    • Friendly Name: You can call this what you want. Make sure you remember what you called it as you will need to enter the same name in the steps below.
    • Address (IP or DNS): Enter the IP Address or internal DNS name of your ASG/UTM. Click verify and make sure the IP or hostname resolves properly.
    • Shared Secret: Enter the shared secret you entered in Step 2 of the Wireless Security Configuration above. It must match exactly on both sides.

  4. Click Apply

Policies

Connection Request Policies:

  1. Click on Policies

  2. Click 'Connection Request Policies'.
  3. On the right, under Actions, click 'New'.
  4. Enter a name, in our example we have called it “wireless”.
  5. Click Next.
  6. Now add the following conditions:
    • Client Friendly Name: Name of the RADIUS client
    • NAS Port Type: Wireless – IEEE 802.11
    • NAS Identifier: SSID of your wireless network

  7. Click OK
  8. Click Next, then Finish. The default settings are fine for the rest of the configuration.
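What the shared secret from the RADIUS client setup and the NAS Port Type / NAS Identifier conditions above correspond to on the wire, as an added example (stdlib Python, not Sophos or Microsoft code): it builds the Access-Request a NAS such as the UTM sends for a wireless client, verifies the Message-Authenticator the way the RADIUS server does, and validates the server's reply the way the NAS does. The secret, the user name, the NAS address 192.0.2.1 and the SSID "CorpWiFi" are constructed values; no packets are sent.

```python
"""RADIUS Access-Request / response helpers (RFC 2865, RFC 2869), stdlib only.

Shows what the shared secret entered on the UTM and in the NPS RADIUS client
protects. Nothing here touches the network; all values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types (RFC 2865 / RFC 2869)
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19  # the "Wireless - IEEE 802.11" value matched by the NPS policy


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return the (type, value) pairs following the 20-byte RADIUS header."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def build_access_request(secret, ident, request_auth, user, nas_ip, ssid):
    """Build the Access-Request a NAS (here: the UTM) sends for a wireless client.

    NAS-Port-Type and NAS-Identifier are the attributes the connection request
    policy conditions match on. Message-Authenticator is HMAC-MD5 over the whole
    packet keyed with the shared secret, computed with its own value zeroed.
    """
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(NAS_IDENTIFIER, ssid.encode())
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, kept last
    unsigned = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def verify_message_authenticator(packet, secret):
    """What NPS does on receipt: recompute the HMAC with its own copy of the secret.

    If the secret on the UTM and in the NPS RADIUS client differ, this fails and
    the server silently discards the request (RFC 2869), which from the UTM side
    looks like a RADIUS server that never answers.
    """
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(body + request[4:20] + attrs + secret).digest()
    return body + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: only trust an Accept/Reject whose authenticator was made with the secret."""
    if response[1] != request[1]:  # must answer the outstanding request identifier
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed; the same value goes on the UTM and in NPS
    req = build_access_request(SECRET, 7, os.urandom(16), "jdoe", "192.0.2.1", "CorpWiFi")
    print("NPS accepts request with matching secret:", verify_message_authenticator(req, SECRET))
    print("NPS accepts request with mistyped secret:",
          verify_message_authenticator(req, b"example-shared-secrett"))
    accept = build_response(ACCESS_ACCEPT, req, SECRET)
    print("UTM trusts genuine Access-Accept:", verify_response(accept, req, SECRET))
    print("UTM trusts reply built with wrong secret:",
          verify_response(build_response(ACCESS_ACCEPT, req, b"wrong-secret"), req, SECRET))
```

The mistyped-secret case is the one most often behind "Radius authentication does not work" after following these steps: the request reaches NPS, fails the Message-Authenticator check and is dropped, so check the secret on the UTM Advanced tab against the NPS RADIUS client entry before looking anywhere else.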

Network Policies:

Click Network Policies

  1. On the right hand side, click 'New'.
  2. Name it, preferably the same as the Connection Request Policy
  3. Click Next
  4. Click Add
  5. Choose how you want users to authenticate. For this example we are using the 'User Groups' condition with the Domain Users group.
  6. Click Next until you arrive at Configure Authentication Methods
  7. We will use PEAP. Click Add and choose Microsoft: Protected EAP (PEAP)

  8. Select the PEAP entry added in the previous step as the authentication method
  9. Click Next until you arrive at Configure Constraints
  10. Under NAS Port Type choose Wireless – IEEE 802.11

  11. Click Next, then Finish.

3. NPS Certificates:

Make sure the certificate you are using has a valid subject name.

You can use your current certificate, but if your Radius server is on the same machine as your Domain Controller we recommend creating a separate RAS and IAS certificate template. Otherwise, renewing the Domain Controller certificate can stop authentication via Radius.

The following Microsoft KB articles describe how to deploy a CA and an NPS server certificate. Follow them in the order listed. Remember that this document describes a fresh configuration; tailor this section to how your certificates are set up.

  1. Deploy a CA and NPS Server Certificate
  2. NPS Server Certificate: CA Installation
  3. NPS Server Certificate: Configure the Template and Autoenrollment

If you need more information or guidance, then please contact technical support.
