How to fix issues with Radius Authentication used for Wireless Protection

  • Article ID: 121257
  • Updated: 29 Jul 2014

This article explains how to fix issues with Radius Authentication used for Wireless Protection when the Radius server is connected via an IPSec tunnel. 

Scenario

You are using a Radius server which controls the authentication for the AP. This Radius server is connected to the UTM via an IPSec tunnel.
 

Issue

The AP sends authentication requests with the IP address of the Access Point as the source. This IP is not part of the IPSec tunnel configuration, so the requests cannot reach the Radius server.

In this case you will probably see the following message within the wireless.log:

hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message

 

First seen in

Sophos UTM 9.104

 

What To Do

You have to create an SNAT rule on the UTM so that all traffic coming from the LAN network using the RADIUS service and going to the LAN interface has its source translated to the WAN interface.

 

To create such an SNAT rule, proceed as follows:

  • Log on to WebAdmin
  • Go to Network Protection | NAT | NAT and add a new NAT rule
    • Rule Type: SNAT(Source)
    • For Traffic from: LAN network
    • Using service: RADIUS
    • Going to: LAN interface
    • Change the source to: External Interface
  • Click on Save 
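
To check for the wireless.log symptom quoted above before and after saving the SNAT rule, the resend messages can be counted per station. This is an added example, not Sophos code: the function names, the threshold of 3 and the sample lines (including their timestamp prefix and the second station) are constructed assumptions.

```python
import re
from collections import Counter

# Matches the hostapd message quoted in the article. Whatever precedes
# "hostapd:" (timestamp, host name) and any trailing text is ignored.
RESEND_RE = re.compile(
    r"hostapd: (?P<iface>\S+): STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"RADIUS: Resending RADIUS message",
    re.IGNORECASE,
)


def count_resends(lines):
    """Count resend events per (interface, station MAC), MAC lower-cased."""
    counts = Counter()
    for line in lines:
        match = RESEND_RE.search(line)
        if match:
            counts[(match.group("iface"), match.group("sta").lower())] += 1
    return counts


def flag_stations(lines, threshold=3):
    """Return stations with at least `threshold` resends, sorted.

    The threshold is an assumption for this example, not a Sophos value.
    """
    return sorted(key for key, n in count_resends(lines).items() if n >= threshold)


# Constructed sample input; only the message text after "hostapd:" on the
# first line comes from the article.
SAMPLE_LOG = """\
2014:07:29-10:15:01 ap01 hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
2014:07:29-10:15:02 ap01 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated
2014:07:29-10:15:04 ap01 hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
2014:07:29-10:15:05 ap01 hostapd: wlan0: STA AA:BB:CC:DD:EE:01 RADIUS: Resending RADIUS message
2014:07:29-10:15:10 ap01 hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
"""

if __name__ == "__main__":
    for (iface, sta), n in sorted(count_resends(SAMPLE_LOG.splitlines()).items()):
        print(f"{iface} {sta}: {n} resend(s)")
    for iface, sta in flag_stations(SAMPLE_LOG.splitlines()):
        print(f"repeated RADIUS resends for {sta} on {iface}")
```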

 

 
If you need more information or guidance, then please contact technical support.
