This article explains how to fix issues with Radius Authentication used for Wireless Protection when the Radius server is connected via an IPSec tunnel.
You are using a Radius server which controls the authentication for the AP. This Radius server is connected to the UTM via an IPSec tunnel.
The AP sends authentication requests with the IP of the Access Point as the source. This IP is not part of the IPSec tunnel configuration, so the requests cannot reach the Radius server.
In this case you will probably see the following message in wireless.log:
hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message
First seen in
Sophos UTM 9.104
What To Do
Create an SNAT rule on the UTM so that everything coming from the LAN network on the RADIUS port and going to the LAN interface has its source translated to the WAN interface.
To create such an SNAT rule, proceed as follows:
- Log on to the WebAdmin
- Go to Network Protection | NAT | NAT and add a new NAT rule
- Rule Type: SNAT (Source)
- For Traffic from: LAN network
- Using service: RADIUS
- Going to: LAN interface
- Change the source to: External Interface
- Click on Save
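
To confirm the symptom before the change and check that it is gone afterwards, the resend messages in wireless.log can be counted per station. The script below is an added example, not part of the original article or of Sophos tooling; the function names, the threshold of 3, and the sample lines (built from the message quoted above) are assumptions.

```python
import re
import sys
from collections import Counter

# Matches the hostapd retransmission message quoted in the article. Any prefix
# before "hostapd:" is ignored, because the article does not show its layout.
RESEND = re.compile(
    r"hostapd: (?P<iface>\S+): STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"RADIUS: Resending RADIUS message",
    re.IGNORECASE,
)

def radius_resends(lines):
    """Count RADIUS retransmissions per (wireless interface, station MAC)."""
    counts = Counter()
    for line in lines:
        m = RESEND.search(line)
        if m:
            counts[(m.group("iface"), m.group("mac").lower())] += 1
    return counts

def stalled_stations(lines, threshold=3):
    """Stations whose request was resent at least `threshold` times (assumed
    cut-off), i.e. the RADIUS server is most likely not answering at all."""
    return sorted(k for k, n in radius_resends(lines).items() if n >= threshold)

# Constructed sample input: the article's message repeated, one line with a
# made-up prefix and upper-case MAC, a second station, and an unrelated line.
SAMPLE = [
    "hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message",
    "example-prefix hostapd: wlan0: STA 8C:70:5A:89:84:C0 RADIUS: Resending RADIUS message",
    "hostapd: wlan0: STA 8c:70:5a:89:84:c0 RADIUS: Resending RADIUS message",
    "hostapd: wlan1: STA 02:00:00:00:00:01 RADIUS: Resending RADIUS message",
    "hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated",
]

if __name__ == "__main__":
    # Pass a saved copy of wireless.log as the first argument; without one,
    # the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    for iface, mac in stalled_stations(lines):
        print(f"{iface} {mac}: RADIUS requests are being resent, server not answering")
```

A station that still appears in the output after the SNAT rule is saved indicates that its requests are not yet reaching the Radius server through the tunnel.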