This article describes setting up Radius (Windows Server 2008 R2) authentication to work with Sophos Wireless Security
Known to apply to the following Sophos product(s) and version(s)
Astaro Security Gateway
Before you start
Important: The Microsoft KB articles at the bottom of this article must be followed as well for the certificates to work properly.
This article is based on using a fresh install of Windows Server 2008 R2. This has been tested using Windows Server 2008 R2 with ASG versions 8.311 and UTM 9.106 with the following Wireless Network configuration:
Encryption Mode: WPA2 Enterprise
Algorithm: AES (secure)
Client Traffic: Separate Zone
Client Isolation: Disabled
Hide SSID: Disabled
If you already have some of the below steps configured, please use this as a jumping off point for troubleshooting issues you may be having.
- ASG/UTM with Wireless Protection Subscription
- Sophos AP (either an AP-10 or AP-30 or AP-50)
- Windows Server 2008 R2
Windows Server required Roles & Features:
- Active Directory
- Active Directory Certificate Services
- Network Policy and Access Services
This article assumes the following:
- You have Active Directory installed and configured on your network
- You have the Network Policy and Access Services role installed
- You have a configured certificate authority or have a valid certificate you wish to use with NPS (Radius)
- Your AP is connected and functional on your ASG/UTM
What to do
This procedure consists of the following three sections:
- Wireless Protection Configuration (ASG/UTM)
- Radius Configuration (Windows Server)
- NPS Certificate Configuration using Certificate Templates (Windows Server)
1. Wireless Security Configuration
- Click on Wireless Protection > Global Settings > Advanced tab.
- Under the Advanced tab you must enter your Radius server, Radius port and your shared secret (this will be created by you)
2. Configuring RADIUS on your Windows Server
Authorize your Network Policy Server with your Active Directory
Radius Client Setup:
- In the Server Manager click on Roles > Network Policy and Access Services > NPS > Radius Clients and Servers >Radius Client
- Now click on New on the right side of the screen under actions
- You will then be presented with the following screen
- Friendly Name: You can call this what you want. Make sure you remember what you called it as you will need to enter the same name in the steps below.
- Address (IP or DNS): Enter the IP Address or internal DNS name of your ASG/UTM. Click verify and make sure the IP or hostname resolves properly.
- Shared Secret: Enter the share secret you entered in Step 2 of the Wireless Security Configuration above.
- Click Apply
Connection Request Policies:
- Click on Policies
- Click 'Connection Request Policies'.
- On the right, under Actions, click 'New'.
- Enter a name, in our example we have called it “wireless”.
- Click Next.
- Now add the following conditions:
- Client Friendly Name: Name of the RADIUS client
- NAS Port Type: Wireless – IEEE 802.11
- NAS Identifier: SSID of your wireless network
- Click OK
- Click Next, then hit Finish – The default settings are fine for the rest of the configuration.
Click Network Polices
- On the right hand side, click 'New'.
- Name it, preferably the same as the Connection Request Policy
- Click Next
- Click Add
- Choose how you want to users to authenticate. For this, we are using the Domain 'Users Groups'.
- Click Next until you arrive at Configure Authentication Methods
- We will use PEAP. Click Add and choose Microsoft: Protected EAP (PEAP)
- Choose the authentication method as shown above
- Click Next until you arrive at Configure Constraints
- Under NAS Port Type choose Wireless – IEEE 802.11
- Click Next, then Finish.
3. NPS Certificates:
Please make sure the certificate you are using has a valid subject as in the following screen shot:
You can use your current certificate but we recommend creating a separate RAS and IAS certificate template if your Radius server is on the same machine as your Domain Controller. If you renew your Domain Controller cert it can stop authentication via Radius
The following links point to a few Microsoft KB articles describing how to deploy a CA and NPS Server Cert. You must follow the below links in order. Remember, this document outlines a fresh configuration. Please tailor this section according to how you have your certificates setup.
- Deploy a CA and NPS Server Certificate
- NPS Server Certificate: CA Installation
- NPS Server Certificate : Configure the Template and Autoenrollment