RADIUS authentication model guide for Sophos APX on Sophos Firewall

1 Overview

RADIUS is a widely used protocol for authenticating users who connect to Wi-Fi, and it strengthens security in an Active Directory network by checking each wireless login against a domain account instead of a shared passphrase. In this guide Techbast walks through the steps of implementing a RADIUS model to authenticate users connecting to a Sophos APX access point.

2 Steps to take

2.1 Diagram

The model uses a Windows Server as the RADIUS server, located in VLAN 2.

The Sophos APX access point is located in VLAN 200 and operates in Bridge to AP LAN mode. Wi-Fi users connecting to the AP are assigned an IP address in VLAN 200.

The Sophos Firewall is the default gateway for VLAN 2 and VLAN 200, and it connects to the RADIUS server and the access point through a switch.

2.2 Configuration steps

To build the model we need to configure the following components:

  • Configure Certificate Service for Server
  • Configure Network Policy Service and Radius service for Server
  • Configure Radius connection on Firewall
  • Configure Wifi for APX

2.2.1 Configuring Certificate Service for Server

NPS's PEAP authentication protocol builds a TLS tunnel between the wireless client and the NPS server, so the server must present a certificate; we therefore need a Certificate Service first. The configuration steps are as follows.

We add the Active Directory Certificate Services role.

Select the service as shown and click Next until the installation finishes.

After the role is installed, a message appears; click Configure Active Directory Certificate Services as shown,

then click Next.

Select the services that we have installed and click Next.

Select Enterprise CA and click Next.

Select Root CA and click Next.

Select Create a new private key and click Next.

After completing the configuration steps, click Configure.

The Certificate Authority is now configured; click Close.

2.2.2 Configure Network Policy Service and Radius service for Server

To configure the RADIUS server we need to install the Network Policy and Access Services role.

Select the role and click Next to install it.

Click Next through the remaining pages and select Install.

After the installation is complete, we open Network Policy Server.

Select NPS (Local). I choose RADIUS server for 802.1X Wireless or Wired Connections, then click Configure 802.1X below it.

The configuration wizard appears; select Secure Wireless Connections, give this profile a name and click Next.

Create a RADIUS client. Enter a name in the Friendly name field; here the client is the Sophos Firewall, so we enter the IP address of the Sophos Firewall's VLAN 2 port, enter the shared secret for the client and click OK. The address must be the one the firewall actually sends RADIUS requests from, because NPS discards requests from addresses that are not registered as clients.

We have created the client named Sophos; click Next.

Select PEAP as the authentication protocol and click Next.

Select Add to add the domain user group you want to use for authentication; here I choose Domain Users so that all users in the domain can authenticate through RADIUS.

I have created a few users in advance to test the model.

Click Next.

Click Finish.
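The same server-side preparation from sections 2.2.1 and 2.2.2 (CA installation, the NPS role and the RADIUS client entry) can be scripted. The block below is an added example, not from the Techbast guide and not Sophos or Microsoft tooling shipped with the guide; it assumes the firewall's VLAN 2 address is 192.168.2.1, the CA name is LAB-ROOT-CA and the server is domain-joined, all of which are placeholders. The Secure Wireless Connections wizard (the PEAP network policy with the Domain Users condition) is still created in the NPS console as described above.

```powershell
# Added example; run in an elevated PowerShell session on the Windows Server
# that will host both the CA and NPS. Placeholders (not from the guide):
# firewall VLAN 2 address 192.168.2.1, CA name LAB-ROOT-CA.

# 2.2.1  Active Directory Certificate Services as an Enterprise Root CA
Install-WindowsFeature AD-Certificate -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName "LAB-ROOT-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force

# PEAP needs a server certificate in the NPS server's machine store; enrol one
# from the new CA using the built-in Computer template (internal name "Machine").
Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My

# 2.2.2  Network Policy and Access Services plus the RADIUS client
Install-WindowsFeature NPAS -IncludeManagementTools
netsh nps add registeredserver   # lets NPS read user dial-in properties from AD

# Generate a long random shared secret rather than typing a short one; the
# same value is entered on the Sophos Firewall in step 2.2.3.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
Write-Host "Shared secret to enter on the firewall: $secret"

# Address must be the interface the firewall sends RADIUS from (its VLAN 2
# port); NPS silently drops requests from addresses that are not registered.
New-NpsRadiusClient -Name "Sophos" -Address "192.168.2.1" -SharedSecret $secret

# Confirm the client entry, then keep a backup of the NPS configuration.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled
Export-NpsConfiguration -Path "C:\nps-backup.xml"
```

The exported XML contains the shared secret in clear text, so store the backup with the same care as the secret itself.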

2.2.3 Configure Radius connection on Firewall

On the firewall, we configure the connection to the RADIUS server and allow authentication through RADIUS.

Go to Authentication >> Servers and select Add to create a connection.

Select RADIUS server as the Type.

Server IP: the IP address of the RADIUS server.

Shared secret: the key we entered earlier when creating the RADIUS client on the server; it must match exactly.

Domain name: the domain of the server.

Group name attribute: the group name selected in the NPS configuration above.

Then click Save.

Switch to the Services tab, add the RADIUS server to the selected authentication servers next to Local, and click Apply.

2.2.4 Configure Wifi for APX

We now enable RADIUS authentication on the APX access point.

Go to Wireless >> Wireless settings. Turn on Enable wireless protection. Under Primary RADIUS server select the server we created earlier and click Apply.

Switch to the Wireless networks tab and choose Add to create a new network. Enter a name in the Name field, enter the SSID and select WPA2/WPA Enterprise as the Security mode. Click Save.

On the Access points tab, select the connected APX device to configure it.

Assign the wireless network to the access point as shown above and click Save.

3 Check the results

We connect to the Sophos Test network from a mobile device and enter the login details of a user created in AD.

The device is allowed to connect and is given an IP address from the VLAN 200 range.

On Apple devices such as an iPhone or MacBook, a prompt appears when connecting to the network asking for permission to trust the RADIUS server's certificate; we choose Trust to accept the certificate and connect as normal. The prompt appears because the certificate was issued by the internal Enterprise CA, which the device does not yet trust; distributing the CA's root certificate to managed devices (for example through a configuration profile) lets clients validate the server certificate automatically instead of relying on the user to accept it.

On the RADIUS server, we open Event Viewer to see the log of successful user logins (NPS records a granted request as Security event 6272 and a rejected one as 6273).
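Instead of reading the events one by one in Event Viewer, the results can be pulled out and summarised. This is an added example, not part of the Techbast guide; it assumes it is run on the NPS server with rights to read the Security log, and the field names it reads (SubjectUserName, ClientIPAddress, CallingStationID, CalledStationID, NetworkPolicyName, EAPType, Reason) are the standard data fields of NPS events 6272 and 6273.

```powershell
# Added example: summarise recent NPS authentication results on the RADIUS server.
# Security event 6272 = access granted, 6273 = access denied.
# Assumption: run on the NPS server with rights to read the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Field names come from the event XML; collect them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 6272) { $result = 'Granted' } else { $result = 'Denied' }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = $result
        User   = $data['SubjectUserName']
        Client = $data['ClientIPAddress']   # the Sophos Firewall (RADIUS client)
        Device = $data['CallingStationID']  # MAC address of the Wi-Fi client
        SSID   = $data['CalledStationID']   # AP MAC followed by the SSID
        Policy = $data['NetworkPolicyName']
        EAP    = $data['EAPType']
        Reason = $data['Reason']            # populated only for denials
    }
}

# Most recent attempts first.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Repeated denials from one Wi-Fi device are worth a look (a mistyped password,
# a stale saved profile, or something guessing credentials). Flag any MAC
# address with five or more denials in the window examined.
$rows | Where-Object Result -eq 'Denied' |
    Group-Object Device |
    Where-Object Count -ge 5 |
    Select-Object @{ n = 'Device'; e = { $_.Name } }, Count
```

If nothing is returned, confirm that NPS accounting is logging to the Windows Security log (the default) and that the client's requests are reaching the server at all; a request from an unregistered RADIUS client address produces no 6272/6273 event.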

We have now finished configuring the authentication model using the RADIUS server. Good luck.
