Essential steps for Sophos Firewall RADIUS integration
Sophos Firewall configuration
Sophos Firewall is a capable perimeter device. I treat it as the gatekeeper for authentication and access. For this how-to I focus on using Sophos as a RADIUS client to delegate authentication to a Windows server running NPS. The same steps apply to XG/XGS and recent SFOS releases. Keep the configuration tight and auditable.
RADIUS gives centralised authentication. It lets Active Directory control who accesses VPNs, Wi‑Fi and administrative portals. That reduces duplicated accounts. It also enables MFA and policy-based access when paired with NPS extensions.
Shared secret mismatch is the top cause of failures. Use a simple test secret to begin, then harden it. Some appliances choke on very long secrets; if a test fails, try a shorter secret (under 48 characters) first. DNS and routing mistakes also show up. If the Sophos and the Windows server sit in different networks, confirm UDP 1812/1813 reachability and any intermediate ACLs. Finally, Sophos sometimes requires a local admin account for firewall admin login even when RADIUS is enabled. Keep one local admin account with a secure password.
Setup
Prerequisites for integration
- A Windows Server with Network Policy Server (NPS) role installed and joined to Active Directory.
- Administrative access to the Sophos Firewall admin console.
- IP addressing plan and firewall rules allowing UDP 1812 and 1813 between the devices.
- A test AD account in the group you will use for authentication.
On the Windows server, install and configure NPS. In Server Manager click Add Roles and Features, select Network Policy and Access Services, then add Network Policy Server. Open Server Manager > Tools > Network Policy Server. Add a RADIUS client: RADIUS Clients and Servers > RADIUS Clients > New. Give the client a friendly name and the Sophos IP. Set a shared secret and record it exactly. Create a Network Policy that matches the connection type and user group you plan to use. Microsoft documents the NPS workflow and client configuration here: https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-radius-clients-configure
Log in to the Sophos admin console. Go to Authentication > Servers and click Add. Choose Server type: RADIUS server. Enter a name, the Windows server IP and the same shared secret you set in NPS. Set the authentication port to 1812 (and accounting 1813 if you use accounting). Configure a timeout of 10–30 seconds for initial tests. Sophos’ official steps are in their docs and are worth following exactly: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/RADIUS/AuthenticationRADIUSServerAdd/
Steps
Step-by-step integration process
- On Windows NPS: add a RADIUS client entry for the Sophos IP. Use a clear name like “Sophos-FW-01”. Set the shared secret and copy it to a safe place.
- On Windows NPS: create or edit a Network Policy. Condition: Windows Groups -> add the AD group for RADIUS auth. Constraints -> EAP types as required (for VPN often MS-CHAP v2 or PEAP).
- On Sophos: Authentication > Servers > Add > RADIUS. Fill name, IP, secret and ports. Save.
- On Sophos: Authentication > Services or Authentication > Rules (depending on SFOS version) set the RADIUS server as primary authentication for the service you want (SSL VPN, admin login, Wi‑Fi).
- On Sophos: create any firewall rules permitting traffic from the relevant zone to the NPS server if they are on separate networks.
- Test with a low-risk user account.
Verifying RADIUS settings
- On Sophos: after adding the server, use the Test connection button. A successful test usually returns a positive status or green tick in the UI. If the UI reports failure, record the error string.
- On Windows NPS: open Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services. Successful authentication attempts show Event ID 6272 or similar, depending on the Windows version. Failed attempts include a reason code.
Testing connectivity
- From the Sophos shell or a jump host, run a UDP test (or packet capture) to confirm 1812/1813 reachability. tcpdump or Wireshark on the NPS server helps.
- Trigger an auth from the Sophos test button or from the actual service (VPN sign‑in). Expect a successful authentication log on NPS within seconds.
- Verify the correct username and group appear in the NPS logs. If you use PEAP, ensure the inner identity matches AD username format.
Note: If a change affects admin access, have console access or local credentials ready. When switching admin authentication to RADIUS, create a local admin account first. If a step changes state (for example switching primary auth), record the previous setting so you can revert. To roll back, reverse the Authentication > Services setting or remove the RADIUS server entry.
Checks
Common troubleshooting tips
- Shared secret mismatches are common. Re-enter both sides character for character.
- Firewalls often block UDP 1812/1813. Check intermediate ACLs and host firewalls.
- Time sync matters. Ensure both systems use NTP and have close clocks.
- If NPS logs show User not found, check the AD group membership and the user’s UPN. If Sophos creates local users without domain names, that can create duplicates.
- Use packet captures on the NPS server to see if requests arrive and what the attributes contain.
- If tests time out, lower the timeout and retry. Increasing timeouts hides routing issues; fix the routing instead.
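To exercise the UDP path and the shared secret directly (the reachability test under Testing connectivity and the secret-mismatch tip above), here is an added Python example; it is not Sophos or Microsoft code. It builds an RFC 2865 PAP Access-Request, sends it over UDP 1812, and verifies the Response Authenticator; the host, username, password, secret and NAS-Identifier values are constructed placeholders, and build_response stands in for NPS so the logic can be checked offline.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def _attr(atype, value):
    # Type (1 byte), Length (1 byte, includes the 2-byte header), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(blob, secret, authenticator):
    # Inverse of encrypt_password: a wrong secret yields garbage, which NPS sees as a bad password
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_id, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = _attr(USER_NAME, username) + _attr(NAS_IDENTIFIER, nas_id) + _attr(USER_PASSWORD, encrypt_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # What a RADIUS server sends back; used here only to simulate NPS offline (assumption, not NPS code)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request_authenticator, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    ok_len = len(resp) >= 20 and struct.unpack("!H", resp[2:4])[0] == len(resp)
    return ok_len and hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest() == resp[4:20]

def send_request(host, packet, port=1812, timeout=5.0):
    # A socket.timeout here means nothing answered: check routing and ACLs on UDP 1812 first
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return s.recv(4096)
```

Against a real NPS, a reply that fails verify_response with the secret you configured is the clearest sign of a shared secret mismatch, while a timeout points at routing or ACLs rather than the secret.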
Validating user authentication
- Expected outcome for a successful test: Sophos shows test succeeded and NPS shows a successful authentication event. The user can log in to the target service (VPN or Wi‑Fi) with AD credentials.
- If a user is denied, the NPS event will include a reason: wrong password, user not in group, or authentication method mismatch. Use that to adjust policies.
Takeaways
Start simple and test each layer: network, shared secret, policy. Use the test buttons and logs. Keep a local admin path into the firewall. If something changes state, note the previous setting so rollback is quick. With those checks in place, Sophos Firewall configuration as a RADIUS client to a Windows server is straightforward and reliable.