Sophos Firewall configuration
Sophos Firewall sits at the edge, so I treat authentication settings carefully. In this setup it acts as a RADIUS client and passes authentication to a Windows server running NPS. The same steps apply to XG/XGS and recent SFOS releases. Keep it tight and keep it auditable.
RADIUS gives centralised authentication. It lets Active Directory control who gets access to VPNs, Wi‑Fi and administrative portals. That cuts down duplicate accounts and makes MFA and policy-based access possible when paired with NPS extensions.
The shared secret is the first thing to check when this fails. It is also the key that obfuscates the user's password and authenticates the exchange, so treat it like a credential: generate a long random value from the start rather than a throwaway test secret you intend to harden later, because the test secret tends to survive into production. Some appliances reject very long secrets, so if a strong secret fails, try a shorter random one first, under 48 characters, not a simpler one. Everything else in a RADIUS request crosses the wire in clear text over UDP, so keep the path between the firewall and NPS on a trusted segment. DNS and routing mistakes also show up quickly. If the Sophos and Windows server sit on different networks, check UDP 1812 and 1813 reachability, plus any ACLs in between. Sophos also keeps local admin accounts for firewall login even when RADIUS is enabled. Keep one local admin account with a strong password so a RADIUS outage does not lock you out.
Setup
Prerequisites for integration
- A Windows Server with the Network Policy Server role installed and joined to Active Directory.
- Administrative access to the Sophos Firewall admin console.
- An IP plan and firewall rules that allow UDP 1812 and 1813 between the devices.
- A test AD account in the group you will use for authentication.
On the Windows server, install and configure NPS. In Server Manager, click Add Roles and Features, select Network Policy and Access Services, then add Network Policy Server. Open Server Manager > Tools > Network Policy Server. Add a RADIUS client: RADIUS Clients and Servers > RADIUS Clients > New. Give the client a friendly name and the Sophos IP. Set a shared secret and record it exactly. Create a Network Policy whose conditions match the AD group you plan to use (and, ideally, the client friendly name, so the policy applies only to the firewall) and whose authentication methods match what the firewall sends. Microsoft documents the NPS workflow and client configuration here: https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-radius-clients-configure
Log in to the Sophos admin console. Go to Authentication > Servers and click Add. Choose Server type: RADIUS server. Enter a name, the Windows server IP and the same shared secret you set in NPS. Set the authentication port to 1812, and accounting to 1813 if you use accounting. Set a timeout long enough for the round trip; 10–30 seconds is generous for plain password checks and leaves room if NPS is later fronted by an MFA extension that waits on a push. Sophos’ official steps are in their docs and are worth following exactly: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/RADIUS/AuthenticationRADIUSServerAdd/
Steps
Step-by-step integration process
- On Windows NPS, add a RADIUS client entry for the Sophos IP. Use a clear name like “Sophos-FW-01”. Set the shared secret and copy it to a safe place.
- On Windows NPS, create or edit a Network Policy. For the conditions, add the AD group you want for RADIUS auth (Windows Groups) and, ideally, the client friendly name so the policy only matches the firewall. For constraints, enable only the authentication methods the firewall actually sends. Check the Sophos docs for the service you are protecting: PAP is common for portal and SSL VPN logins and MS-CHAP v2 for L2TP, while PEAP is an 802.1X method for Wi‑Fi clients, not for the firewall's own logins. A request whose method is not enabled on the matched policy is rejected with a method-mismatch reason code.
- On Sophos, go to Authentication > Servers > Add > RADIUS. Fill in the name, IP, secret and ports, then save.
- On Sophos, set the RADIUS server as primary authentication for the service you want, whether that is SSL VPN, admin login or Wi‑Fi. The menu path varies by SFOS version.
- Create any firewall rules that permit traffic from the relevant zone to the NPS server if they sit on separate networks.
- Test with a low-risk user account.
Verifying RADIUS settings
- On Sophos, after adding the server, use the Test connection button. A working test usually returns a positive status or green tick in the UI. If it fails, record the error string.
- On Windows NPS, open Event Viewer > Custom Views > Server Roles > Network Policy and Access Services (the events themselves live in the Security log). Event ID 6272 is access granted, 6273 is access denied and 6274 is request discarded. A 6273 carries a Reason Code that names the failure.
Testing connectivity
- From the Sophos advanced shell or a jump host, run a packet capture to confirm UDP 1812 and 1813 reachability: tcpdump on the firewall filtered on those ports, and tcpdump or Wireshark on the NPS server. A request that leaves the firewall but never arrives is a routing or ACL problem; one that arrives but gets no reply is an NPS problem.
- Trigger authentication from the Sophos test button or from the actual service, such as VPN sign-in. Expect a successful authentication log on NPS within seconds.
- Check that the right username and group show up in the NPS logs. If you use PEAP, make sure the inner identity matches the AD username format.
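To see what the test button and the captures are exercising, here is a minimal PAP Access-Request builder and reply checker in Python. It is an added example, not Sophos or Microsoft code. It implements the RFC 2865 User-Password obfuscation, the RFC 2869 Message-Authenticator and the Response Authenticator check, so it doubles as a command-line test client you can run from a jump host against NPS. The secret, user name and NAS identifier in it are constructed values, and send_access_request with its host and timeout parameters is this example's own name, not a Sophos setting.

```python
# Minimal RADIUS Access-Request builder and reply checker (RFC 2865/2869, PAP only).
# Added example, not Sophos or Microsoft code; secret, user and NAS name are constructed values.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80  # attribute types

def attr(type_: int, value: bytes) -> bytes:
    """One attribute: type, length (header included), value. Values are 1..253 bytes."""
    return bytes([type_, len(value) + 2]) + value

def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: null-pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the above. A wrong secret yields garbage, not an error: NPS then logs a bad password."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def parse_attributes(packet: bytes):
    """Yield (type, value, offset of value) for each attribute after the 20-byte header."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        yield t, packet[pos + 2:pos + l], pos + 2
        pos += l

def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_id: str, request_auth: bytes = b"") -> bytes:
    """Access-Request carrying User-Name, User-Password, NAS-Identifier and Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)  # fresh random bytes per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the whole packet, with the
    # Message-Authenticator value zeroed. It is the last attribute, so it is the final 16 bytes.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What lets the server detect a wrong secret outright instead of decoding a garbage password."""
    for t, value, off in parse_attributes(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply: Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client check of the reply. On a secret mismatch this fails and the client reports a timeout."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def send_access_request(host: str, secret: bytes, username: str, password: str,
                        nas_id: str = "radius-test", port: int = 1812, timeout: float = 5.0):
    """Fire one request over UDP; returns the reply code (2 accept, 3 reject) or None on timeout."""
    request = build_access_request(os.urandom(1)[0], secret, username, password, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return response[0] if verify_response(request, response, secret) else None

if __name__ == "__main__":  # offline demonstration with constructed values
    good, bad = b"constructed-test-secret", b"wrong-secret"
    req = build_access_request(1, good, "jdoe", "Pa55w.rd!", "Sophos-FW-01")
    print("server checks MA, right secret:", verify_message_authenticator(req, good))
    print("server checks MA, wrong secret:", verify_message_authenticator(req, bad))
    print("client accepts reply from mis-keyed server:", verify_response(req, build_response(req, 2, bad), good))
```

Run it offline first to see both failure shapes: a wrong secret makes the Message-Authenticator check fail on the server side, and a reply computed with the wrong secret fails verify_response on the client side, which is why a mismatch surfaces on the firewall as a timeout rather than as a clean reject. Then point send_access_request at the NPS IP with the real secret and a test account to confirm reachability, the client entry and the policy in one exchange.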
Note:
If a change affects admin access, have console access or local credentials ready. When switching admin authentication to RADIUS, create a local admin account first. If a step changes state, such as switching primary auth, record the previous setting so you can revert. To roll back, reverse the Authentication > Services setting or remove the RADIUS server entry.
Checks
Common troubleshooting tips
- Shared secret mismatches are common, and unless the request carries a Message-Authenticator the server can check, they do not look like a secret problem: NPS decodes the PAP password with the wrong key into garbage and logs a bad-credentials denial, while the firewall discards the reply because its authenticator does not verify and reports a timeout. Re-enter both sides character for character before touching anything else.
- Firewalls often block UDP 1812 and 1813. Check intermediate ACLs and host firewalls.
- Time sync matters less for RADIUS itself than for what sits behind it: NPS talks Kerberos to AD, and PEAP validates certificate validity periods, and both fail when clocks drift. Make sure both systems use NTP and have close clocks.
- If NPS logs a credentials mismatch or user not found for a known-good password, check the user name format the firewall sends (bare name, DOMAIN\user or UPN); NPS resolves it against its own domain, and a Connection Request Policy can rewrite the User-Name attribute if the two disagree. If it logs that no policy matched, check the AD group membership. If Sophos creates local users without domain names, that can create duplicates.
- Use packet captures on the NPS server to see whether requests arrive and what the attributes contain.
- If tests time out, do not just raise the timeout. A request that gets no reply within a few seconds is either not reaching NPS, being silently discarded there (unknown client IP or bad secret), or the reply is not routing back. Capture on both ends and fix the cause; a longer timeout only hides it. Raise it only when NPS legitimately needs the time, such as waiting on an MFA prompt.
Validating user authentication
- A successful test should show Sophos reporting success and NPS showing a successful authentication event. The user can then log in to the target service, such as VPN or Wi‑Fi, with AD credentials.
- If a user is denied, the 6273 event includes a reason code: credentials mismatch (16), no matching network policy (48), Network Access Permission set to Deny on the AD account (65), or authentication method not enabled on the policy (66). Use that to adjust the policy or the account rather than guessing.
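As an added example (not Microsoft tooling), the following Python reads NPS log records in the DTS-compliant XML shape, tallies accepts and rejects per RADIUS client and reason code, and turns the tallies into the checks above. The records it parses are constructed in that shape for the example, not real log output; dts_record, parse_events, summarize and triage are this example's own names, and the reason-code table is a subset of Microsoft's list.

```python
# Triage of NPS log records in the DTS-compliant XML shape (one <Event> per line).
# Added example, not Microsoft tooling; the records below are constructed in that shape.
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Packet-Type carries the RADIUS code: 1 Access-Request, 2 Access-Accept, 3 Access-Reject.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Subset of NPS reason codes met during RADIUS integration; Microsoft's list has many more.
REASON_TEXT = {
    0: "success",
    16: "credentials mismatch: bad password, unknown user, or a wrong shared secret with PAP",
    48: "no network policy matched (group condition, client name, NAS type)",
    65: "Network Access Permission on the AD account is set to Deny",
    66: "authentication method not enabled on the matched policy",
}

def dts_record(ts, user, client_ip, client_name, packet_type, reason=None):
    """Build one constructed record in the field layout NPS uses for DTS-compliant logging."""
    fields = [("Timestamp", 4, ts), ("Computer-Name", 1, "NPS01"), ("Event-Source", 1, "IAS"),
              ("User-Name", 1, user), ("Client-IP-Address", 3, client_ip),
              ("Client-Friendly-Name", 1, client_name), ("Packet-Type", 0, packet_type)]
    if reason is not None:
        fields.append(("Reason-Code", 0, reason))
    return "<Event>" + "".join(f'<{k} data_type="{dt}">{v}</{k}>' for k, dt, v in fields) + "</Event>"

# Constructed sample: FW-01 works except one user whose method is not enabled; FW-02 has a
# mis-keyed secret, so every PAP password decodes to garbage and every user "fails".
SAMPLE_LOG = "\n".join([
    dts_record("07/14/2024 09:00:01.000", "CONTOSO\\jdoe", "10.10.0.1", "Sophos-FW-01", 1),
    dts_record("07/14/2024 09:00:01.020", "CONTOSO\\jdoe", "10.10.0.1", "Sophos-FW-01", ACCESS_ACCEPT, 0),
    dts_record("07/14/2024 09:02:14.000", "CONTOSO\\asmith", "10.10.0.1", "Sophos-FW-01", ACCESS_REJECT, 66),
    dts_record("07/14/2024 09:05:30.000", "CONTOSO\\jdoe", "10.10.0.2", "Sophos-FW-02", 1),
    dts_record("07/14/2024 09:05:30.030", "CONTOSO\\jdoe", "10.10.0.2", "Sophos-FW-02", ACCESS_REJECT, 16),
    dts_record("07/14/2024 09:06:02.000", "CONTOSO\\asmith", "10.10.0.2", "Sophos-FW-02", ACCESS_REJECT, 16),
    dts_record("07/14/2024 09:07:45.000", "CONTOSO\\bwong", "10.10.0.2", "Sophos-FW-02", ACCESS_REJECT, 16),
])

def parse_events(text):
    """Parse one <Event> element per line into plain dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = ET.fromstring(line)
        reason = ev.findtext("Reason-Code")
        events.append({
            "time": ev.findtext("Timestamp"),
            "user": ev.findtext("User-Name"),
            "client": ev.findtext("Client-Friendly-Name") or ev.findtext("Client-IP-Address"),
            "packet_type": int(ev.findtext("Packet-Type")),
            "reason": int(reason) if reason is not None else None,
        })
    return events

def summarize(events):
    """Per RADIUS client: accept count, rejects per reason code, and which users each reason hit."""
    per_client = defaultdict(lambda: {"accepts": 0, "rejects": Counter(), "users": defaultdict(set)})
    for e in events:
        c = per_client[e["client"]]
        if e["packet_type"] == ACCESS_ACCEPT:
            c["accepts"] += 1
        elif e["packet_type"] == ACCESS_REJECT:
            c["rejects"][e["reason"]] += 1
            c["users"][e["reason"]].add(e["user"])
    return dict(per_client)

def triage(summary):
    """Turn the tallies into findings. A client where every user fails with 16 and nothing ever
    succeeds is far more likely a shared-secret mismatch than several people mistyping passwords."""
    findings = []
    for client, c in sorted(summary.items()):
        if c["accepts"] == 0 and set(c["rejects"]) == {16} and len(c["users"][16]) >= 2:
            findings.append(f"{client}: every user fails with reason 16 and nothing succeeds; "
                            "re-enter the shared secret on both sides before blaming passwords")
        for reason, n in sorted(c["rejects"].items()):
            text = REASON_TEXT.get(reason, "see Microsoft's NPS reason-code list")
            findings.append(f"{client}: {n} reject(s), reason {reason}: {text}")
    return findings

if __name__ == "__main__":
    for finding in triage(summarize(parse_events(SAMPLE_LOG))):
        print(finding)
```

Feed it a real file from the NPS log directory instead of SAMPLE_LOG and the same heuristics apply: a newly added client with only reason-16 rejects across several users points at the secret, a run of reason 66 points at the policy's authentication methods, and reason 48 means the group or client-name condition did not match.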
Takeaways
Start with the network, then the shared secret, then the policy. Use the test buttons and the logs. Keep a local admin path into the firewall. If something changes state, note the previous setting so rollback is quick. With those checks in place, Sophos Firewall as a RADIUS client to a Windows server is straightforward enough.

