Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=AddRADIUSServer

Add a RADIUS server

To add a RADIUS server, do as follows:

  1. Go to Authentication > Servers and click Add.
  2. From the Server type list, select RADIUS server.
  3. Enter a name.
  4. Type an IP address.

  5. Specify the settings.

    Option Description
    Authentication port Port to use for authentication. The default value is 1812.
    Time-out Time within which the authentication must be completed.

    Acceptable range: 1 to 60 seconds
    Enable accounting Enable accounting on the RADIUS server. The firewall sends accounting start request and time to the server when the user logs on, and accounting stop request and time when the user logs off. Supported client types: Windows client, HTTP client, Linux client, Android, iOS, iOS HTTP client, Android HTTP client, API client.

    Note: The accounting stop message isn't sent to the server when the firewall shuts down or restarts.
    Accounting port Port number to use for sending accounting information from the firewall to the RADIUS server. The default value is 1813.
    Shared secret Text string that serves as the password between the client and server.
    Domain name Creates a local entry automatically in the format user@domainname when users sign in.

    We recommend specifying a domain name when you use both AD and RADIUS servers for authentication. For example, you may use AD as your primary authentication method but use the RADIUS server for VPN or multi-factor authentication.
    Group name attribute Alias for the configured group name shown to the user.

    Note

    If a domain name isn't configured, the RADIUS server creates a user without a domain name. This creates duplicate local entries if you authenticate with both AD and RADIUS servers since the AD server creates user records with the domain name (example: user@domainname).

  6. Click Enable additional settings and specify settings.

    Option Description
    NAS-identifier String identifying the NAS originating the access request, for example an FQDN.
    NAS-port-type Type of the physical port of the NAS that is authenticating the user.

  7. Click Test connection to validate the user credentials and check the connection to the server.

  8. Click Save.
  9. Go to Authentication > Services and select servers to use for service authentication.