Use these settings to turn on wireless protection, set notification time-out, and configure a RADIUS server for enterprise authentication.
Network zones that permit access point connectivity. You can set up access points in the specified zones.
The time, in minutes, between when an access point goes offline and when the firewall sends a time-out notification. After the specified time, the access point will be considered inactive.
RADIUS server to use for enterprise authentication. Access points communicate with the firewall, not the RADIUS server, for authentication. Port 414 is used for RADIUS communication between the firewall and access points. Access points send accounting information on port 417 to the firewall. The firewall then forwards the information on the configured accounting port 1813 to the RADIUS server. Interim accounting updates are not supported. An Accounting Request or Accounting Response contains accounting-related information and is separate from an access request, response, or challenge.
You must set up the wireless network with 802.1x authentication.
You must turn on accounting for your RADIUS server. RADIUS accounting is supported on all APX access points and Wi-Fi enabled devices.
You must add a network address translation policy for the access point networks when the RADIUS server is connected to the firewall through an IPsec tunnel. The policy translates the source IP address to the IP address of the firewall used to reach the RADIUS server. Configure the policy by using the shell. See sys-traffic-nat on advanced-firewall.
Secondary RADIUS server
A backup RADIUS server for enterprise authentication when the firewall can’t access the primary RADIUS server.
The following restrictions apply to the secondary RADIUS server:
- Sophos APX series and Wi-Fi enabled devices can access only the primary RADIUS server.
- Sophos XGS Firewalls don't support a secondary RADIUS server.