
How to configure RADIUS authentication

You can add existing RADIUS users to the firewall. To do this, you add a RADIUS server and set the primary authentication method.

Note

The settings we specify in this document are examples. For more detailed information on RADIUS server settings, see Add a RADIUS server.

Objectives

When you complete this unit, you'll know how to do the following:

  • Add and configure a RADIUS server on the firewall.
  • Set the primary authentication method so that the firewall queries the RADIUS server first.

Add a RADIUS server

Add a RADIUS server that includes a shared secret and group name attribute.

You’ll need the following information to complete this task:

  • RADIUS server shared secret
  • RADIUS server group name attribute

  1. Go to Authentication > Servers and click Add.

  2. Specify the settings.

    Note

    For settings not listed here, use the default value.

    Use the shared secret and group name attribute that are configured on the RADIUS server.

    The settings below are examples.

    Option                  Value
    Server type             RADIUS server
    Server name             SF_RADIUS
    Server IP               192.168.1.102
    Authentication port     1812
    Time-out                3 seconds
    Enable accounting       Yes
    Accounting port         1813
    Shared secret           <RADIUS server shared secret>
    Group name attribute    <RADIUS server group name attribute>

  3. Click Test connection to validate the user credentials and check the connection to the server.

  4. Click Save.

Set primary authentication method

To query the RADIUS server first, you set it as the primary authentication method. When users sign in to the firewall for the first time, they're automatically added as a member of the default group specified.

  1. Go to Authentication > Services.
  2. In the authentication server list, select SF_RADIUS.
  3. Move the server to the first position in the list of selected servers.

    [Image: RADIUS server as primary authentication server.]

  4. Click Apply.

Test the configuration by signing in through the captive portal with user credentials from the RADIUS server. You can access the captive portal at https://<IP address of Sophos Firewall>:8090.

[Image: Sign in through the captive portal.]