Skip to content

RADIUS settings

RADIUS allows you to configure the device’s RADIUS server settings. A RADIUS server provides user-based authentication to improve security and control wireless device access. The access point can authenticate users before they can gain access to the network. You can set a primary and a secondary RADIUS server for each wireless frequency.

Restrictions

When you configure an access point with a mesh network, the following restrictions apply:

  • You can only configure a primary RADIUS server for each wireless band.
  • You can't use the internal RADIUS server.

RADIUS server (2.4 GHz, 5 GHz, 6 GHz)

You can configure the following options for the primary and secondary RADIUS servers on the 2.4 GHz, 5 GHz, and 6 GHZ wireless bands.

  • You can choose one of the following for RADIUS type:

    • Internal: Use the access point's built-in RADIUS server. See Internal server.

    • External: Use an external RADIUS server. If you choose External, you must configure the following options:

      • RADIUS server: Sets the IP address of the external RADIUS server.
      • Authentication port: Set the UDP port you want to use for RADIUS authentication. You must choose a port between 1 – 65535. The default is 1812.
      • Shared secret: Enter a shared secret 1 and 99 characters in length.
      • Session timeout: Set a session timeout duration between 0 and 86400 seconds. The default is 3600.
      • Accounting: Turns RADIUS accounting on or off.
      • Accounting port: Set the UDP port you want to use for RADIUS accounting. You must choose a port between 1 and 65535. The default is 1813.

Sophos Central management

Sophos Central allows you to configure a RADIUS server for each SSID that uses an enterprise authentication method. AP6 series access points support a single RADIUS server for each frequency band, but each server must be on a separate SSID. If you assign multiple SSIDs with different RADIUS servers to an AP6 access point, you can see the following behavior:

  • Sophos Central assigns the RADIUS server you configure as the RADIUS server for each frequency band configured for the SSID.
  • When you assign an SSID with enterprise authentication and RADIUS configured on the same frequency band, the update overwrites the existing RADIUS server with the new SSID RADIUS server configuration.

Example

You have an existing SSID, EXAMPLE-ONE, configured to broadcast on the 2.4 GHz frequency band and set the primary RADIUS server to 192.168.1.1. You create a new SSID, EXAMPLE-TWO, configure it to broadcast on the 2.4 GHz and 5 GHz bands, and set the primary RADIUS server to 192.168.2.2. When you assign EXAMPLE-TWO to an access point that also has EXAMPLE-ONE assigned to it, the RADIUS settings on the 2.4 Ghz band for EXAMPLE-TWO will overwrite the RADIUS settings for EXAMPLE-ONE. You'll see 192.168.2.2 as the primary RADIUS server for both SSIDs.

More information