Smoothwall On-Premise Appliance can act as a RADIUS Accounting service and, if connected to Active Directory, a RADIUS Authentication service for tracking and managing BYO device sign-ins over Wi-Fi.
Before you begin
Ensure you meet the following requirements:
- Your Wi-Fi system supports Enterprise Authentication (802.1X).
- You have one of the following:
- An on-site Active Directory (AD) server.
- Another service that provides RADIUS authentication.
- Your Wi-Fi controller or access points support communication with a RADIUS server.
Step 1: Deploy the CA certificate to devices
Install the BYOD CA certificate on devices to prevent certificate errors and allow HTTPS Inspection:
- Go to Services > Authentication > BYOD.
- In the Certificates section, select Download CA certificate.
- Deploy the certificate to devices. Install it directly or send it to device users via a secure method so they can install it themselves. Refer to your device type instructions for installing a new CA.
Note
Some devices have a Do not validate the certificate option. Although this method is easier to set up, it is less secure, because the device then does not verify the identity of the server it authenticates to.
Step 2: Configure the Wi-Fi network
In your Wi-Fi controller settings:
- Turn on RADIUS Authentication and Accounting. Depending on your setup, configure this in a Security Profile or directly in the SSID settings.
- If you use a separate RADIUS authentication source, select Smoothwall as the service that handles accounting so it can track sign-ins.
- Configure RADIUS:
- Server IP: Use the IP address of your Smoothwall Appliance.
- Shared secret: Create a shared key for both your controller and Smoothwall Appliance to use.
Step 3: Allow RADIUS traffic through the Smoothwall Firewall
Create a Smoothwall access rule:
- For Destination IP address, select the IP address your Wi-Fi controller or access points use to send RADIUS traffic.
- For Services, select RADIUS accounting (1813) and RADIUS authentication (1812).
Step 4: Add the Wi-Fi controller as a RADIUS client
- Go to Services > Authentication > BYOD.
Tip
You can also set BYOD Access control rules for specific groups from this page.
- If you have a large-scale environment, select the BYOD Optimisation checkbox if available. If this checkbox is already selected, don’t clear it.
- Add the RADIUS Client:
- In the Authorized RADIUS clients section, select Add new RADIUS client.
- Ensure the Enabled checkbox is selected.
- Enter a Name.
- Enter the IP address of your Wi-Fi controller. If you have IP ranges, subnets, or access points that send RADIUS traffic directly, also add these.
- Enter the Shared secret you created, and enter it again in the Confirm field.
- Select Add.
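Steps 2 and 4 rely on the controller and the appliance holding the same shared secret. The following added example (not Smoothwall code) shows how RADIUS accounting packets are authenticated with that secret as defined in RFC 2866, so a mistyped secret makes every request fail verification. The secret, user name and session ID are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5          # RFC 2866 packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types
ACCT_START = 1                                            # Acct-Status-Type value

def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_accounting_request(secret: bytes, identifier: int, user: str, session: str) -> bytes:
    """What the Wi-Fi controller sends to UDP 1813 when a device signs in."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _attr(ACCT_SESSION_ID, session.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero bytes + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """The check an accounting server makes with its own copy of the secret."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Reply whose authenticator binds it to the request and to the secret."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check the controller makes on the reply it receives."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"sample-shared-secret"  # constructed sample, as are the names below
    req = build_accounting_request(secret, 7, "student01", "sess-0001")
    print("matching secret:", request_is_authentic(req, secret))
    print("mistyped secret:", request_is_authentic(req, b"sample-shared-secert"))
```

RFC 2866 requires a server to silently discard an Accounting-Request whose authenticator does not verify, so a secret mismatch typically shows up as missing sign-ins rather than as an error on the device.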
Step 5: Check the setup
Check for successful RADIUS sign-ins
Go to Services > Authentication > User activity and ensure you can see the new sign-ins.
For additional details:
- Go to Reports > Realtime > System.
- Select Authentication Service from the Section dropdown to view RADIUS sign-in events.
Confirm the source of RADIUS traffic
Check that traffic is coming from the correct source:
- Turn on auditing:
- Go to Network > Settings > Advanced.
- In the Networking features > Audit section, select the checkbox for Direct incoming traffic.
- Select Save changes.
- Generate RADIUS traffic by signing in to the RADIUS-enabled Wi-Fi SSID.
- Check the Realtime Firewall logs:
- Filter by Destination port 1812 and port 1813.
- The Source IP column shows whether RADIUS traffic comes from the access points or the Wi-Fi controller.