Skip to main content

Set up RADIUS Authentication for BYO devices

Updated

Smoothwall On-Premise Appliance can act as a RADIUS Accounting service and, if connected to Active Directory, a RADIUS Authentication service for tracking and managing BYO device sign-ins over Wi-Fi.

Before you begin

Ensure you meet the following requirements:

  • Your Wi-Fi system supports Enterprise Authentication (802.1X).
  • You have one of the following:
    • An on-site Active Directory (AD) server.
    • Another service that provides RADIUS authentication.
  • Your Wi-Fi controller or access points support communication with a RADIUS server.

Step 1: Deploy the CA certificate to devices

Install the BYOD CA certificate on devices to prevent certificate errors and allow HTTPS Inspection:

  1. Go to Services > Authentication > BYOD.
  2. In the Certificates section, select Download CA certificate.
  3. Deploy the certificate to devices. Install it directly or send it to device users via a secure method so they can install it themselves. Refer to your device type instructions for installing a new CA.

  Note

Some devices have a Do not validate the certificate option. Although this method is easier to set up, it is less secure.

Step 2: Configure the Wi-Fi network

In your Wi-Fi controller settings:

  1. Turn on RADIUS Authentication and Accounting. Depending on your setup, configure this in a Security Profile or directly in the SSID settings.
  2. If you use a separate RADIUS authentication source, select Smoothwall as the service that handles accounting so it can track sign-ins.
  3. Configure RADIUS:
    • Server IP: Use the IP address of your Smoothwall Appliance.
    • Shared secret: Create a shared key for both your controller and Smoothwall Appliance to use.

Step 3: Allow RADIUS traffic through the Smoothwall Firewall 

Create a Smoothwall access rule:

  • For Destination IP address, select the IP address your Wi-Fi controller or access points use to send RADIUS traffic.
  • For Services, select RADIUS accounting (1813) and RADIUS authentication (1812).

Step 4: Add the Wi-Fi controller as a RADIUS client

  1. Go to Services > Authentication > BYOD.

      Tip

    You can also set BYOD Access control rules for specific groups from this page.

  2. If you have a large-scale environment, select the BYOD Optimisation checkbox if available. If this checkbox is already selected, don’t clear it.
  3. Add the RADIUS Client:
    1. In the Authorized RADIUS clients section, select Add new RADIUS client.
    2. Ensure the Enabled checkbox is selected.
    3. Enter a Name.
    4. Enter the IP address of your Wi-Fi controller. If you have IP ranges, subnets, or access points that send RADIUS
    5. traffic directly, also add these.
    6. Enter the Shared secret you created, and enter it again in the Confirm field.
    7. Select Add.

Step 5: Check the setup

Check for successful RADIUS sign-ins

Go to Services > Authentication > User activity and ensure you can see the new sign-ins.

For additional details:

  1. Go to Reports > Realtime > System.
  2. Select Authentication Service from the Section dropdown to view RADIUS sign-in events.

Confirm the source of RADIUS traffic

Check that traffic is coming from the correct source:

  1. Turn on auditing:
    1. Go to Network > Settings > Advanced.
    2. In the Networking features > Audit section, select the checkbox for Direct incoming traffic.
    3. Select Save changes.
  2. Generate RADIUS traffic by signing in to the RADIUS-enabled Wi-Fi SSID.
  3. Check the Realtime Firewall logs:
    1. Filter by Destination port 1812 and port 1813.
    2. The Source IP column shows whether RADIUS traffic comes from the access points or the Wi-Fi controller