Smoothwall Appliance can act as a RADIUS Accounting service to track authentication and, when connected to Active Directory, a RADIUS Authentication service for managed or unmanaged device sign-ins over Wi-Fi.
Alternatively, you can set up RADIUS Accounting only to match web activity to the user (via username) rather than the device (via IP address), alongside another service that provides RADIUS authentication, such as Azure Directory, Google Directory or IDex.
Before you begin
Ensure you meet the following requirements:
- Your Wi-Fi system supports Enterprise Authentication (802.1X).
- You have one of the following:
  - An on-site Active Directory (AD) server.
  - IDex Directory
  - Google Directory
  - Azure Directory
- Your Wi-Fi controller or access points support communication with a RADIUS server.
Set your global Authentication Settings as required.
- Select the checkbox for Normalize usernames.
- If your Smoothwall Appliance is used as your firewall, select the Users identified by BYOD are subject to firewall rules that make use of groups checkbox.
- If you use the same directory across multiple sites and want to share the authentication status of users between Smoothwall Appliances (for example, in a centrally managed setup), enter the IP addresses of your other Smoothwall Appliances into the Cluster nodes field.
(Optional) To configure the Smoothwall Firewall to be the DHCP server, ensure DHCP is on and set up a DHCP subnet.
1: Deploy the CA certificate to devices
Skip this step if you are only setting up RADIUS Accounting.
Install the BYOD CA certificate on devices to prevent certificate errors and allow HTTPS Inspection:
- Go to Services > Authentication > BYOD.
- In the Certificates section, select Download CA certificate.
- Deploy the certificate to the devices. Install it directly or send it to device users via a secure method so they can install it themselves. Refer to your device type instructions for installing a new CA.
Note
Some devices have a Do not validate the certificate option. Although this method is easier to set up, it is less secure.
2: Configure the Wi-Fi network
Configure the following in your Wi-Fi controller settings. Please refer to your provider’s documentation for details.
- Turn on RADIUS Accounting and, if you’re using it, RADIUS Authentication. Depending on your setup, configure this in a Security Profile or directly in the SSID settings.
- If you use a separate RADIUS authentication source, select Smoothwall as the service that handles accounting so it can track sign-ins.
- Configure RADIUS:
  - Server IP: Use the IP address of your Smoothwall Appliance.
  - Shared secret: Create a shared key for both your controller and Smoothwall Appliance to use.
3: Allow RADIUS traffic through Smoothwall Firewall
Create a Smoothwall Access rule:
- For Source IP address, select the IP address your Wi-Fi controller or access points use to send RADIUS traffic.
- For Services, select RADIUS accounting (1813), and if you will be using RADIUS Authentication, RADIUS authentication (1812).
4: Add the Wi-Fi controller as a RADIUS client
- Go to Services > Authentication > BYOD.
Tip
You can also set BYOD Access control rules for specific groups from this page.
- BYOD Optimisation can improve traffic handling speeds in environments with large amounts of BYO device traffic. For the BYOD Optimisation checkbox:
  - If it is selected (the default setting in Maiden and beyond) and authentication is working as you expect, don’t clear it.
  - If you’re considering changing this setting, you must first contact the Support Team.
  - If you use IDex Agent to sync user credentials to your IDex Directory and encounter performance issues with BYO traffic, the Support Team may instruct you to ensure the checkbox is selected, among other actions.
  - If you don’t use IDex Agent, BYOD Optimisation prevents usernames from being prefixed with the domain name, which can cause issues with User Group mappings and result in users being treated as unauthenticated.
- Add the RADIUS Client:
  - In the Authorized RADIUS clients section, select Add new RADIUS client.
  - Ensure the Enabled checkbox is selected.
  - Enter a Name.
  - Enter the IP address of your Wi-Fi controller. If you have IP ranges, subnets, or access points that send RADIUS traffic directly, add these too.
  - Enter the Shared secret you created, and enter it again in the Confirm field.
  - Select Add.
5: Check the setup
Check for successful RADIUS sign-ins
- If you are on Leeds:
  - Go to Reports > Realtime > System.
  - Select Authentication Service from the Section dropdown to view RADIUS sign-in events.
- If you are on Maiden and later, check the Services > Authentication > User activity page and ensure you can see the new sign-ins.
Confirm your Appliance is receiving RADIUS packets
- Select the Log checkbox for the Smoothwall Access rule you created in Step 2.
- Generate RADIUS traffic by signing in to the RADIUS-enabled Wi-Fi SSID.
- Check the Realtime Firewall logs include RADIUS traffic:
  - Filter by Destination port 1813.
  - The Source IP column shows whether RADIUS traffic comes from the access points or the Wi-Fi controller.