Create 802.1x Wireless Network with Sophos UTM Access Points


Step-by-step guide



  • UTM with Wireless Protection Subscription
  • Sophos Access point
  • Windows Server 2012 or newer

Windows Server required Roles & Features:

  • Active Directory
  • Active Directory Certificate Services
  • Network Policy and Access Services

This article assumes the following:

  • You have Active Directory installed and configured on your network
  • You have the Network Policy and Access Services role installed
  • You have a configured certificate authority or have a valid certificate you wish to use with NPS (Radius)
  • Your AP is connected and functional on your UTM



1. Wireless Security Configuration

  1. Click on Wireless Protection > Global Settings > Advanced tab.
  2. Under the Advanced tab you must enter your Radius server, Radius port and your shared secret (this will be created by you)


IT Support Sydney


2. Configuring RADIUS on your Windows Server

Authorise your Network Policy Server with your Active Directory

Radius Client Setup:

  1. Open Network Policy Server > Radius Clients and Servers > Radius Client 
  2. Right click and select ‘New’
  3. Fill in like the image below with your Sophos UTM IP address and the shared secret you just created on the UTM and click Apply.


IT Support Sydney



Connection Request Policies:

  • Click on Policies

IT Support Sydney

  • Click ‘Connection Request Policies’.
  • On the right, under Actions, click ‘New’.
  • Enter a name, in our example we have called it “wireless”.
  • Click Next.
  • Now add the following conditions:
  • Client Friendly Name: Name of the RADIUS client – in our case UTM
  • NAS Port Type: Wireless – IEEE 802.11
  • NAS Identifier: SSID of your wireless network – i.e. mywirelessnetworkname




IT Support Sydney

  1. Click OK
  2. Click Next, then hit Finish – The default settings are fine for the rest of the configuration.


Network Policies:

Click Network Polices

  1. On the right hand side, click ‘New’.
  2. Name it, preferably the same as the Connection Request Policy
  3. Click Next
  4. Click Add
  5. Choose how you want to users to authenticate. For this, we are using the Domain ‘Users Groups’.
  6. Click Next until you arrive at Configure Authentication Methods
  7. We will use PEAP. Click Add and choose Microsoft: Protected EAP (PEAP)

    IT Support Sydney


  8. Choose the authentication method as shown above
  9. Click Next until you arrive at Configure Constraints
  10. Under NAS Port Type choose Wireless – IEEE 802.11

    IT Support Sydney


  11. Click Next, then Finish.


3. NPS Certificates:

Please make sure the certificate you are using has a valid subject as in the following screen shot – this can be found by Run > mmc > Add/Remove Snap-in > Certificates > Computer > Personal and then double click the RAS and IAS Server certificate you created earlier.

IT Support Sydney

You can use your current certificate but we recommend creating a separate RAS and IAS certificate template if your Radius server is on the same machine as your Domain Controller. If you renew your Domain Controller cert it can stop authentication via Radius

The following links point to a few Microsoft KB articles describing how to deploy a CA and NPS Server Cert. You must follow the below links in order. Remember, this document outlines a fresh configuration. Please tailor this section according to how you have your certificates setup.



      1. Deploy a CA and NPS Server Certificate
      2. NPS Server Certificate: CA Installation
      3. NPS Server Certificate : Configure the Template and Autoenrollment