With Sonar's pass-through authentication option, users only have to log in to their device once; they should no longer have to log in to Sonar manually to get to the Internet.

Login credentials used to either log into Windows or your Wireless Network are used by Sonar as an identifier that validates the user the moment they log in to the domain.

This feature allows desktop computers and laptops to be automatically authenticated when they connect to the network. It also provides an easy and convenient way for iOS and other mobile devices to be authenticated against Sonar.


The Sonar Authentication Monitor runs as a Windows Service that monitors login events on a domain controller. When the service detects a login event, it notifies Sonar that someone has logged in and authenticates the user. Sonar then logs the user out after a certain amount of time (one that you can set yourself) or when another user logs into the same computer or device.

If, for whatever reason, the Authentication Monitor was not able to identify who the user is on log in, Sonar will prompt the user to authenticate manually when they first try to access the Internet. This is AD Pass-through's basic fall back authentication method, which can also be used as an authentication type.

WHAT YOU NEED: A Windows 2008 R2 or greater. If any Domain Controllers are running a lower version, this can result in unpredictable behaviour. 

  • Administrator privileges on the Domain Controller on which you are installing the Authentication Monitor. 
  • Make sure the Domain Controller and Sonar are set to the same time to prevent any premature log off events. 
  • If you're using the Authentication Monitor to log mobile devices in with RADIUS credentials, you'll need to ensure your DHCP server is running Windows 2008 R2 (or later) and make sure the Network Policy Server role is installed and configured on a Domain joined server. See this link: http://technet.microsoft.com/en-us/library/ff919513(WS.10).aspx
  • Sonar 3.2.13 or higher (Sonar 3.2.14 is required for RADIUS)
  • You'll need to also make sure that your server has the following packages installed: .NET Framework 4.0or higher and C++ Redistributable 2010 both x86 and x64 versions.  


The first thing you'll need to do is log into the Domain Controller with a user account that has administrative privileges (Make sure you connect each of your Active Directory Domain Controllers in turn if you have more than one; the monitor must be installed on all Domain Controllers as client machines can use any of them). 

Launch the Sonar admin page (<sonar's IP>/admin.html) and download the Authentication Monitor install package (under Downloads).


  • Run the installer to start the process. The Authentication Wizard will be launched, and will guide you through the installation process.


  • When you are prompted to enter Sonar details, type in Sonar's IP Address and port. By default, it is port 80. If you have multiple Sonar devces, you can put in more then one IP (separated by a comma).

  • If this server has the Network Policy Server role installed for RADIUS, insert the IP address of your DHCP server below (or localhost if this machine is also your DHCP server). If you have split-scope DHCP, enter one address here (we can manually at the other(s) later).

  • The Username and Password fields are only required if this server hosts the NPS role AND is NOT the DHCP server.


Complete the installation with the default values, but if you'd like to change the path of the installation directory, do so on the appropriate step.



Once the installation has been completed, the Sonar Authentication Service should now be installed a Windows Service which you will have to start manually. You can do this by going into Administrative Tools -> Services

In the Windows Services window, right-click the "BlueReefPassthroughMonitor" service and select "Properties".  

Change the Startup Type to 'Automatic', and press 'Apply'.


For NPS servers (performing the RADIUS role), there are a couple of other steps required. If the DHCP role is NOT being performed on this server, you will need to configure the Blue Reef service to run with Domain Administrator privileges. This is required because the service needs to query DHCP, and Windows does not allow anything less than Domain Administrator to do this. 

From within the BlueReefPassthroughMonitor Property sheet (see above step for reference), set the 'Log on as' to 'This account:', and enter a privileged account's details as shown below (domain forward-slash username).


When the Authentication Monitor service registers with Sonar for the first time, it is disabled. You must enable it before AD Passthrough authentication will work.

In the Sonar GUI, navigate to Network -> Authentication Servers -> Domain Authentication Monitor.

The IP Domain Controller you installed the Pass-through agent will appear in the list. Highlight this and click "Enable/Disable". This will enable the monitor on Sonar. 

Also in this window you can adjust the Login Timeout Value which is the period after which the user is automatically logged out of Sonar (8 hours by default).

If you want to use Blue Reef's AD Pass-through authentication type to be the default authentication type, you can navigate to System -> System Settings in the GUI and change the "Authentication Type" to "ad_pass_through". This will set the authentication type GLOBALLY. 

For specific IP Ranges or hosts, navigate to Network -> Authentication Servers -> Authentication Type in which you can configure a specific host or subnet to use AD Pass-through authentication. Authentication types can be mixed in this window using subnet ranges. 


You can choose to uninstall the Authentication monitor using the standard Windows Programs and Features. Before uninstalling, however, it is highly recommended STOPPING the pass-through service first, under Administrative Tools -> Services and right clicking the service and selecting Stop.


While this service runs smoothly across most platforms, there are some issues regarding AD Pass-through that are currently still being looked into.

  • Multiple DHCP Servers - if your environment has multiple DHCP servers, users may experience difficulties when trying to log in using RADIUS. The system was not originally designed to communicate with than one DHCP server in any given environment, so this functionality is not currently supported. This issue is currently being looked into and will be addressed in the near future.
  • Multiple AD Domains - If your enviroment has multiple AD Domains, users may experience difficulties when trying to log in using RADIUS. The system was not originally design to communicate with more than one AD Domain in any given enviroment, so this functionality is currently not supported. We are looking to address this in the near future.