User Portal Auth Not Working

Hello,
I finally migrated over from v17 to v18.
I use the VPN functionality so it is critical the users can log into the User Portal to download the required assets for remote access.
Since migrating to v18 I cannot get ANY authorized users to log into the User Portal. I check the log and it says credentials are invalid. But they are not!!

I spun up a clean VM of v18, created a user and no problem logging into the User Portal.

I then restore my previous v18 config and once again the User Portal is locked out.

 

Another issue I am having is I cannot delete a user. This user was an AD user and when I try to delete I get a message stating that the user has a firewall rule, web rules etc. associated with it. I searched EVERYWHERE and cannot find the reference.

Any help would be HIGHLY appreciated. I have already spent way too much time on this.

Thank You,
Peter Geremia
PS. I am dreading my only alternative, which is to hand build from scratch....

  • Hi,

    As you mentioned you are using VPN: if the user is selected in "Sophos Connect Client" (Remote access VPN), then you may also not be able to delete that user.

    For the login failure due to the "Invalid Credential Error", you may confirm the access_server debug logs, and you may collect a PCAP on the AD server IP on the XG, recreate the error or issue, and confirm the logs during the issue timestamp.

    1) #service access_server:debug -ds nosync (the same command will revert the status of the service to normal)

    2) PCAP KBA:

    https://community.sophos.com/kb/en-us/127647

  • In reply to Vishal_R:

    V18 implemented a new service source for the User Portal.

    If you have multiple authentication servers, check Authentication > Services to see whether the correct authentication source is selected for User Portal authentication.

  • In reply to Vishal_R:

    At this point I removed the AD server. I changed all auth (under Authentication/Services) to local auth.

    I created a NEW user.

    I cannot log into the User Portal.

    Again, as I mentioned before, doing the same on a FRESH copy of V18, I can create the user and log into the User Portal.

    Any help would be HIGHLY appreciated as I am dreading the rebuild from scratch.

    I have a TON of items in Hosts and Services that would all have to be re-entered manually. And I have a lot of firewall rules as well.

    Thank You,

    -Pete

  • In reply to LuCar Toni:

    I really dumbed down this use case by removing AD from my v18 instance and changing all auth to local.

    1. I still cannot log into the User Portal even with a newly created user account.

    2. I still cannot delete the old account because it says it is in some firewall rule etc. I checked everything and cannot find the reference.

    I think the two issues may be related.

    I have a feeling this is a migration issue. I migrated from 17.5 to 18.0.1. Maybe something went wrong.

    How can I debug this?

    Thank You,

    Pete

  • In reply to Peter Geremia:

    In cases like this if I have to completely reconfigure my firewall from scratch, is it possible to export things like firewall and NAT rules as well as hosts and services?

    If I could do that then a rebuild would not be as painful.

    I do believe this issue has something to do with the migration from 17.5 to 18.

    Thank You,

    Peter Geremia

  • Hi Peter,

    Try the below. I had the same issue and figured out that MAC BINDING was enabled under AUTHENTICATION -> SELECT THE USER, and it was blocking the credentials. Try disabling it and then see if the user can log in. If you need it on, enable it after they have logged in and it will save the new MAC address, but they will need to use that MAC when connecting again, so if they connect via LAN they won't be able to connect via WLAN unless you create a list under the ENABLE section.

  • In reply to KyleVM:

    Hello,

    Well, I finally figured it out. I guess I turned on One-Time Password (for all users). I did not realize that even if you don't DEFINE an OTP for a user, it is still expecting one!!!!

    Once I shut off OTP I could log in.

    I will turn it back on and make sure I define an OTP for all users.

    Thanks for the help. I appreciate it!

    -Pete