Client Authentication Agent - You are not allowed to log in from this machine

After trying to log in to the CAA I get this message.

Credentials are AD domain credentials. I have tried both with OTP and without (after toggling OTP for user portal ON/OFF) but it makes no difference, in both cases I get the same message.

If I do enter an incorrect password, it will tell me Invalid username/password, so it looks like the password entered is correct.

Under Administration - Device Access I have enabled Client Authentication on LAN zone (which is where the client is also connecting). I have also enabled AD SSO on LAN zone to see if that changes anything but it doesn't seem to make a difference.

What am I missing?



This thread was automatically locked due to age.
  • Do you have simultaneous logins active? authentication - Services


  • I have it configured exactly as shown in your screenshot, so I assume that shouldn't be the problem.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • What about the user itself? There are also configuration options for login?


  • That is configured as "Use global settings", hadn't seen that screen yet though (due to auto import from AD).


  • Found the reason... For some reason the option "Mac Binding" was enabled on the AD imported groups and after that also on the authenticated user.

    Authentication worked only from the first MAC address, which was immediately set as the only MAC address from where the user was able to log in.

    Now disabled it for the users and also on the imported AD groups.
