Heartbeat authentication failed : username without domain name maybe the cause- Live users disappear but still connected to vpn

Hello Julian,

Thank you for contacting the Sophos Community.

What do you see in the /log/access_log.log for this user?

For the SSL VPN you’re using two different types of authentication? 

As a suggestion, if you’re using Heartbeat and STAS for authentication, try to stick to only one type of authentication for the same segment of devices.

Regards,

Hi emmosophos,

I need to wait the next event to check in access&***;log, i will check today.

For VPN no we just use the AD authentication but when a user is connected using ssl, the authentication is SSL VPN but thought the AD. Some rules are created by using users

To avoid to have 2 authentication with STAS and SSLVPN for the same IP i added the subnet of the SSLVPN to the excluse subnet in STAS. 

But i have a lot of error for heartbeat in authentication TAB, for me i don't have any problem to use only the heartbeat for authentication of this user but how can i solve the error with heartbeat authentication? Why there is a lot of error? (Only error, never it's ok for heartbeat)

Thank you

Heartbeat uses a different auth method. The endpoint will strip the SAMAccountname and the used Domain and send it to the XG.

XG will look for a matching AD Server for this particular Domain.

If you are using .local internally but the endpoint strips .com, this causes this problem. 

If the Logviewer shows a Auth error because of no finding AD Server, this could be the issue. 

Hi,

The AD server working well and as i shown the authentication with VPN or STAS work fine. Why not with heartbeat? 

Hi,

The AD server working well and as i shown the authentication with VPN or STAS work fine. Why not with heartbeat? 

Please show your Logviewer screenshot of those failed logins. 

Oups here 

Seems like this user cannot be authenticated vs any AD configured in XG. Compared to the SSLVPN authentication, do you see a difference? in the Domain or something like that. 

For SSLVPN i configured it in authentication/service and select all AD Server, for heartbeat i don't found any option to change or configure. I don't understand why it can't have a successful authentication it's the same user and same server. 

XG tries your username (SAMAccountname) and fires it against all AD server, you configured on XG. Seems like 3 different AD Server are configured. 

It is important to notice the used domain on the XG in AD Servers. This will be attached and used against this AD server. Seems like this does not work. 

Looking at SSLVPN, it looks like it uses a UPN (Accountname + domain + top level domain). 

We have one domain with multiple subdomain it's why we have multiples AD servers. I need to use all AD in my case. It's working fine for SSL, why not for heartbeat? I assume that when you connect using sslvpn, XG will try all AD server..  

It seems like the user use the sub domain, which is not created on the XG? 

Yes all user is created and work because it's a user who use the VPN, the authentication work, in  this case the user is created on the xg but i don't know why the username isn't recognized  ?! so strange 

Let me rephrase my point: 

Endpoint extract the Username and the domain. 

Sends it to XG.

XG looks up the matching domain in the list of AD Servers. 

Sends AD user name to the matching AD Servers. 

The used domain on the endpoint could be different to the domains on the XG. 

Ok but how can i specify the domain to use? I don't understand why when we make a ssl connection, we just type the username and sophos can found the good domain to use...