This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN client unable to authenticate with OTP

We have Sophos XG125 firewall with the current firmware SFOS 18.0.5 MR-5-Build586.

Users have been imported from on-prem AD and are currently using L2TP VPN to connect remotely. The goal is to switch them to more secure SSL VPN with OTP (one-time password, aka MFA).

We are using Sophos Connect SSL VPN client current version:

Problem is, I can configure OTP/MFA for a local (non-AD synced) firewall account with Microsoft Authenticator app, and use it to connect via SSL VPN without any issues. But I cannot do the same with AD-synced accounts. I am able to go as far as the OTP setup, and can sign in to the firewall's User Portal WebUI with the OTP code. But I cannot connect with the SSL VPN client... getting authentication failures like this:

messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="NAME REDACTED" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="wrong credentials" src_ip="IP ADDRESS REDACTED" message="User NAME REDACTED failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials" name="" src_mac=""

Any suggestions would be helpful!

This thread was automatically locked due to age.

Top Replies

FormerMember over 4 years ago +1

Hey, Thanks for reaching out to Sophos Community Can you check whether the AD server is selected for the SSL VPN authentication? Navigate to Authentication > Services > 'SSL VPN authentication methods…

0 FormerMember over 4 years ago

Hey, Thanks for reaching out to Sophos Community

Can you check whether the AD server is selected for the SSL VPN authentication?

Navigate to Authentication > Services > 'SSL VPN authentication methods' and ensure that the on-prem AD server is selected.

Also, confirm that in the log viewer authentication events, Do you see the username with the @domianname or just the username? (of the failed auth event)

0 Service TAG over 4 years ago in reply to FormerMember

Hello Devesh, thank you for the reply.

- On-prem AD server is indeed selected in SSL VPN auth methods as a secondary source (Local is primary)

- Failed authentication log entry looks like this:

2021-08-17 22:25:10

SSL VPN Authentication

Failed

username@ourdomain.ca

[public IP]

N/A

Local,AD

User username@ourdomain.ca failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials

17711

- Interestingly enough, another tech trying the same account sign-in from a different PC and IP address gets authenticated correctly, but only on the second attempt:

Authentication	2021-08-18 01:28:40	Firewall Authentication	Successful	username@ourdomain.ca	[Local IP]	SSLVPN		User username@ourdomain.ca of group [Group name] logged in successfully to Firewall through authentication mechanism from [Local IP]	17701
Authentication	2021-08-18 01:28:39	SSL VPN Authentication	Successful	username@ourdomain.ca	[Public IP]	N/A	AD	User username@ourdomain.ca authenticated successfully to login to SSLVPN through AD authentication mechanism	17710
Authentication	2021-08-18 01:27:37	SSL VPN Authentication	Failed	username@ourdomain.ca	[Public IP]	N/A	Local,AD	User username@ourdomain.ca failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials	17711

Any other suggestions?

0 FormerMember over 4 years ago in reply to Service TAG

Hey, Sorry for the late response, This post didn't show up in my feed. Can you check the Access_server logs for this behavior?

Get the SSH Access. Navigate to Option 5 > Option 3 Advanced shell --> tail -f /log/access_server.log

Attempt to login and share the logs