Sophos XG Firewall: SSL VPN - Login failed. Wrong fingerprint of certificate.

Question

Hi there,

In an XG 115 with the software 18.5.1 MR-1-Build326 I entered several users under Authentication / User, only the entry that was entered with an older firmware is still able to log in via SSL. All users who are now entered are rejected with AUTH errors, so they cannot log in. I compared all entries, they are identical except for the relevant entries. The simple LOG entries are 'reason = "wrong credentials", but I can log in with the same access data, e.g. via the user portal.

In the forum I found the following entries to diagnose errors:

Select Option 5 (Device Management) > Option 3 (Advance Shell)
Run this command to put the access_server service in debug:
•   service access_server:debug -d -s nosync
Once you capture the access_server logs in debug, run the same command to put access_server service in normal running mode.
Run this command to check service status :
•   service -S | grep access_server
SFVUNL_VM01_SFOS 17.5.11 MR-11# service -S | grep access_server
access_server RUNNING,DEBUG

Using the command 'tail –f /log/access_server.log I was able to extract the following error:

ERROR     Oct 22 19:49:30.431855 [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 0
DEBUG     Oct 22 19:49:30.431868 [access_server]: pg_db_submit_response: Request Processed: res_type=-1
WARNING   Oct 22 19:49:30.431881 [access_server]: (check_crt_fingerprint): wrong fingerprint for user test1
DEBUG     Oct 22 19:49:30.431893 [access_server]: (send_pam_response): resp_code =3, clienttype=13, message='Login failed. Wrong fingerprint of certificate.'
DEBUG     Oct 22 19:49:30.431905 [access_server]: send_pam_response: message:'Login failed. Wrong fingerprint of certificate.', len:47, data:'Login failed. Wrong fingerprint of certificate.'

The user 'test' created with a different firmware version can log in with the same certificate without any problems. What has changed with the newer firmware versions that newer user entries can no longer connect or how can I prevent these errors?

I am grateful for every tip.

regards

Gerd Beckmann

This thread was automatically locked due to age.

Gerd Beckmann1 · Accepted Answer

Hello support and to everyone who dealt with my problem, 
 in the end I have to say that the fault was mine. I did not follow the correct order in which the authentication parameters were set up, and I probably did not read the manual very carefully either. 
 So here is the correct procedure: 
 1. Create user under Authentication / Users (group assignment etc.) 
 2. Log in to the user portal with this newly created user 
 3. Download the configuration under SSL VPN client 
 At this moment the XG will create and provide a user certificate, which can be seen under Certificates. 
 The login process is now possible. 
 It has already been described here: 
 community.sophos.com/.../per-user-certificate-how-to 
 
 In any case, I will never forget it. 
 Thank you again and have a great time! 
 Gerd

emmosophos · Answer

Hello Gerd, 
 Most likely the new users, are using in their password some invalid characters such as #,%, etc. 
 Try creating a new user with a simple password without special characters, see if that resolves the issue. 
 Regards,

Sophos XG Firewall: SSL VPN - Login failed. Wrong fingerprint of certificate.

Top Replies