Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 37 subscribers
  • Views 5513 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Admin login - Login failed (for GUI only)

JasP

I can login to XG with my administrator account (which uses AD and DUO 2FA) but recently had an issue where I needed to use the admin account and found it didn't work. I don't usually use admin login so I'm not sure when this broke.

The password is definitely correct as I can login to the console with it. It is being accessed via the LAN so it shouldn't be a captcha issue. I don't remember ever setting up MFA for that account and you can't check because the section for this says you have to be logged on as admin to view/change it! I did notice there was a MFA token for the admin account so I tried resetting that from the console

Still got the same issue when I tried to login to the GUI with the admin account (although the admin MFA token has been deleted).

The Admin log file just says "User admin failed to login to Web Admin Console because of wrong credentials"

Although I know the password is correct, I did try changing the password from the GUI and got the following:

Obviously HTTPS Device Access is enabled otherwise I wouldn't be able to login with my administrator account. I have the same issue with 18.5MR2 and 19.0EAP2

Where do I go from here? If my AD isn't available I need to be able to login with the admin account.



This thread was automatically locked due to age.
  • 0

    Hi JasP,

    Please try with below settings 

    Hope this might help 

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    I did try some of these settings  (but forgot to mention it in my original post). I've now turned off everything as per you post but still can't login with admin. Thanks for the suggestion though.

  • +1 in reply to JasP

    Hi JasP, 

    If MFA is disabled under System --->Admininistration --->Device Access 

    RESET the admin password with console access and try  

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    Hurrah!

    The first part you can't do because you can only access that setting when logged in with the admin account, bit of a catch 22!

    However, resetting the password via the console generated a new MFA token and I was prompted to setup MFA when I then tried to login.

    Working through this now I have it working I have realised the following:

    • I had previously setup MFA for the admin account (I even found it in my authenticator app after this was fixed!) I had forgotten I had set it up because it is a new feature and I haven't used the admin account since I set it up six weeks ago and there is no visual clue that it is needed on the login screen.
    • Sophos, as usual, seems to have implemented this in a different way to everybody else! Any other website/application I have used, prompts you for the MFA on a second screen after you have entered your username and password. Having to add it the password is a bit of an opaque way of doing it and it doesn't make it obvious that MFA is required.
    • You can't see if MFA is turned on for the admin account if you aren't logged in with the admin account. Even if you don't want other admin accounts changing the setting, it should at least display if it is turned on or not.
    • Selecting Option 7 "Reset multi-factor authentication for Admin user" (see my first post) deletes the token for the admin account but doesn't cause the XG to prompt to setup MFA again. Is this a bug? I don't see the point of this option if it only deletes the token because all it is doing it in effect is breaking MFA for the admin account as without a token, MFA can't work.

    Thanks for your help with this . I realise now that the main problem was of my own creation but hopefully this post may be of use to someone else. It may also be that Sophos need to look at Option 7 again to see if it is working as expected.

Unfiltered HTML