Using XGS 6500 with Sophos connect client (2.1/2.2). If someone mistypes their password just once whilst logging in to the VPN it locks the AD account. AD logs suggest 4 failed attempts by the firewall to authenticate against 2 domain controllers.
Is this a setting anywhere? Surely one failed attempt (0x0000234) should result in a rejected login?
I've not attempted to increase the domain setting for failed attempts before lockout but has anyone had any experience of this issue?
Can you check the Log viewer under Authentication, and check how many authentications it tried in one session?
A possible cause might be that, after failing on DC1, it’ll try to authenticate on DC2 and so on until it gets locked out.
Erick Jan
Community Support Engineer | Sophos Technical Support
Erick Jan said: A possible cause might be that, after failing on DC1, it’ll try to authenticate on DC2 and so on until it gets locked out.
Yes, sounds just like that.
duggan1, can you post your SFOS version, please?
One entry in the log viewer for authentication failure, multiple on the DCs as I mentioned. We've got 2 DCs configured on the firewall, and the bad pwd count is always the same, 3 on the first DC listed and one on the second. It's definitely trying both, but surely on a 6A (bad password) return code it should stop? Something isn't right.
SFOS is 18.5.2 MR2 build 380.
Hello duggan1,
Please upgrade the firmware to the latest release, i.e. v18.5.4 MR-4: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v18-5-mr4-is-now-available
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Yeah planning to. Is this fixed in a later release? Don't see anything in release notes about it.
Upgraded to 19.0.1 MR1, problem still exists.
Adding to what has been mentioned, do you use OTP for SSL VPN?
Regards,
We do indeed.
Have worked around it by increasing the lockout threshold on the AD but it's still odd behaviour to my mind.
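Added example, not from any participant in this thread: a Python check for the pattern described above, where one authentication failure in the firewall log shows up as several bad-password events spread across the configured DCs. All records, names, timestamps and threshold values are constructed; 0xC000006A is the Windows bad-password status, and the sketch assumes every such event counts toward the domain lockout threshold.

```python
from collections import Counter
from datetime import datetime

BAD_PASSWORD = "0xc000006a"  # STATUS_WRONG_PASSWORD (the "6A" return code)

# Constructed sample: one failed VPN login as seen by the firewall.
FIREWALL_FAILURES = [("2022-08-01T09:15:02", "jdoe")]

# Constructed sample: failed-logon events exported from each DC
# as (timestamp, dc, user, status).
DC_EVENTS = [
    ("2022-08-01T09:15:02", "DC1", "jdoe", "0xC000006A"),
    ("2022-08-01T09:15:02", "DC1", "jdoe", "0xC000006A"),
    ("2022-08-01T09:15:03", "DC1", "jdoe", "0xC000006A"),
    ("2022-08-01T09:15:03", "DC2", "jdoe", "0xC000006A"),
    ("2022-08-01T11:40:10", "DC1", "asmith", "0xC000006A"),  # unrelated user
]


def amplification(fw_failures, dc_events, window_s=10):
    """Per firewall failure, count bad-password events on each DC for the
    same user within +/- window_s seconds (tolerates small clock skew)."""
    results = []
    for ts, user in fw_failures:
        t0 = datetime.fromisoformat(ts)
        per_dc = Counter()
        for ets, dc, euser, status in dc_events:
            delta = abs((datetime.fromisoformat(ets) - t0).total_seconds())
            if (euser.lower() == user.lower()
                    and status.lower() == BAD_PASSWORD
                    and delta <= window_s):
                per_dc[dc] += 1
        results.append({"user": user, "time": ts,
                        "per_dc": dict(per_dc),
                        "total": sum(per_dc.values())})
    return results


def locks_on_single_typo(result, lockout_threshold):
    """True if one mistyped password already meets the lockout threshold."""
    return result["total"] >= lockout_threshold


if __name__ == "__main__":
    for r in amplification(FIREWALL_FAILURES, DC_EVENTS):
        for threshold in (3, 5):  # constructed threshold values
            print(r["user"], r["per_dc"], "threshold", threshold,
                  "-> locks:", locks_on_single_typo(r, threshold))
```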