
Unable to authenticate SSL-VPN - but Userportal & IPSec works - ver19.0

Hello, we have a peculiar effect.
We received a username/password error from AD when using SSL RAS VPN.
IPSec-RAS-VPN and user portal work.
We tried the "old" open vpn client and connect 2.2.xx

We chose a very simple password: Kxxxxxxx45#... to no avail.
I'm running out of ideas...any advice?

greetings, Dirk



  • Hi Emmanuel,

    Thanks for your answer.

    Yes, we use SSL VPN with Sophos Connect Client (but try the old client too)

    We try "Kennwort45#" as password.

    It works with Connect+IPSec, but not with Connect+SSL or the old OVPN(SSL).

    The FW sends the password to AD and AD answers with "Incorrect username or password"

    Is there a "deep authentication debug" like in SG?

    Greetings, Dirk


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Just as a workaround: did you try to change the # to a ! ? Maybe a bug with # at the end of the password, or place the # at another position.

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 MR 2

    If a post solves your question please use the 'Verify Answer' button.

  • all password issues should have been fixed with connect client 2.2

    in 2.1 there have been issues with passwords like this:

    #secure  (# at the beginning)
    pass#?word  (combination of #? in the middle)
    Secure password  (blank / space character)
    pass\word  (backslash in the middle)

    # at the end should have worked.

  • Password issues should only occur in Sophos Connect not the OpenVPN client. So likely SFOS is blocking it. 

    Check authentication services settings, if you selected for SSLVPN the correct server. 


  • Hi,

    I see the authentication attempt at the correct AD-server. This server denies the authentication because username/password error.

    Is there some kind of deep authentication debug like within SG?


    Dirk


  • You can check the access_server.log first.

    If the information is not available, you can set the debug mode on, but I would suggest to do the investigation first without debug, as the debug mode will log a lot more information.

    Debug mode: service access_server:debug -ds nosync 

    (same command to disable)


  • Hello Dirk,

    Are you using MFA?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    we try it with 2FA disabled too.

    Which 2FA problems do we have to expect?
    I use 2FA within a lot of installations. But never using a provisioning file. 

    ... but the "old" openvpn client we use without provisioning ... and see the same problems. 


    Dirk


  • Hello Dirk,

    No issues with 2FA/MFA/OTP as far as I know.

    What does the access_server.log in debug mode show?

    Regards,


     
    Emmanuel (EmmoSophos)
  • Hi Emmanuel,

    I'll have to check with the customer next time I'm on site.

    Greetings, Dirk


    Dirk
