

Sophos (XG) Client Authentication Agent

Hallo all,

I am currently looking for a lean solution to build a rule per firewall that only applies to authenticated users. I have connected the firewall to the AD and installed the "Client Authentication Agent" on the (Windows) client. The user authenticates himself against the AD via the firewall and the rule with "Match known users" takes effect. So far everything is fine.

The small hook comes now. The whole thing must run on 40 firewalls. For the whole thing to work with multiple firewalls, I would have to import the "ClientAuthentication_CA" certificate from each firewall into the client. Then I would have 40 Sophos CA certificates on each client, which I would consider very unattractive.

I have used the CLI (/conf/certificate/internalcas/ClientAuthentication_CA.*) on a test box to replace the certificates with the certificates from another box. When I then try to download the certificate in webadmin, I get the new certificate. However, the authentication itself still has the old certificate. So unfortunately, it is not so simple...

Is there a way to export the "ClientAuthentication_CA" certificate of one firewall and import it into the other firewalls?

BR,

Ben



  • Hi, after replacing the cert under CLI (/conf/certificate/internalcas/ClientAuthentication_CA.*) on a test box, have you tried restarting the authentication service once? I believe that should fix the issue!

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    unfortunately not, I restarted the "redis-auth" service and also the whole firewall. The Authentication Agent on the firewall still expects the old certificate. Do you have another hint?

    Thanks,

    Ben


  • Hi Vishal,

    if I also copy the files /conf/certificate/internalcerts/ClientAuthentication_cert.* to my test firewall, the client authentication client works (after a reboot of the firewall). Which process do I have to restart (authentication service)?

    But the ClientAuthentication_cert will expire at the end of 2024. To check whether the renewal process with the cloned CA will work, I tried to generate a new certificate with this script: /scripts/certificate/generateCert.sh

    If I start the script with these parameters:

    /scripts/certificate/generateCert.sh ClientAuthentication_cert ClientAuthentication_CA UK NA NA NA NA "Sophos Client Authentication CA" "/conf/certificate/internalcas/" 2048

    I receive this error message:

    Using configuration from /static/system/certificate/openssl.cnf
    ERROR:name does not match /C=UK/ST=NA/L=NA/O=NA/OU=NA/CN=Client Authentication Cert
    Ignoring -days; not generating a certificate
    Error Loading request extension section v3_req
    4154185472:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:crypto/x509v3/v3_alt.c:533:
    4154185472:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=2048

    Can you please advise me how to renew the certificate?

    Thanks,

    Ben

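An added sanity check for the cloning approach described above (example code written for this thread, not Sophos' own tooling): it verifies with openssl that a copied ClientAuthentication_CA and ClientAuthentication_cert actually belong together, compares CA fingerprints so the copy on each firewall and client can be confirmed identical, and flags the leaf certificate when it is close to expiry. The firewall paths are only mentioned in comments; the block works on constructed sample certificates in a temporary directory.

```shell
#!/bin/sh
# Added example: check a cloned CA / leaf pair before rolling it out to
# further firewalls. Stand-ins for the files that would be copied from
# /conf/certificate/internalcas/ and /conf/certificate/internalcerts/.
set -u
WORK="$(mktemp -d)"

# Constructed test material: a CA, a leaf signed by it, and an unrelated CA
# (as found on a firewall whose files were NOT cloned).
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Sample Client Authentication CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Sample Client Authentication Cert" \
    -keyout "$WORK/cert.key" -out "$WORK/cert.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/cert.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Other Firewall CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# pair_ok CA LEAF KEY: succeeds only if LEAF chains to CA and KEY is LEAF's
# private key; a CA copied without its matching leaf (or vice versa) fails.
pair_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]
}

# ca_fingerprint FILE: SHA-256 fingerprint, to compare the CA exported from
# each firewall's webadmin with the one installed on the clients.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# expires_within CERT DAYS: succeeds if CERT's notAfter is within DAYS days
# (openssl -checkend returns 0 when the cert will still be valid then).
expires_within() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 && return 1
  return 0
}
```

Run `make_sample_pair` first, then use `pair_ok`, `ca_fingerprint` and `expires_within` on real files copied off the firewall.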

  • Hi, for your query on the restart: the authentication service can be restarted from the UI via Configure > System Services > Services > Authentication > Restart

    OR From shell via the below command:

    #service access_server:debug -ds nosync

    Regarding the 2nd query on renewing the certificate (ClientAuthentication_CA), I may need to do some tests and research on my LAB device and will confirm if there are any possibilities on the same!

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello Vishal,

    thanks for your reply. Did you find a solution to create certificates with the cloned CA?

    Cheers,

    Ben


  • Hi, unfortunately not... I tried to renew it, extending it by a certain number of days by giving a -days argument (by searching the syntax in some blogs), and it was not successful.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
