Hello,
I am dealing with this problem while trying to use external authentication via AD to manage IPsec user connections. I have created a group on my AD for the users I want to permit access; on the FW, under remote access, I have given permission to this group after importing it from AD.
I have other firewalls without any issue, but I cannot understand what is wrong with this setup.
I would appreciate any help.
I got this message in the logs when trying to authenticate to the IPsec VPN:
User user@mydomain.local failed to login to VPN through AD authentication mechanism because of access not allowed.
The AD connection tested OK; I could import the groups. I have a user that is included in the security group that I want to give VPN access.
This is the server_acesss.log portion:
SUCCESS Apr 20 18:10:42.472257Z [access_server]: (check_auth_result): user 'user@mydomain.local'(backend) Authenticated with server id '3'
ERROR Apr 20 18:10:42.479172Z [access_server]: handle_pam_authorization: VPN/SSLVPN/MYACC Authorization Failed, result_code=1
When on debug, I can see in the logs that the groups for the user are correctly enumerated.
Local authentication works without any issue.
Kind Regards,
CR
I have tried logging in to the user portal, and the login is OK, but then on authentication I see that the user is in the default group, and not in the allowed group that is on the AD server. I have made this group the main/principal group in AD, replacing "Domain Users".
CR
Hi Célio Rodrigues, thank you for reaching out to the Sophos community team. When a user signs in and none of the user's AD groups exist in the firewall, the firewall assigns the user to the default group.
Please check the FAQ section below to get details on how the priority of the AD user's group is defined on the XG side:
Active Directory doesn't add its primary group information to the user or group attributes. So, the information isn't added to the firewall.
docs.sophos.com/.../index.html
Regards,
Vishal Ranpariya
Technical Account Manager | Global Customer Experience
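To illustrate the point in the reply above (an added example, not code from the thread or from Sophos): AD records a user's primary group only as a RID in primaryGroupID and never lists it in memberOf, so any product that enumerates memberOf alone will not see it, whichever group is made primary. The directory entries below are constructed, and the assumption that the firewall's lookup reads memberOf is mine.

```python
"""Why a user's AD primary group is invisible to a memberOf-only lookup.

Constructed sample entries; the DNs, SIDs and RIDs are made up.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Group DN -> objectSid (last component is the group's RID).
GROUPS = {
    "CN=VPN-Users,OU=VPN,DC=mydomain,DC=local": f"{DOMAIN_SID}-1105",
    "CN=Domain Users,CN=Users,DC=mydomain,DC=local": f"{DOMAIN_SID}-513",
    "CN=Staff,OU=Groups,DC=mydomain,DC=local": f"{DOMAIN_SID}-1106",
}

# The user's primary group was changed from Domain Users (513) to VPN-Users
# (1105). AD stores that change ONLY in primaryGroupID; memberOf is untouched.
USER = {
    "sAMAccountName": "user",
    "primaryGroupID": "1105",
    "memberOf": ["CN=Staff,OU=Groups,DC=mydomain,DC=local"],
}

ALLOWED_DN = "CN=VPN-Users,OU=VPN,DC=mydomain,DC=local"


def groups_from_memberof(user):
    """Groups seen by a lookup that reads only memberOf (assumed firewall view)."""
    return sorted(user.get("memberOf", []))


def groups_with_primary(user, groups):
    """memberOf plus the primary group, resolved by matching primaryGroupID
    against the RID (last SID component) of each group's objectSid."""
    rid = user["primaryGroupID"]
    primary = [dn for dn, sid in groups.items() if sid.rsplit("-", 1)[1] == rid]
    return sorted(set(user.get("memberOf", [])) | set(primary))


def is_allowed(user, groups, allowed_dn, resolve_primary=False):
    """Authorization: permitted only if allowed_dn is among the groups seen."""
    seen = groups_with_primary(user, groups) if resolve_primary else groups_from_memberof(user)
    return allowed_dn in seen


if __name__ == "__main__":
    print("memberOf only:", groups_from_memberof(USER))
    print("with primary :", groups_with_primary(USER, GROUPS))
    print("allowed (memberOf only):", is_allowed(USER, GROUPS, ALLOWED_DN))
```

With memberOf alone the VPN group is absent and the check fails, which matches the "access not allowed" outcome in the thread; making VPN-Users a direct (non-primary) member of the group would put it in memberOf.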
Hello Vishal_R,
In AD I have set the primary group to the group I want to allow access, and even tried with the user being in only this group.
I will send you the access server log via PM.
Kind regards,
CR