Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

20.0.0 GA to 20.0.2 MR2 378 - Sophos Connect - SSL VPN - AD Groups not added on authentication

After upgrading the XG 210 to SFOS 20.0.2 MR2 build 378, we now have the issue that firewall rules for AD group VPN users no longer work for some SSL VPN users belonging to the AD VPN Users group. We know that IPsec doesn't work with AD groups, but SSL VPN used to work with AD group membership rules up to this update. We do not use Remote Access VPN - IPsec.

Users now receive the Open Group as primary and no other groups are added. We have AD groups VPN Administrators, VPN Power Users and VPN Users, in descending order. Somehow not all users are affected. The VPN Users group on the XG has some members shown on the XG that are not affected (they are also shown when not logged in, or not logged in for quite some time); all others, which are not shown, don't have the additional groups added on login with Sophos Connect and are affected.

I cannot add the users to the VPN Users group on the XG as the membership doesn’t last. 

Is this a known bug? Do I now have to administer SSL VPN users locally?

TIA,

Fred



Added TAGs
[edited by: Raphael Alganes at 8:40 AM (GMT -8) on 23 Dec 2024]
  • This sounds like an AD issue to me. 
    You could try to authenticate one user, check the access_server.log on the CLI and doublecheck what groups are delivered by AD. 

    Also double check the AD Server config, if you have multiple AD Servers, maybe one of those servers is not delivering the correct information anymore. 

    Are you using RADIUS or anything else?


  • Hi LuCar Toni,

    This worked perfectly up to the update. Domain users don't exist locally on the XG. The AD authentication is working, as they can connect and I see their successful logon in the XG log through AD authentication. Just the list isn't populated anymore for some users. There are no errors in the security log of the AD DC.

    I checked, as per your advice, the console access_server.log and found these errors with an affected user. I replaced the user name with domainuser and the local Sophos VPN IP lease with "VPN Subnet IP address":

    SUCCESS Dec 27 09:37:30.281957Z [access_server]: (check_auth_result): user 'domainsuser@domain.local'(backend) Authenticated with server id '4'
    MESSAGE Dec 27 09:37:30.283662Z [OTP_AUTH]: (otp_code_correct): Will verify code 927530 for user domainsuser@domain.local
    MESSAGE Dec 27 09:37:30.488973Z [OTP_AUTH]: (otp_handle_short_password_success_request): ACCEPT1 for user domainsuser@domain.local domainsuer
    SUCCESS Dec 27 09:37:30.489000Z [access_server]: (check_auth_result): user 'domainsuser@domain.local'(backend) Authenticated with server id '4'
    ERROR Dec 27 09:37:30.489372Z [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 1
    /_conf/csc/auth_utility update_usergrouprel "{ \"userid\": 38, \"groupid_list\" : [ 10,7,12,14 ] }"
    buffer : status 0
    ERROR Dec 27 09:37:30.514611Z [access_server]: (config_resolve_datatransferid): Datatransfer Policy 0 not found
    MESSAGE Dec 27 09:37:30.725220Z [access_server]: ippool_submit_request: IP lease request
    ERROR Dec 27 09:37:30.725252Z [IP_POOL]: ippool_handle_leaseip_request: lease request for unsupported client
    ERROR Dec 27 09:37:30.725259Z [IP_POOL]: ippool_handle_leaseip_request: Unable to lease IP address to user domainsuser@domain.local
    ERROR Dec 27 09:37:30.725642Z [POSTGRES_DB]: pg_db_handle_sslvpn_max_allowed: row count: 0
    /_conf/csc/auth_utility login_user "{ \"groupid\": [\"10\",\"7\",\"12\",\"14\"], \"userid\":\"domainsuser@domain.local\",\"liveuserid\":\"869\",\"ipaddress\":\"VPN Subnet IP address\",\"bwpolicyid\":\"\",\"webfilterid\":\"Allow All\",\"appfilterid\":\"Allow All\",\"starttime\":\"32460968\",\"clienttype\":\"13\",\"setname\":\"lusers\",\"addr_family\":\"2\",\"ismicroapp\":\"1\",\"authservername\":\"\",\"macaddress\":\"\",\"logintime\":\"2024-12-27 10:37:31\" }"
    buffer : status 0

    One of the affected users is using Sophos Connect service version 2.3.2.0927 with strongSwan 5.9.5 and VPN service 2.6.10.0. An unaffected user is using the same version, so it isn't the client version.

    Should I raise this with Sophos?

    Fred
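The check suggested above (authenticate one user, then read the group IDs the firewall delivered out of access_server.log) is easy to do by hand for one user but tedious across a whole VPN Users group. The script below is an added example, not code from the post or from Sophos: it parses lines in the shape of the quoted access_server.log excerpt, pulls the group ID lists out of the `update_usergrouprel` and `login_user` calls, and lists users for whom no group was pushed. The sample log is constructed: the first user mirrors the excerpt above (groups 10,7,12,14), the second user is invented to show what an empty group list looks like. It assumes that the `update_usergrouprel` line following a `check_auth_result` success belongs to that user, which holds when logins do not interleave.

```python
"""Summarise which AD group IDs the firewall pushed per SSL VPN login.

Added example, not part of the forum post. Reads access_server.log-style
lines and attributes update_usergrouprel / login_user group lists to users.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the excerpt quoted in the post.
# User 1 mirrors the excerpt; user 2 is invented to show an empty group list.
SAMPLE_LOG = r'''
SUCCESS Dec 27 09:37:30.281957Z [access_server]: (check_auth_result): user 'domainsuser@domain.local'(backend) Authenticated with server id '4'
ERROR Dec 27 09:37:30.489372Z [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 1
/_conf/csc/auth_utility update_usergrouprel "{ \"userid\": 38, \"groupid_list\" : [ 10,7,12,14 ] }"
buffer : status 0
ERROR Dec 27 09:37:30.725259Z [IP_POOL]: ippool_handle_leaseip_request: Unable to lease IP address to user domainsuser@domain.local
/_conf/csc/auth_utility login_user "{ \"groupid\": [\"10\",\"7\",\"12\",\"14\"], \"userid\":\"domainsuser@domain.local\",\"liveuserid\":\"869\",\"ipaddress\":\"VPN Subnet IP address\",\"clienttype\":\"13\" }"
buffer : status 0
SUCCESS Dec 27 09:41:02.000000Z [access_server]: (check_auth_result): user 'otheruser@domain.local'(backend) Authenticated with server id '4'
/_conf/csc/auth_utility update_usergrouprel "{ \"userid\": 41, \"groupid_list\" : [ ] }"
buffer : status 0
/_conf/csc/auth_utility login_user "{ \"groupid\": [], \"userid\":\"otheruser@domain.local\",\"liveuserid\":\"870\",\"ipaddress\":\"VPN Subnet IP address\",\"clienttype\":\"13\" }"
buffer : status 0
'''

AUTH_RE = re.compile(
    r"\(check_auth_result\): user '([^']+)'\(backend\) Authenticated with server id '(\d+)'"
)
# auth_utility <verb> "<JSON with escaped quotes>"
UTIL_RE = re.compile(r'auth_utility (\w+) "(.*)"\s*$')
ERR_RE = re.compile(r"^ERROR .*?\[(\w+)\]: (.*)$")


@dataclass
class LoginRecord:
    user: str
    server_id: str = ""
    db_userid: Optional[int] = None
    groups_pushed: List[int] = field(default_factory=list)    # update_usergrouprel
    groups_at_login: List[int] = field(default_factory=list)  # login_user
    errors: List[str] = field(default_factory=list)


def _payload(escaped: str) -> dict:
    """The log shows the JSON argument with \\" escapes; undo them and parse."""
    return json.loads(escaped.replace('\\"', '"'))


def parse_access_server_log(text: str) -> Dict[str, LoginRecord]:
    records: Dict[str, LoginRecord] = {}
    current: Optional[LoginRecord] = None  # most recently authenticated user
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTH_RE.search(line)
        if m:
            current = records.setdefault(m.group(1), LoginRecord(user=m.group(1)))
            current.server_id = m.group(2)
            continue
        m = UTIL_RE.search(line)
        if m:
            verb, data = m.group(1), _payload(m.group(2))
            if verb == "update_usergrouprel" and current is not None:
                # Assumption: this call belongs to the last authenticated user.
                current.db_userid = data.get("userid")
                current.groups_pushed = [int(g) for g in data.get("groupid_list", [])]
            elif verb == "login_user":
                rec = records.setdefault(data["userid"], LoginRecord(user=data["userid"]))
                rec.groups_at_login = [int(g) for g in data.get("groupid", [])]
            continue
        m = ERR_RE.match(line)
        if m and current is not None:
            current.errors.append(f"[{m.group(1)}] {m.group(2)}")
    return records


def users_without_groups(records: Dict[str, LoginRecord]) -> List[str]:
    """Users for whom neither call carried any group ID: the 'Open Group only' case."""
    return sorted(u for u, r in records.items()
                  if not r.groups_pushed and not r.groups_at_login)


if __name__ == "__main__":
    recs = parse_access_server_log(SAMPLE_LOG)
    for rec in recs.values():
        print(f"{rec.user}: server {rec.server_id}, pushed {rec.groups_pushed}, "
              f"at login {rec.groups_at_login}, errors {len(rec.errors)}")
    print("no groups pushed:", users_without_groups(recs))
```

Run it against a real capture by replacing `SAMPLE_LOG` with the file contents; group IDs can then be matched against the group list on the firewall to see which AD groups did or did not make it through for each user. Lines attributed to a user only by sequence (the `update_usergrouprel` call and ERROR lines) should be double-checked by timestamp if several users log in at the same moment.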
