Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 38 subscribers
  • Views 27188 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to diagnose Client Authentication login failures ?

Slawski

I have created a few local user and one of them is getting Firewall Authentication FAILED although he can log into User Portal. Any clues ? How to check why Authentication Client does not work.



Edited Tags
[edited by: Erick Jan at 11:08 PM (GMT -7) on 15 Sep 2022]
  • 0
    Are you able to authenticate the same user with Captive portal (ip:8090)
  • 0

    Hi Slawek!

    From the details your post, I'm assuming that you're asking about why the authentication method might be failing, rather than the authentication interface of Sophos XG Firewall itself.

    The most common reason why this authentication might not work is that the user isn't in the proper group (which effects what policies apply to them). Please check to see if the user is placed with a group that is allowed to access or even log in. The steps to do so are found in this Knowledgebase Article (KBA): https://community.sophos.com/kb/en-US/123050

    If this isn't the issue, the reason why a user might be getting Firewall Authentication Failure will be different based on the Authentication Method Used. There is a list of Authentication methods used by normal users in the KBA Article I mentioned above. Here's a list of the common authentication methods used by Normal Users:

    • General Authentication Clients (GAC) – For all Windows, Macintosh, Linux.
    • Clientless and Client-based Single Sign On (SSO) - for AD users
    • Sophos Authentication for Thin Client (SATC) - for Citrix XenApp and Microsoft Windows Server 2003, 2008 & 2012 Remote Desktop Services (formerly, Terminal Services)
    • NT LAN Manager (NTLM) – for Windows users
    • Captive Portal

    There are also KBA's available that can help you. These KBA's are attached to the methods above, which can be found through the search function at the top of the Community Website. This can be done by clicking the search box, clicking the "anywhere" bubble, and then typing in any of the methods above and it will show results with the appropriate article(s).

    Feel free to post in this thread again if you require further guidance or help!

  • 0 in reply to DJ Kim
    Well, it was something unexpected for me. I have defined Clientless User for IP I was trying to log from. After I deleted Clientless User definition - Authentication Agent logged me in.

    I thought that any form of user authentication will have a priority over Clientless User but it appears that I was wrong. Once I define a clientless user for a specific IP - I can use Authentication Agent on that device.

    I haven't checked if I can use Captive Portal.

    Still - message in the log is a little bit misleading or maybe the information is not enough for investigation.

    Regards,
    Slawek

Unfiltered HTML