How to diagnose Client Authentication login failures ?

Hi Slawek!

From the details your post, I'm assuming that you're asking about why the authentication method might be failing, rather than the authentication interface of Sophos XG Firewall itself.

The most common reason why this authentication might not work is that the user isn't in the proper group (which effects what policies apply to them). Please check to see if the user is placed with a group that is allowed to access or even log in. The steps to do so are found in this Knowledgebase Article (KBA): https://community.sophos.com/kb/en-US/123050

If this isn't the issue, the reason why a user might be getting Firewall Authentication Failure will be different based on the Authentication Method Used. There is a list of Authentication methods used by normal users in the KBA Article I mentioned above. Here's a list of the common authentication methods used by Normal Users:

• Clientless and Client-based Single Sign On (SSO) - for AD users

• Sophos Authentication for Thin Client (SATC) - for Citrix XenApp and Microsoft Windows Server 2003, 2008 & 2012 Remote Desktop Services (formerly, Terminal Services)

• NT LAN Manager (NTLM) – for Windows users

• Captive Portal

There are also KBA's available that can help you. These KBA's are attached to the methods above, which can be found through the search function at the top of the Community Website. This can be done by clicking the search box, clicking the "anywhere" bubble, and then typing in any of the methods above and it will show results with the appropriate article(s).

Feel free to post in this thread again if you require further guidance or help!

Hi Slawek!

From the details your post, I'm assuming that you're asking about why the authentication method might be failing, rather than the authentication interface of Sophos XG Firewall itself.

The most common reason why this authentication might not work is that the user isn't in the proper group (which effects what policies apply to them). Please check to see if the user is placed with a group that is allowed to access or even log in. The steps to do so are found in this Knowledgebase Article (KBA): https://community.sophos.com/kb/en-US/123050

If this isn't the issue, the reason why a user might be getting Firewall Authentication Failure will be different based on the Authentication Method Used. There is a list of Authentication methods used by normal users in the KBA Article I mentioned above. Here's a list of the common authentication methods used by Normal Users:

• Clientless and Client-based Single Sign On (SSO) - for AD users

• Sophos Authentication for Thin Client (SATC) - for Citrix XenApp and Microsoft Windows Server 2003, 2008 & 2012 Remote Desktop Services (formerly, Terminal Services)

• NT LAN Manager (NTLM) – for Windows users

• Captive Portal

There are also KBA's available that can help you. These KBA's are attached to the methods above, which can be found through the search function at the top of the Community Website. This can be done by clicking the search box, clicking the "anywhere" bubble, and then typing in any of the methods above and it will show results with the appropriate article(s).

Feel free to post in this thread again if you require further guidance or help!

Well, it was something unexpected for me. I have defined Clientless User for IP I was trying to log from. After I deleted Clientless User definition - Authentication Agent logged me in.

I thought that any form of user authentication will have a priority over Clientless User but it appears that I was wrong. Once I define a clientless user for a specific IP - I can use Authentication Agent on that device.

I haven't checked if I can use Captive Portal.

Still - message in the log is a little bit misleading or maybe the information is not enough for investigation.