Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSO Client Issues

Hi Guys. I've been experiencing issues with STAS, mainly to do with multi-homed clients (laptops plugged in via LAN and also on wireless).

Anyway, to try and get around this issue I've been attempting to get the SSO Agent working on these devices instead.

I've configured the client as per the guide here. However i do not see any authentication information from that client on the XG Box. After some digging, i discovered the log file for the SSO Agent (it lives in %appdata%/Sophos btw).  The first part of the log looks good, i can see it query the DC and get all the domain info etc etc, but after that i get the following:

Sending request size = 230
No Response From Server

This repeats over and over.

I've double/tripple/quadruple checked the config, tried changing from FQDN to Netbios domain name, disabled local firewall but nothing seems to change what i see in the log.

I've currently got tech support looking at this, however I've got a client breathing down my neck so thought I'd reach out to the community to see if anyone has any ideas or other avenues I can look down in regards to troubleshooting?

I can provide more logs if necessary.

Many Thanks

Josh



Edited Tags
[edited by: Erick Jan at 11:38 PM (GMT -7) on 15 Sep 2022]
Parents
  • Hi Josh,

    Correct me if I am wrong but you seem to be indicating you are trying to install the STAS (SSO Client) on all PC's, this is not how the SSO works you only install it on the AD Servers them selves.

    If you are trying to install an authentication client on the individual PC's you should be using is the "Authentication Client" which can be downloaded from the User Portal on the appliance.

    https://community.sophos.com/kb/en-US/123015

    The client is available for Windows, Mac OSX, Linux, iOS and Android.

    Another option which might assist is implementing the WiFi with WPA2/Enterprise, this would allow you to use the RADIUS SSO to capture authentication events from the WiFi environment.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hi Leon

    I think things have become confused here.

    There are two types of SSO which i believe historically have come from the Cyberoam side

    1. Clientless SSO or CTA, which uses the STAS software on the server and does not require any software on the client PC's. STAS watches the security log on the server and when it sees a logon event, it ties the username to the workstations IP address and sends this to the XG.
    2. Client-based SSO which uses an agent that runs on the Client PCs. You set it up in a login script and it runs at logon to authenticate the client. As per this guide.

    I am having issues with SSO (1 above). Because some of the client PC's have both WLAN and LAN connected,  the username/ip address matching only works on the interface over which the initial logon happened. If the client device then decides to use the other connection, the XG has no IP Address to username mapping for that IP.

    Anyway to get around this, I thought the Client based SSO (2 above) might be worth a shot, however this is where I am having the issue mentioned in the original post.

  • Hi Leon

    OK thats interesting, however I dont think thats too useful for me at this point.

    I have found a way to run a task based on a network change. This is good. However, this brings me on to my next issue, what should i actually get this task to do? I am assuming I would want it to run the authentication client (local client) again?

    The other issue is that I still haven't made the local agent work yet, (see my original post).

    Thanks.

  • We have SSO local clients working properly. The IP of the UTM/XG has to be the default gateway in the PC or you must add a route in the PC (or intermediate L3 switch) for the IP 1.2.3.4 pointing to the UTM/XG. The client uses the fake destination IP 1.2.3.4 to talk to the UTM/XG. I hope this helps.

  • Hi Jose

    It was my understanding that the 1.2.3.4 IP only related to the Astaro based authentication client, not the Cyberoam one?

  • Hi Josh,


    Not sure about it but I know the SSO client as well as the Wifi AP, both use that IP 1.2.3.4 to talk to the UTM/XG. Is the XG the default GW for each PC? If not, just add a route to 1.2.3.4/32 pointing to the XG Lan IP address.

  • Hi Jose

    There are two clients you can use for the SSO, one is the one based on the Astaro System, the other is the one based on the Cyberoam system:

    I am trying to use the Cyberoam one, the Cyberoam one allows you to specify the Address of your Firewall using a config file rather than messing around with silly fake IP addresses (what company with more than 50 workstations doesnt use a layer 3 network??)

    The Cyberoam one also (according to what I can work out needs no intervention from the end user to Authenticate, it runs at login automatically. Correct me if I am wrong but the Astaro based client does run at logon, but pops up a login box? If that is still the case its useless for me.

    I will use whatever client best suits my need as long as I can make it work!

    Many Thanks

    Josh

  • We have used Lightspeed system webfilter fairly regularly (maybe i should have used on for this install??) and they seem do the agent thing in a much more sensible way, here's the description.

    You customise the installer MSI with the details of your web filter (using their own simple to use tool) and then just do a simple group policy install and thats it, you never see it again, it just runs in the background. It doesnt care how many IP interfaces the client has got, if the client is logged into more than one machine,it just works.

    Regards

    Josh

  • Hi Josh,

    Just to clarify, the XG Firewall does not limit the number of IP Addresses a user is associated to and even supports session based users identification in Terminal Server environments using the SATC client.

    Your chosen authentication methods here are based on login events against active directory, if users move from one network or ip address to another without generating a login event then the change is not tracked. The STAS does support identity checking for unknown ip addresses using WMI which does require AD permissions and appropriate firewall rules through out the network. Otherwise you will get DCOM errors as the Collector is unable to check the user ID for PCs. (Which is what you are seeing)

    In most networks I get involved with the STAS with the WMI polling is very reliable for corporate machines, the idea is that you do not actually need to install or run something on the client.

    As mentioned earlier in the chain there is another authentication mechanism in the form of a General Authentication agent, this behaves a lot more like what you describe in that is caches user credentials and update the UTM when it connects to it, this does not actually require an ad login event, the username and password combination though can be processed against the active directory.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Leon Friend said:

    ...As mentioned earlier in the chain there is another authentication mechanism in the form of a General Authentication agent, this behaves a lot more like what you describe in that is caches user credentials and update the UTM when it connects to it, this does not actually require an ad login event, the username and password combination though can be processed against the active directory.

    Yes and this is now what I am trying to make work, and I will only need it for a subset of my users as STAS has been working for the rest.
    So the question is, how to I make AGENT/CLIENT based authentication work?
    Regards
    Josh
  • Hi Josh,

    The Astaro client pops up a login box the first time you log on and you have an option to hide the login box until next password change. It supports multiple IP addresses (IPV4 and IPV6) per client.

  • Hi Jose

    So will this box pop up each time a user logs into a computer and do they have to input their credentials each time?

Reply Children