
Client Authentication Agent for macOS 10.15 not working

Brand new XG deployment. Attempting to get the Sophos Client Authentication Agent (v2.1.0) to work on our Macs. We have 10 Macs running macOS 10.14.6 and higher.

On my Mac (running macOS 10.15.5 (Catalina)) I logged into the XG User Portal, downloaded and installed the macOS Authenticator.

From the icon at the top right of the screen I select 'Set Credentials'. The dialog box that pops up looks whacked. The top of the logo is sliced off and appears at the bottom of the window. Others have mentioned this. You cannot read any of the text unless you switch off dark mode.

I enter my user name and password, check the Save Password box and click OK.

I assume at this point you're now supposed to click on the icon again and select Connect.  I do that, but nothing happens. No error, icon does not change. When I click on the icon the Connect option is still there (the 'Disconnect' option is greyed out). 

Tried rebooting the Mac. No joy. A little feedback from the app would be helpful.

At this time none of my Macs are able to browse the Internet.

  • Update:  

    So, a few more things need to be set up:

    - On XG firewall admin portal you need to go to Administration > Device Access and make sure 'Client Authentication' is enabled.  (On a related note: For my Windows clients I had switched from using STAS to using certificate-based Kerberos AD authentication, and at that time support told me I could uncheck 'Client Authentication' since it's not required if I was not using STAS. That may be correct except - if you plan on using the Client Authentication Agent on macOS you DO need to check this box).

    - Going back to the Mac and testing the app ... it will NOW give you feedback. It will keep telling you that your login and password are incorrect even if you are 100% sure you are entering it correctly. Turns out this is because I have the One-Time Password feature enabled on my XG (Authentication > One-Time Password).  I want to keep this on as an added layer of security for all users who connect via the SSL VPN Client, and also for all users who want to access the User Portal.  Unfortunately the Client Authentication Agent for macOS (apparently) also wants an OTP. So I entered my user name (email address) and password + OTP and ... success.  The icon turns orange. The app says I am connected and web browsing now works.

    The problem is - any time the local Mac users reboot their Macs they have to re-authenticate using a new one-time password. The old Authenticator app on UTM did not work this way. Users should be able to enter their credentials (minus the OTP), save those settings and have the agent auto-authenticate them every time they start up their Mac.

    I worked with Sophos support to discover this. Hopefully they will acknowledge this is something that needs to be fixed.

    Currently in the admin portal > Authentication > One-Time Password > Settings ... here, the admin can select WHERE one-time password should be enabled; your choices are:

    - WebAdmin

    - User Portal

    - SSL VPN Remote Access

    - IPSec Remote Access

    I propose that they add another checkbox for 'Client Authentication Agent' or (better yet) fix the agent so it works like the UTM client.
