
Client Authentication Agent - Could not validate certificate - CAA will now close

Hello,

we use some firewall rules with "Match known users", but sometimes STAS does not identify the user (for an unknown reason). In that case we would like to use the Client Authentication Agent, but I have 2 problems:

- On some computers, when I click on Connect, I get the error "Could not validate certificate - CAA will now close".

- On other computers without the error, it never seems to be connected: I clicked on Connect, but Disconnected stays greyed out.

Any ideas?

Other question: during my training, the teacher told me that the Endpoint can be used for authentication (with Heartbeat, I think), but I don't know how to activate that. Do you know?

Thank you !



[edited by: emmosophos at 11:52 PM (GMT -7) on 15 Sep 2022]
  • Hello Julian,

    Thank you for contacting the Sophos Community.

    To enable Heartbeat Authentication with the XG, you need to have an AD Server configured in your network and in the XG.

    Once you configure the AD server in the XG, you need to add the AD group that contains the users you want to authenticate using Heartbeat into the XG, and select the AD server as the default for Firewall Authentication Methods.

    Take a look at this KB and this KB on AD integration.

    Regards,

  • Hello,

    We already have AD authentication activated. Actually we have STAS activated, but it is not working continuously with the VPN connection. Maybe STAS disables the Heartbeat authentication?

    Maybe you can help me, but for an unknown reason sometimes Sophos doesn't recognize my user when I'm over VPN, and sometimes it does. If I check on the AD (we have 4 AD servers) I can see my user sometimes and sometimes not; it seems related to that.

    We have 2 AD servers on 2 different sites; I configured one collector AD on each site and the second is an agent. Maybe when it's not working I'm connected to the agent AD and it doesn't return the information to the collector?

    Is it normal that Show live users on the agent is greyed out? I cannot check where I'm detected.

    Thank you

  • Hello Julian,

    Thank you for the follow-up!

    Yes, it isn't recommended to have STAS and Heartbeat working together, so in case you have computers that are not using Heartbeat, I would recommend that you segment your network so that no computer has 2 authentication methods.

    Regards,

  • Hello,

    I don't understand, because we don't use Heartbeat for authentication. Actually all computers have Endpoint installed; Heartbeat is installed automatically on each computer. We don't use it specifically for authentication.

    But can you tell me why the Client Authentication Agent disconnects every 5 minutes?

    Thank you !