STAS User Authentication

Hi,

I installed STAS on a member server (Windows Server 2012 R2), not on the AD. It was already working and it's getting the list of users from the AD, but for the last 2 days the live user list in the SOPHOS XG suddenly shows only 3 or 4, unlike before. It happens like this after I restart my SOPHOS XG. Even when I try to log in to the user portal using my AD username, it is not working anymore.

Please see the attached screenshot.

Thanks,

nidzms



  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Please reattach the screenshots, and provide the access_server logs in debugging. 

    Have you followed any document or KBA to setup STAS? 

    Thanks,

  • Hi H_Patel,

    I followed this guide: https://support.sophos.com/support/s/article/KB-000038628?language=en_US. It was working before.

    Please also see the attached access_log; I hope this is the one you are asking for.

    XG330_WP02_SFOS 18.0.4 MR-4# tail -f /log/access_server.log
    MESSAGE   Mar 03 09:59:55.780221 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 141.98.80.98
    MESSAGE   Mar 03 10:00:03.994935 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    MESSAGE   Mar 03 10:00:03.994952 [access_server]: check_timeout_cta_collector: found timeout collector
    MESSAGE   Mar 03 10:00:08.196432 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 188.36.42.67
    MESSAGE   Mar 03 10:00:20.524315 [CAA]: (CA_keep_alive): access_server heartbeat
    MESSAGE   Mar 03 10:00:20.524338 [CAA]: (CA_keep_alive): Sending PING to nsali on connection 0xf6806410
    MESSAGE   Mar 03 10:00:20.524395 [CAA]: (CA_keep_alive): Processed 1 CA connections: w=1 m=0 l=0 i=0 a=0
    MESSAGE   Mar 03 10:00:20.524400 [CAA]: (CA_keep_alive): Next CA batch in 45 seconds
    MESSAGE   Mar 03 10:00:20.526137 [CAA]: (process_command): PONG 87 from ######## on connection 0xf6806410
    MESSAGE   Mar 03 10:00:33.426022 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 103.84.130.194
    MESSAGE   Mar 03 10:01:05.001313 [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    MESSAGE   Mar 03 10:01:05.001331 [access_server]: check_timeout_cta_collector: found timeout collector
    MESSAGE   Mar 03 10:01:05.569738 [CAA]: (CA_keep_alive): access_server heartbeat
    MESSAGE   Mar 03 10:01:05.569759 [CAA]: (CA_keep_alive): Sending PING to nsali on connection 0xf6806410
    MESSAGE   Mar 03 10:01:05.569814 [CAA]: (CA_keep_alive): Processed 1 CA connections: w=1 m=0 l=0 i=0 a=0
    MESSAGE   Mar 03 10:01:05.569819 [CAA]: (CA_keep_alive): Next CA batch in 45 seconds
    MESSAGE   Mar 03 10:01:05.574650 [CAA]: (process_command): PONG 88 from ######## on connection 0xf6806410
    ERROR     Mar 03 10:01:10.615853 [ADS_AUTH]: adsauth_bind: bind failed: Strong(er) authentication required
    ERROR     Mar 03 10:01:10.615882 [ADS_AUTH]: adsauth_authenticate_user: '192.168.14.105:389': bind failed for User: '########\######'
    ERROR     Mar 03 10:01:10.615886 [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'zdaragmeh'
    ERROR     Mar 03 10:01:10.615917 [access_server]: check_auth_result: Authentication Failed
    ERROR     Mar 03 10:01:10.618534 [ADS_AUTH]: adsauth_bind: bind failed: Strong(er) authentication required
    ERROR     Mar 03 10:01:10.618544 [ADS_AUTH]: adsauth_authenticate_user: '192.168.14.105:389': bind failed for User: '########\######'
    ERROR     Mar 03 10:01:10.618548 [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'########'
    ERROR     Mar 03 10:01:10.618602 [access_server]: check_auth_result: Authentication Failed
    MESSAGE   Mar 03 10:01:14.846612 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 70.28.48.102
    ERROR     Mar 03 10:01:18.243843 [ADS_AUTH]: adsauth_bind: bind failed: Strong(er) authentication required
    ERROR     Mar 03 10:01:18.243859 [ADS_AUTH]: adsauth_authenticate_user: '192.168.14.105:389': bind failed for User: '########\######'
    ERROR     Mar 03 10:01:18.243863 [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'#######'
    ERROR     Mar 03 10:01:18.243910 [access_server]: check_auth_result: Authentication Failed
    MESSAGE   Mar 03 10:01:22.189040 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 122.163.127.180
    MESSAGE   Mar 03 10:01:22.338831 [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP 122.163.127.180
    MESSAGE   Mar 03 10:01:24.077360 [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP 122.163.127.180
    MESSAGE   Mar 03 10:01:24.879447 [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP 122.163.127.180
    MESSAGE   Mar 03 10:01:29.919480 [access_server]: (update_admin_access_table): attempt_allowed: '5', attempts_duration: '60', block_for_minutes: '5'
    MESSAGE   Mar 03 10:01:29.919759 [access_server]: (update_admin_access_table): Bruteforce Attack from IP 122.163.127.180 detected, counter 5
    ERROR     Mar 03 10:01:37.609794 [ADS_AUTH]: adsauth_bind: bind failed: Strong(er) authentication required
    ERROR     Mar 03 10:01:37.609812 [ADS_AUTH]: adsauth_authenticate_user: '192.168.14.105:389': bind failed for User: '########\######'
    ERROR     Mar 03 10:01:37.609816 [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'sharaf'
    ERROR     Mar 03 10:01:37.609862 [access_server]: check_auth_result: Authentication Failed
    MESSAGE   Mar 03 10:01:47.479135 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 189.6.45.130
    MESSAGE   Mar 03 10:01:50.617809 [CAA]: (CA_keep_alive): access_server heartbeat
    MESSAGE   Mar 03 10:01:50.617828 [CAA]: (CA_keep_alive): Sending PING to nsali on connection 0xf6806410
    MESSAGE   Mar 03 10:01:50.617880 [CAA]: (CA_keep_alive): Processed 1 CA connections: w=1 m=0 l=0 i=0 a=0
    MESSAGE   Mar 03 10:01:50.617885 [CAA]: (CA_keep_alive): Next CA batch in 45 seconds
    MESSAGE   Mar 03 10:01:50.623179 [CAA]: (process_command): PONG 89 from nsali on connection 0xf6806410

    Thanks,

    nidzms
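
An added triage sketch for the log format posted above (not part of the original thread, and not Sophos code): it separates the `[ADS_AUTH]` bind failures from the admin login failures that are interleaved with them, so each can be followed up on its own. "Strong(er) authentication required" is LDAP result code 8 (strongerAuthRequired), which a directory server returns when it refuses a bind at the connection's current security level, here a bind to port 389. The sample lines, IPs and user names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the access_server.log excerpt above
# (IPs are from documentation ranges, user names are made up).
SAMPLE = """\
MESSAGE   Mar 03 10:00:08.196432 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 198.51.100.7
ERROR     Mar 03 10:01:10.615853 [ADS_AUTH]: adsauth_bind: bind failed: Strong(er) authentication required
ERROR     Mar 03 10:01:10.615882 [ADS_AUTH]: adsauth_authenticate_user: '192.0.2.10:389': bind failed for User: 'EXAMPLE\\svc'
ERROR     Mar 03 10:01:10.615886 [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'alice'
MESSAGE   Mar 03 10:01:22.189040 [access_server]: (update_admin_access_table): # Admin user authentication fail from IP 203.0.113.9
MESSAGE   Mar 03 10:01:22.338831 [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP 203.0.113.9
MESSAGE   Mar 03 10:01:29.919759 [access_server]: (update_admin_access_table): Bruteforce Attack from IP 203.0.113.9 detected, counter 5
MESSAGE   Mar 03 10:01:50.617809 [CAA]: (CA_keep_alive): access_server heartbeat
"""

LINE = re.compile(r"^(\w+)\s+(\w{3} \d{2} [\d:.]+) \[(\w+)\]: (.*)$")
ADMIN_FAIL = re.compile(r"Admin user authentication fail(?:ed)? from IP (\S+)")
BRUTE = re.compile(r"Bruteforce Attack from IP (\S+) detected")
BIND_TARGET = re.compile(r"'([^']+:\d+)': bind failed for User")
ADS_USER = re.compile(r"ADS Authentication Failed for User:'([^']*)'")

def triage(text):
    """Separate directory bind failures from admin login failures."""
    out = {"admin_fail": Counter(), "blocked": set(), "bind_reasons": Counter(),
           "bind_targets": set(), "ads_users": set(), "unparsed": 0}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            out["unparsed"] += bool(raw.strip())  # count non-empty lines we could not parse
            continue
        _level, _ts, module, msg = m.groups()
        if module == "ADS_AUTH":
            if msg.startswith("adsauth_bind: bind failed: "):
                out["bind_reasons"][msg.split("bind failed: ", 1)[1]] += 1
            elif (t := BIND_TARGET.search(msg)):
                out["bind_targets"].add(t.group(1))
            elif (u := ADS_USER.search(msg)):
                out["ads_users"].add(u.group(1))
        elif (b := BRUTE.search(msg)):
            out["blocked"].add(b.group(1))
        elif (a := ADMIN_FAIL.search(msg)):
            out["admin_fail"][a.group(1)] += 1
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

A single bind reason repeated for every affected user, all against one `host:port`, points at the directory connection rather than at individual accounts.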

  • Did you get this fixed? I had it working and then all of a sudden it stopped working altogether. I followed all of the setup instructions and I have the users in the live users in the STAS suite collector. No matter what I do it seems like the firewall is not referencing the Live users. I have no evidence of users in the firewall logs (firewall and authentication) any more. I have uninstalled and reinstalled and it is not making a difference. Is there a way to reset the database in the firewall? I have removed all objects from the firewall and disabled STAS, removed users, recreated firewall rules. All of the tests from the STAS application are passing.

    The firewall is an XG 105 SFOS17.5.14 MR-14-1
