
Sophos XG210 MR4 OTP Token with AD authentication - error 17705 and 17711

Dear community,

I got some problems with Sophos XG210 MR4. I created a new AD user for testing, activated OTP and assigned the testuser to it. I got a new hardware token, which I integrated and assigned to the testuser.

Now I did some testing: testuser can authenticate in the user portal and SSL VPN with the OTP options off. With the OTP options activated for the user portal and SSL VPN, there is an authentication error; the log shows error code 17705 or 17711.

Livelog:

"User tb*** failed to login to MyAccount through Local,AD authentication mechanism because of wrong credentials" = 17705 in userportal

"User tb*** failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials" = 17711 via VPN SSL

I already installed a CA authority on my domain controller and set the AD port to 636...

Any ideas if I can test anything different?

Thanks in advance.

  • FormerMember

    Hi Stephan Bückert,

    Thank you for reaching out to Sophos Community.

    Could you please check the time offset between XG and the end device(where Sophos Authenticator is installed)?

    Try to sync the time offset by clicking the Synchronize button and typing the passcode.

  • On the first try to initialise the OTP token I was able to synchronise the token; this was on Tuesday. But after many failed attempts to log in I deleted the OTP token and started my configuration from scratch. Tried to synchronize again = failed to synchronize. I repeated this step about 2-3 times, deleted and configured anew...

  • FormerMember in reply to Stephan Bückert

    Could you please confirm the time on XG firewall?

    You can check access_server debug events to get more information about authentication fail.

    Run the below command to put access_server service in debugging.

    ==> Log in to SSH > 5. Device Management > 3. Advanced Shell.

    SFOS 18.0.4 MR-4# service access_server:debug -ds nosync

    SFOS 18.0.4 MR-4# tail -f /log/access_server.log

    ==> Try to login to the user portal or SSL VPN client with OTP, and share log output here or in PM.

    ==> To stop debugging please run the below command.

    SFOS 18.0.4 MR-4# service access_server:debug -ds nosync

  • Problem solved.

    SHA256 Tokens are not compatible with SophosXG => Use SHA1 Tokens instead.
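The algorithm mismatch behind the fix above, as an added example that is not part of this thread or of Sophos' code: a minimal RFC 6238 TOTP generator and verifier in Python, using the RFC's published test seeds as constructed secrets, showing that a token programmed for HMAC-SHA256 produces codes a SHA-1-only verifier rejects as plain wrong credentials, indistinguishable from a bad password or a drifted clock. Digit count, time step and drift window are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets (the RFC 6238 Appendix B seeds), not the poster's token seed.
SEED_SHA1 = b"12345678901234567890"                  # 20 bytes, as programmed into a SHA-1 token
SEED_SHA256 = b"12345678901234567890123456789012"    # 32 bytes, as programmed into a SHA-256 token


def hotp(secret: bytes, counter: int, digest: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod=digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digest: str = "sha1", step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digest, digits)


def verify(secret: bytes, code: str, unix_time: int, digest: str = "sha1",
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for any step within +/- window (clock-drift tolerance).

    A token whose clock has drifted further than `window` steps, or whose HMAC
    algorithm differs from `digest`, fails here and surfaces only as a generic
    wrong-credentials error, which is how the thread's 17705/17711 events read.
    """
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + k, digest, digits), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    t = 59  # RFC 6238 test instant
    # Token and server agree on SHA-1: accepted.
    print("sha1 token vs sha1 server:", verify(SEED_SHA1, totp(SEED_SHA1, t, "sha1", digits=8), t, "sha1", digits=8))
    # Token programmed for SHA-256, server only speaks SHA-1: rejected despite correct seed and time.
    print("sha256 token vs sha1 server:", verify(SEED_SHA256, totp(SEED_SHA256, t, "sha256", digits=8), t, "sha1", digits=8))
    # One 30-second step of drift is inside the window; three steps is not.
    print("drift 30s:", verify(SEED_SHA1, totp(SEED_SHA1, t, digits=8), t + 30, digits=8))
    print("drift 90s:", verify(SEED_SHA1, totp(SEED_SHA1, t, digits=8), t + 90, digits=8))
```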