SSL VPN client unable to authenticate with OTP

We have Sophos XG125 firewall with the current firmware SFOS 18.0.5 MR-5-Build586.

Users have been imported from on-prem AD and are currently using L2TP VPN to connect remotely. The goal is to switch them to more secure SSL VPN with OTP (one-time password, aka MFA).

We are using Sophos Connect SSL VPN client current version:

The problem is, I can configure OTP/MFA for a local (non-AD synced) firewall account with the Microsoft Authenticator app, and use it to connect via SSL VPN without any issues. But I cannot do the same with AD-synced accounts. I am able to go as far as the OTP setup, and can sign in to the firewall's User Portal WebUI with the OTP code. But I cannot connect with the SSL VPN client... I get authentication failures like this:

messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="NAME REDACTED" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="wrong credentials" src_ip="IP ADDRESS REDACTED" message="User NAME REDACTED failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials" name="" src_mac=""

Any suggestions would be helpful!

  • FormerMember

    Hey, thanks for reaching out to the Sophos Community.

    Can you check whether the AD server is selected for the SSL VPN authentication?

    • Navigate to Authentication > Services > 'SSL VPN authentication methods' and ensure that the on-prem AD server is selected.

    Also, in the log viewer authentication events (the failed auth event), do you see the username with the @domainname suffix or just the username?

  • Hello Devesh, thank you for the reply.

    - On-prem AD server is indeed selected in SSL VPN auth methods as a secondary source (Local is primary)

    - Failed authentication log entry looks like this:

    Time | Log component | Status | User | Source IP | Client used | Auth mechanism | Message | Message ID
    2021-08-17 22:25:10 | SSL VPN Authentication | Failed | username@ourdomain.ca | [public IP] | N/A | Local,AD | User username@ourdomain.ca failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials | 17711

    - Interestingly enough, another tech trying the same account sign-in from a different PC and IP address gets authenticated correctly, but only on the second attempt:

    Log type | Time | Log component | Status | User | Source IP | Client used | Auth mechanism | Message | Message ID
    Authentication | 2021-08-18 01:28:40 | Firewall Authentication | Successful | username@ourdomain.ca | [Local IP] | SSLVPN | | User username@ourdomain.ca of group [Group name] logged in successfully to Firewall through authentication mechanism from [Local IP] | 17701
    Authentication | 2021-08-18 01:28:39 | SSL VPN Authentication | Successful | username@ourdomain.ca | [Public IP] | N/A | AD | User username@ourdomain.ca authenticated successfully to login to SSLVPN through AD authentication mechanism | 17710
    Authentication | 2021-08-18 01:27:37 | SSL VPN Authentication | Failed | username@ourdomain.ca | [Public IP] | N/A | Local,AD | User username@ourdomain.ca failed to login to SSLVPN through Local,AD authentication mechanism because of wrong credentials | 17711

    Any other suggestions?
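An added helper, not part of this thread or of Sophos's own tooling, that parses the key="value" event format shown in the first post and summarises per user whether the name carried a domain suffix (the check asked about above) and whether a Local,AD failure was followed by an AD-only success, the pattern seen in the second tech's attempt. The sample lines and user names are constructed; only the message IDs, statuses and mechanism strings mirror the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SFOS key="value" event format from the thread.
# Users, groups and addresses are made up; 17711/17710 and the mechanism values mirror the post.
SAMPLE_LOG = '''\
messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="alice@example.test" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="wrong credentials" src_ip="203.0.113.10"
messageid="17710" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" user="alice@example.test" user_group="VPN Users" client_used="N/A" auth_mechanism="AD" src_ip="203.0.113.10"
messageid="17711" log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Failed" user="bob" user_group="" client_used="N/A" auth_mechanism="Local,AD" reason="wrong credentials" src_ip="198.51.100.7"
'''

# One key="value" pair; values in this format do not contain embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one SFOS key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def summarize(log_text):
    """Per user: whether the login name carried an @domain suffix, and the ordered
    list of (status, auth_mechanism) pairs for SSL VPN authentication events."""
    per_user = defaultdict(lambda: {"has_domain": False, "events": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_component") != "SSL VPN Authentication":
            continue  # skip firewall-auth (17701) and unrelated events
        user = rec.get("user", "")
        entry = per_user[user]
        entry["has_domain"] = "@" in user
        entry["events"].append((rec.get("status", ""), rec.get("auth_mechanism", "")))
    return dict(per_user)


def flaky_users(summary):
    """Users whose Local,AD failure was immediately followed by a success,
    i.e. the fail-then-pass-on-retry behaviour described in the thread."""
    hits = []
    for user, entry in summary.items():
        ev = entry["events"]
        for prev, nxt in zip(ev, ev[1:]):
            if prev == ("Failed", "Local,AD") and nxt[0] == "Successful":
                hits.append(user)
                break
    return sorted(hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, entry in s.items():
        print(user, "domain suffix:", entry["has_domain"], entry["events"])
    print("fail-then-succeed users:", flaky_users(s))
```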

  • FormerMember in reply to Service TAG

    Hey, sorry for the late response; this post didn't show up in my feed. Can you check the access_server logs for this behavior?

    Get SSH access. Navigate to Option 5 > Option 3 (Advanced shell), then run: tail -f /log/access_server.log

    Attempt to log in and share the logs.