
Client Authentication Agent and macOS High Sierra

Hi forum,

I've tried the XG Authentication Agent for the first time - and I've installed it on the newest macOS High Sierra release. To me, it looks like it doesn't work, as it doesn't connect. I've set up the rules in the XG ruleset, and also given the user access to the virtual SSL VPN.

How to troubleshoot this agent? Are there any log files somewhere to check? And has anyone else tried this agent on High Sierra?

Running XG Home Version beta 17.

  • You should find some log entries under "Client Authentication Agent" in system.log.

  • I have opened the Console.app, selected system log and searched for "Client Authentication Agent" and variants of it but I could not find anything. I see the icon of the Client Authentication Agent in the tray bar but it seems inactive.

  • Sorry about that. Apple changed the logging mechanism, and now with the unified log, logs are not written to files anymore but are most of the time in memory. I tested it on my High Sierra 10.13.1 in the Console app and found the log lines; just select your device in the Devices list and then filter for the desired text.

    I also successfully tested the latest version 1.2.8 of CAA and it worked: the icon turned orange and the user was live in SFOS. Please make sure to have SFOS as default gateway (because of the 1.2.3.4 IP) and that network connectivity is present. If it still doesn't work, then reinstalling the agent along with the certificate should work.

  • I have tried installing multiple times, it did not help for me.

    Now I can see the log, thank you. You have been much more helpful than the support guy (I opened a ticket, and the guy just refused to help me in any way, not even helping me to find the logs... not a great experience...)

    I have these messages:

    default 11:46:24.080953 +0100 Client Authentication Agent trying to connect...
    default 11:46:24.082963 +0100 Client Authentication Agent Client disconnected
    default 11:46:24.085830 +0100 Client Authentication Agent TCP Conn [113:0x60400017f980] using empty proxy configuration
    default 11:46:24.085893 +0100 Client Authentication Agent Stream client bypassing proxies on TCP Conn [113:0x60400017f980]
    default 11:46:24.085917 +0100 Client Authentication Agent TCP Conn 0x60400017f980 started
    default 11:46:54.085410 +0100 Client Authentication Agent socket disconnected with error: Error Domain=AsyncSocketErrorDomain Code=2 "Attempt to connect to host timed out" UserInfo={NSLocalizedDescription=Attempt to connect to host timed out}
    default 11:46:54.087450 +0100 Client Authentication Agent TCP Conn 0x60400017f980 canceled
    default 11:47:14.087733 +0100 Client Authentication Agent trying to connect...
    default 11:47:14.089986 +0100 Client Authentication Agent Client disconnected
    default 11:47:14.090241 +0100 Client Authentication Agent TCP Conn [114:0x60000017ecc0] using empty proxy configuration
    default 11:47:14.090272 +0100 Client Authentication Agent Stream client bypassing proxies on TCP Conn [114:0x60000017ecc0]

    I have connectivity, but I am not sure what you mean by "Please make sure to have SFOS as default gateway".

  • Thanks for the logs. It looks like the agent can't establish a connection to 1.2.3.4:9922. That's what I meant by having XG set up as the default gateway for your LAN Mac clients; this is required because Client Authentication Agent connects to this magic IP, which will be resolved by the Firewall, resulting in communication being established. This is the normal mode of operation.

    Sorry that the support experience was not great.

  • Thank you Sivu!

    What is not clear to me is if this configuration change should be done on the client (my Mac) or I should ask the administrators of the XG Firewall to do that.

    In the former case can you point me to some documentation?

  • You're welcome. Normally it should be done by the administrator, since if you use DHCP you should also get the gateway information alongside the IP. Alternatively you could set up the default gateway yourself on the Mac. Don't know what kind of setup you have, but option 1 (or something similar) should normally be the case.

  • Maybe I should clarify my context: I am working from another office outside the company owning the VPN. I am a contractor working remotely for them. My DHCP server is running on the local wifi router in my office and it set my default gateway to 192.168.1.1

    I tried adding 1.2.3.4:9922 as default gateway but I get an error (I can only specify the IP, not the port), and I would expect it not to work anyway, because that address would not be reachable from my WLAN. Maybe when I manage to connect to the VPN, the VPN can magically resolve it, but I am not sure how to connect to the VPN in my context.

    Sorry for the basic questions but since the upgrade to macOS High Sierra (weeks ago) I am unable to connect.

  • Client Authentication Agent is intended for clients on those networks that have the XG as default gateway. Obviously the XG is not your default gateway, and this raises the question of what it would help if Client Authentication Agent is able to connect. Your traffic would not be routed through the XG because it's not the default gateway. If you are using it to access some specific subnets and access is granted by XG based on your identity via Client Authentication Agent, then you could try to install a host route on your macOS, so that traffic destined to 1.2.3.4 will be sent to the XG.

    e.g. sudo route -n add -host 1.2.3.4 <XG's IP>
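The troubleshooting steps spread across this thread (pull the agent's lines from the unified log, check where 1.2.3.4 is routed, check whether TCP port 9922 on it is reachable) can be scripted. The following is an added helper written for this page; it is not part of Sophos' agent or documentation. It assumes what the replies above state: the agent connects to the magic IP 1.2.3.4 on TCP 9922 and logs under the process name "Client Authentication Agent". The parsing functions run anywhere (the embedded sample is a subset of the log lines quoted in the thread); the route, port and `log show` checks are macOS-only and run only when the script is invoked with the `live` argument.

```sh
#!/bin/sh
# Added troubleshooting helper for the Client Authentication Agent thread above.
# Not part of Sophos' agent or documentation. Assumptions (from the thread):
#   - the agent connects to 1.2.3.4 on TCP 9922 ("magic IP" resolved by the XG)
#   - unified-log entries carry the process name "Client Authentication Agent"

CAA_HOST="1.2.3.4"
CAA_PORT="9922"
CAA_PROCESS="Client Authentication Agent"

# Constructed sample: a subset of the log lines quoted in the thread, so the
# parsing functions can be exercised without a Mac.
CAA_SAMPLE_LOG='default 11:46:24.080953 +0100 Client Authentication Agent trying to connect...
default 11:46:24.085917 +0100 Client Authentication Agent TCP Conn 0x60400017f980 started
default 11:46:54.085410 +0100 Client Authentication Agent socket disconnected with error: Error Domain=AsyncSocketErrorDomain Code=2 "Attempt to connect to host timed out" UserInfo={NSLocalizedDescription=Attempt to connect to host timed out}
default 11:46:54.087450 +0100 Client Authentication Agent TCP Conn 0x60400017f980 canceled
default 11:47:14.087733 +0100 Client Authentication Agent trying to connect...'

# Number of connection attempts in log text read from stdin.
caa_count_attempts() {
    grep -c 'trying to connect' || true
}

# Number of connect timeouts (the error seen in the thread) in log text from stdin.
caa_count_timeouts() {
    grep -c 'Attempt to connect to host timed out' || true
}

# Error domain and code of the most recent socket error, e.g. "AsyncSocketErrorDomain 2".
caa_last_error() {
    sed -n 's/.*Error Domain=\([A-Za-z]*\) Code=\([0-9]*\).*/\1 \2/p' | tail -n 1
}

# One-line verdict from log text on stdin: timeouts mean the magic IP is not
# being routed to the XG (no XG default gateway and no host route).
caa_verdict() {
    log=$(cat)
    attempts=$(printf '%s\n' "$log" | caa_count_attempts)
    timeouts=$(printf '%s\n' "$log" | caa_count_timeouts)
    if [ "$timeouts" -gt 0 ]; then
        echo "unreachable: $timeouts of $attempts attempts to $CAA_HOST:$CAA_PORT timed out; check that the XG is the default gateway or that a host route for $CAA_HOST exists"
    elif [ "$attempts" -gt 0 ]; then
        echo "no timeouts in $attempts attempts"
    else
        echo "no agent log lines found"
    fi
}

# macOS only: export the agent's recent unified-log entries (the Console.app
# filter described in the thread, done on the command line).
caa_dump_log() {
    log show --last 1h --predicate "process == \"$CAA_PROCESS\"" --style syslog
}

# macOS only: which gateway and interface would carry traffic to the magic IP.
caa_route_check() {
    route -n get "$CAA_HOST" 2>/dev/null | awk '/gateway:|interface:/ { print $1 $2 }'
}

# TCP reachability of the magic IP on the agent's port (5 s timeout).
caa_port_check() {
    if nc -z -w 5 "$CAA_HOST" "$CAA_PORT" 2>/dev/null; then
        echo "$CAA_HOST:$CAA_PORT reachable"
    else
        echo "$CAA_HOST:$CAA_PORT NOT reachable"
    fi
}

# Live checks run only when invoked as:  sh caa_check.sh live
if [ "${1:-}" = "live" ]; then
    caa_route_check
    caa_port_check
    caa_dump_log | caa_verdict
fi
```

On a client whose default gateway is a home router, `caa_route_check` prints that router as the gateway for 1.2.3.4 and `caa_port_check` reports the port unreachable, which matches the timeout pattern in the quoted log; after the host route from the reply above is added, the gateway line should show the XG's IP instead.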