
Client Authentication Agent and macOS High Sierra

Hi forum,

I've tried the XG Authentication Agent for the first time - and I've installed it on the newest macOS High Sierra release. To me, it looks like it doesn't work, as it doesn't connect. I've set up the rules in the XG ruleset, and also given the user access to the virtual SSL VPN.

How to troubleshoot this agent? Are there any log files somewhere to check? And has anyone else tried this agent on High Sierra?

Running XG Home Version beta 17.



  • Is your XG configured as the default gateway on macOS?

    This is required to make that feature work.

  • Are you running this on a production XG or your home version?

    If the home version, you should be asking the question in the Beta forum.

    Ian

  • Same here: the agent is not doing anything and there is no feedback at all on the issue

  • You should find some log entries under "Client Authentication Agent" in system.log.

  • I have opened the Console.app, selected system log and searched for "Client Authentication Agent" and variants of it but I could not find anything. I see the icon of the Client Authentication Agent in the tray bar but it seems inactive.

  • Sorry about that. Apple changed the logging mechanism, and now with the unified log, logs are no longer written to files but are most of the time in memory. I tested it on my High Sierra 10.13.1 in the Console app and found the log lines; just select your device in the Devices list and then filter for the desired text.

    I also successfully tested the latest version 1.2.8 of CAA and it worked: the icon turned orange and the user was live in SFOS. Please make sure to have SFOS as the default gateway (because of the 1.2.3.4 IP) and that network connectivity is present. If it still doesn't work, then reinstalling the agent along with the certificate should work.

  • I have tried installing multiple times, it did not help for me.

    Now I can see the log, thank you. You have been much more helpful than the support guy (I opened a ticket, the guy just refused to help me in any way, not even helping me to find the logs... not a great experience...)

    I have these messages:

    default 11:46:24.080953 +0100 Client Authentication Agent trying to connect...
    default 11:46:24.082963 +0100 Client Authentication Agent Client disconnected
    default 11:46:24.085830 +0100 Client Authentication Agent TCP Conn [113:0x60400017f980] using empty proxy configuration
    default 11:46:24.085893 +0100 Client Authentication Agent Stream client bypassing proxies on TCP Conn [113:0x60400017f980]
    default 11:46:24.085917 +0100 Client Authentication Agent TCP Conn 0x60400017f980 started
    default 11:46:54.085410 +0100 Client Authentication Agent socket disconnected with error: Error Domain=AsyncSocketErrorDomain Code=2 "Attempt to connect to host timed out" UserInfo={NSLocalizedDescription=Attempt to connect to host timed out}
    default 11:46:54.087450 +0100 Client Authentication Agent TCP Conn 0x60400017f980 canceled
    default 11:47:14.087733 +0100 Client Authentication Agent trying to connect...
    default 11:47:14.089986 +0100 Client Authentication Agent Client disconnected
    default 11:47:14.090241 +0100 Client Authentication Agent TCP Conn [114:0x60000017ecc0] using empty proxy configuration
    default 11:47:14.090272 +0100 Client Authentication Agent Stream client bypassing proxies on TCP Conn [114:0x60000017ecc0]

    I have connectivity, but I am not sure what you mean by "Please make sure to have SFOS as default gateway"

  • Thanks for the logs. It looks like the agent can't establish a connection to 1.2.3.4:9922. That's what I meant by having XG set up as the default gateway for your LAN Mac clients: this is required because Client Authentication Agent connects to this magic IP, which will be resolved by the Firewall, resulting in communication being established. This is the normal mode of operation.

    Sorry that the support experience was not great.

  • Thank you Sivu!

    What is not clear to me is if this configuration change should be done on the client (my Mac) or I should ask the administrators of the XG Firewall to do that.

    In the former case can you point me to some documentation?

  • You're welcome. Normally it should be done by the administrator, since if you use DHCP you should also get the gateway information alongside the IP. Alternatively you could set up the default gateway yourself on the Mac. Don't know what kind of setup you have, but option 1 (or something similar) should normally be the case.
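
The diagnosis made in this thread can be repeated with a short script. This is an added example, not part of the original posts and not Sophos code: it groups Console lines in the layout posted above into connection attempts, flags the connect timeouts, and tries the same TCP connection to 1.2.3.4:9922 that the agent makes. The function names and the 5-second probe timeout are assumptions, and the sample log is constructed from lines in the thread.

```python
import re
import socket
from datetime import datetime

# Constructed sample: lines taken from the Console excerpt posted in the thread.
SAMPLE_LOG = """\
default 11:46:24.080953 +0100 Client Authentication Agent trying to connect...
default 11:46:24.085917 +0100 Client Authentication Agent TCP Conn 0x60400017f980 started
default 11:46:54.085410 +0100 Client Authentication Agent socket disconnected with error: Error Domain=AsyncSocketErrorDomain Code=2 "Attempt to connect to host timed out" UserInfo={NSLocalizedDescription=Attempt to connect to host timed out}
default 11:46:54.087450 +0100 Client Authentication Agent TCP Conn 0x60400017f980 canceled
default 11:47:14.087733 +0100 Client Authentication Agent trying to connect...
"""

# Console line layout as posted: level, time, UTC offset, process name, message.
LINE = re.compile(r"^\w+\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+[+-]\d{4}\s+"
                  r"Client Authentication Agent\s+(.*)$")

def parse_attempts(text):
    """Group agent log lines into connection attempts with outcome and duration."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")  # time of day only
        msg = m.group(2)
        if msg.startswith("trying to connect"):
            # The thread shows no success message, so the default is "unknown".
            current = {"start": ts, "outcome": "unknown", "seconds": None}
            attempts.append(current)
        elif current and "timed out" in msg:
            current["outcome"] = "timeout"
            current["seconds"] = round((ts - current["start"]).total_seconds(), 1)
    return attempts

def probe(host="1.2.3.4", port=9922, timeout=5.0):
    """Try the TCP connection the agent makes; needs the XG as default gateway."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["start"].time(), a["outcome"], a["seconds"])
    print("probe 1.2.3.4:9922 ->", probe())
```

A probe result of `timeout` together with timeouts in the log matches the situation in the thread, where the Mac's default route does not pass through the XG.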