Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 838 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After 9.1 => 9.2 xauth against AD broken

Chris69
Hi there,
today I updated both HA nodes from 9.1 to 9.201-25.
Of course I did not change any configuration!

Since then some users called for a non working VPN.

i figured out the following:

L2TP over IPsec is still working, authenticating against RADIUS
IPSEC is broken but ONLY when authenticating useres against AD: 
"...no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER"

If i use a RADIUS-based Usergroup it works like all the other days.

Communication to the AD-Server itself is fine, I can read the entire AD from the UTM, can recreate the AD-Group-limited Usergroup and can succesfully prefetch users.

ipsec restart did not help of course and it is still strongSwan 4 and not 5.x (4.4.1git20100610)

Any Ideas?

Thanks - Chris


This thread was automatically locked due to age.
  • 0
    Chris,

    I'm confused by your post.  In Remote Access IPsec, you can't specify users by a backend group - neither with AD nor with RADIUS.

    Cheers - Bob
    PS Moving this thread to the VPN Forum.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi Bob,
    I double checked it once again:

    Under RA => IPSEC => Allowed Users
    you can add groups of AD or RADIUS authenticated users.

    It worked for a year for me under 9.x, since 9.2 RADIUS is still working but AD is broken.
    But it confuses me, too, that everything related to AD is working (Test under authentication servers, user prefetch, reading AD groups...) but IPSEC cannot get used to this group anymore.

    Cheers - Chris
  • 0
    I'd never tried IPsec Remote Access with a PSK in the ASG/UTM/SG, so I didn't know it was possible to do XAUTH with a Backend Group. [:O]

    You might find a hint in your server logs, Chris, but I would have your reseller open a support case with Sophos.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML