SSL-VPN Authentication with PIN and Password failed
12.7.2 U2
Testing AuthPoint with SSL-VPN
In Policy Manager > VPN > SSL I have AuthPoint as the default authentication method, followed by AD.
Logging into the VPN, I get the push notification from AuthPoint and approve it.
Then I receive this message:
Authentication with PIN and Password failed.
Could not download configuration from server, would you like to try the most recent configuration?
Choosing yes the VPN connection fails and brings me back to the login screen.
If I change the authentication method back to AD as the primary, I'm able to establish the VPN connection fine.
In AuthPoint configuration I have an Authentication Policy for SSL-VPN, with the LDAP Group "IT", Resource type is Firebox, with OTP/Password/QR Code/Push as Authentication Options.
Am I missing something here?
Thanks,
- Doug
It's usually something simple.
Comments
Hi @shaazaminator
That means the firebox got a reject from the Authentication server for some reason. I'd suggest looking at the traffic monitor on the firebox to see what the response was, as that'll give you a better idea on where to look for the issue.
The popup box is just the client offering to connect using the cached profile, which will also fail if authentication is being rejected to the firewall.
-James Carson
WatchGuard Customer Support
Figured it out, my fault.
Neglected to create an Authentication Group in the FB SSL Configuration that matched the group created in AuthPoint Groups.
Worked fine after that.
Yeah, I know, RTFM.
It's usually something simple.
That's why I usually use SSLVPN-Users in AD, and when I sync to AuthPoint I make an AuthPoint group called AuthPoint-Sync that doesn't do anything but anchor my LDAP groups to AuthPoint, and then I use the "Create Group" checkbox in the LDAP group sync configuration.
Then you can use your old SSLVPN-Users group and it won't be an issue when you do a cutover to AuthPoint.
This is a good idea.