SSL-VPN Authentication with PIN and Password failed

12.7.2 U2

Testing AuthPoint with SSL-VPN

In Policy Manager > VPN > SSL I have AuthPoint as the default authentication method, followed by AD.

Logging into the VPN, I get the push notification from AuthPoint and approve it.

Then I receive this message:

Authentication with PIN and Password failed.
Could not download configuration from server, would you like to try the most recent configuration?

Choosing yes the VPN connection fails and brings me back to the login screen.

If I change the authentication method back to AD as the primary, I'm able to establish the VPN connection fine.

In AuthPoint configuration I have an Authentication Policy for SSL-VPN, with the LDAP Group "IT", Resource type is
Firebox, with OTP/Password/QR Code/Push as Authentication Options.

Am I missing something here?

Thanks,

  • Doug

It's usually something simple.

Comments

  • james.carson, Moderator, WatchGuard Representative

    Hi @shaazaminator
    That means the firebox got a reject from the Authentication server for some reason. I'd suggest looking at the traffic monitor on the firebox to see what the response was, as that'll give you a better idea on where to look for the issue.

    The popup box is just the client offering to connect using the cached profile, which will also fail if authentication is being rejected to the firewall.

    -James Carson
    WatchGuard Customer Support

  • Figured it out, my fault.
    Neglected to create an Authentication Group in the FB SSL Configuration that matched the group created in AuthPoint Groups.
    Worked fine after that.
    Yeah, I know, RTFM.

    • Doug

    It's usually something simple.

  • That's why I usually use SSLVPN-Users in AD, and when I sync to AuthPoint I make an AuthPoint group called AuthPoint-Sync that doesn't do anything but anchor my LDAP groups to AuthPoint, and then I use the "Create Group" checkbox in the LDAP group sync configuration.

    Then you can use your old SSLVPN-Users group and it will not be an issue when you do a cutover to AuthPoint.

  • Eug
    edited November 2022

    @Tristan.Colo said:
    That's why I usually use SSLVPN-Users in AD, and when I sync to AuthPoint I make an AuthPoint group called AuthPoint-Sync that doesn't do anything but anchor my LDAP groups to AuthPoint, and then I use the "Create Group" checkbox in the LDAP group sync configuration.

    Then you can use your old SSLVPN-Users group and it will not be an issue when you do a cutover to AuthPoint.

    This is a good idea.
