WatchGuard: User authenticates with LoginTC and then fails authentication

If the user successfully authenticates with both the first and second factor and the WatchGuard appliance then fails the request, the cause may be incorrect Group Settings.


If you are using a Mobile VPN protocol such as SSL and are unable to authenticate, check that your Group Attributes are configured correctly.


Navigate to your **WatchGuard Web UI** and click **Dashboard** in the left-hand navigation bar:

Click on **Traffic Monitor**:

Select **Diagnostic** from the table header options:

If you can find the following error message then there is a problem with your Group Attribute settings:


<pre>
2015-XX-XX 16:52:41 admd Authentication failed: user username@RADIUS isn't in the authorized SSLVPN group/user list!
</pre>


Search for the following error message:


<pre>
2015-XX-XX 16:59:52 admd RADIUS: no attribute-value pair is retrieved from packet
</pre>


If found, it means that the RADIUS Connector is not sending back any Group Attribute information. Navigate to your appliance **web interface** and click **Configurations**. Select the domain you're having problems with:

Click the **Edit Button** in the **First Factor** section:

Scroll down to the **Group Attribute** section:



1. If "None" is selected, change it to "Specify a group attribute". [Click here](#group-attribute-access-control) to review how to configure the Group Attribute for SSL.

2. Otherwise, check that your user is a member of the specified group in the LDAP Directory. If they are not, it will cause RADIUS to return a blank attribute.

If you find a log message similar to this:


<pre>
2015-XX-XX 16:52:41 admd RADIUS: finished parsing attribute-value pairs
2015-XX-XX 16:52:41 admd RADIUS: group 1, type=11 value=L2TP-Users
2015-XX-XX 16:52:41 admd RADIUS: retrieve VP:Filter-Id(11) int=10
</pre>



Then the RADIUS server is sending back a Group Attribute, but it may not be the correct one.



Check that the **value** is the name of the group that has been added to the list of groups authorized to authenticate with SSL. Log into the **WatchGuard Web UI** and select **VPN** from the left-hand navigation bar. Click on **Mobile VPN with SSL**:

Click on the **Authentication** tab:

The bottom table contains the list of groups that are authorized to connect with SSL. If the group returned by the RADIUS server is not part of it, it must be added. Click the **Add** button:

Type in the group name and select **RADIUS** as the Authentication Server:
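
The log checks in this article collected into one script, as an added example that is not part of the original article or of LoginTC or WatchGuard tooling: it classifies the three `admd` messages quoted above and compares the group returned in Filter-Id (type 11) with the authorized SSL group list. The function name, the sample lines (constructed from the messages above) and the `SSLVPN-Users` group name are assumptions.

```python
import re

# Patterns for the three admd diagnostic messages quoted in this article.
NOT_AUTHORIZED = re.compile(
    r"admd Authentication failed: user (\S+) isn't in the authorized SSLVPN group/user list")
NO_AVP = re.compile(r"admd RADIUS: no attribute-value pair is retrieved from packet")
GROUP_AVP = re.compile(r"admd RADIUS: group \d+, type=11 value=(.+?)\s*$")


def diagnose(log_lines, authorized_groups):
    """Classify Traffic Monitor diagnostic lines (hypothetical helper).

    authorized_groups: names from the Mobile VPN with SSL > Authentication
    tab, supplied by the caller. Names are compared exactly as written.
    """
    findings = []
    for line in log_lines:
        if NO_AVP.search(line):
            # RADIUS Connector returned no group: Group Attribute is "None"
            # or the user is not a member of the specified LDAP group.
            findings.append(("no_group_attribute",
                             "check Group Attribute setting and LDAP membership"))
        elif (m := GROUP_AVP.search(line)):
            group = m.group(1)
            kind = "group_authorized" if group in authorized_groups else "group_not_authorized"
            findings.append((kind, group))
        elif (m := NOT_AUTHORIZED.search(line)):
            findings.append(("user_rejected", m.group(1)))
    return findings


# Constructed sample input, built from the log lines shown in this article.
SAMPLE = [
    "2015-XX-XX 16:52:41 admd RADIUS: finished parsing attribute-value pairs",
    "2015-XX-XX 16:52:41 admd RADIUS: group 1, type=11 value=L2TP-Users",
    "2015-XX-XX 16:52:41 admd RADIUS: retrieve VP:Filter-Id(11) int=10",
    "2015-XX-XX 16:52:41 admd Authentication failed: user username@RADIUS "
    "isn't in the authorized SSLVPN group/user list!",
    "2015-XX-XX 16:59:52 admd RADIUS: no attribute-value pair is retrieved from packet",
]

if __name__ == "__main__":
    # "SSLVPN-Users" is an assumed entry in the authorized group table.
    for kind, detail in diagnose(SAMPLE, {"SSLVPN-Users"}):
        print(f"{kind}: {detail}")
```

A `group_not_authorized` result names the group to add on the **Authentication** tab, or points to a Group Attribute value that needs correcting in the RADIUS Connector.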
