User Not in Authorized Group for Mobile VPN with SSL
Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
When you configure Mobile VPN with SSL, you specify the users and groups who are allowed to connect. When a user tries to connect, if the authentication server does not include a group that matches a Mobile VPN with SSL group configured on the Firebox, authentication fails even when user credentials are correct.
Symptoms
When the authentication server does not include a group that matches a Mobile VPN with SSL group on the Firebox, you might notice these symptoms:
- Multiple users cannot connect to the VPN despite valid credentials and group membership.
- Some users might authenticate successfully.
- One or both of these admd Firebox log messages show for the time of the authentication attempt:
  - `Authentication failed: user user@authserver isn't in the authorized SSLVPN group/user list!`
  - `Authentication of Firewall user [user@authserver] from x.x.x.x was rejected, user is not in right group msg_id="1100-0005"`
Diagnostic Steps
- Verify that the user belongs to the correct group on the authentication server.
- Reproduce the issue. To verify the group that the authentication server returns, review the authentication server log messages at the time of the authentication attempt. For RADIUS servers, verify that the server returns the correct group name in the Filter-ID attribute.
- Compare the group name or Filter-ID value from the authentication server to the group name on the Firebox. The values must match exactly. Verify the spelling and the exact use of uppercase and lowercase letters and leading or trailing spaces.
- Verify that the group on the Firebox is associated with the correct authentication server.
- Verify that the correct users or groups are selected in the Mobile VPN with SSL configuration.
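The diagnostic steps above can be scripted: parse the two admd log messages to find the rejected users, then compare the group value the authentication server returned (for RADIUS, the Filter-ID value) against the groups configured on the Firebox, checking exact spelling, case, and leading or trailing spaces, the authentication server the Firebox group is associated with, and whether the group is selected in the Mobile VPN with SSL configuration. The following Python script is an added example for this article, not a WatchGuard tool or code from the article itself; the log lines, user names, group names, server names and returned group values are all constructed, and the returned group values are assumed to have been copied from the authentication server log.

```python
import re

# Constructed sample admd log lines, modelled on the two messages quoted in "Symptoms".
SAMPLE_LOG = """\
2024-01-01 10:00:01 admd Authentication failed: user jdoe@RADIUS-1 isn't in the authorized SSLVPN group/user list!
2024-01-01 10:00:01 admd Authentication of Firewall user [jdoe@RADIUS-1] from 198.51.100.7 was rejected, user is not in right group msg_id="1100-0005"
2024-01-01 10:05:12 admd Authentication of Firewall user [asmith@RADIUS-1] from 198.51.100.8 was rejected, user is not in right group msg_id="1100-0005"
2024-01-01 10:09:40 admd Authentication of Firewall user [cwu@LDAP-1] from 198.51.100.9 was rejected, user is not in right group msg_id="1100-0005"
2024-01-01 10:12:03 admd Authentication of Firewall user [mlee@RADIUS-1] from 198.51.100.10 was rejected, user is not in right group msg_id="1100-0005"
"""

# Constructed: group value each user's authentication server returned (RADIUS Filter-ID or LDAP/AD group),
# as read from that server's log at the time of the attempt (diagnostic step 2).
RETURNED_GROUPS = {
    "jdoe": "SSLVPN-Users ",   # trailing space
    "asmith": "sslvpn-users",  # wrong case
    "cwu": "Contractors",      # correct name, but see FIREBOX_GROUPS
    "mlee": "VPN-Admins",      # correct name, but not selected for Mobile VPN with SSL
}

# Constructed Firebox configuration: group name -> authentication server it is associated with.
FIREBOX_GROUPS = {
    "SSLVPN-Users": "RADIUS-1",
    "Contractors": "RADIUS-1",
    "VPN-Admins": "RADIUS-1",
}
# Constructed: groups selected in the Mobile VPN with SSL configuration.
SSLVPN_GROUPS = {"SSLVPN-Users", "Contractors"}

FAILED_RE = re.compile(
    r"Authentication failed: user (?P<user>[^@\s]+)@(?P<server>\S+) isn't in the authorized SSLVPN group/user list!"
)
REJECTED_RE = re.compile(
    r'Authentication of Firewall user \[(?P<user>[^@\]]+)@(?P<server>[^\]]+)\] from (?P<ip>\S+) '
    r'was rejected, user is not in right group msg_id="1100-0005"'
)


def parse_admd_log(text):
    """Return (user, server) for every admd group-membership rejection in the log text."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line) or REJECTED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("server")))
    return events


def classify_group(returned, firebox_groups):
    """Step 3: the value returned by the auth server must match a Firebox group exactly.
    Returns (verdict, closest Firebox group or None), reporting whitespace-only and
    case-only differences separately so the required fix is obvious."""
    if returned in firebox_groups:
        return "exact match", returned
    for g in firebox_groups:
        if returned.strip() == g.strip():
            return "leading/trailing whitespace differs", g
    for g in firebox_groups:
        if returned.strip().casefold() == g.strip().casefold():
            return "case differs", g
    return "no matching group", None


def diagnose(log_text, returned_groups, firebox_groups, sslvpn_groups):
    """Walk the diagnostic steps for each rejected user and return {user: finding}."""
    findings = {}
    for user, server in parse_admd_log(log_text):
        returned = returned_groups.get(user)
        if returned is None:
            findings[user] = "auth server returned no group; check group membership on the server (step 1)"
            continue
        verdict, match = classify_group(returned, firebox_groups)
        if match is None:
            findings[user] = f"no Firebox group matches {returned!r} (step 3)"
        elif verdict != "exact match":
            findings[user] = f"{verdict}: server returned {returned!r}, Firebox group is {match!r} (step 3)"
        elif firebox_groups[match] != server:
            findings[user] = (f"Firebox group {match!r} is associated with {firebox_groups[match]!r}, "
                              f"but the user authenticated against {server!r} (step 4)")
        elif match not in sslvpn_groups:
            findings[user] = f"group {match!r} is not selected in the Mobile VPN with SSL configuration (step 5)"
        else:
            findings[user] = "configuration is consistent; re-check the authentication server log"
    return findings


if __name__ == "__main__":
    for user, finding in diagnose(SAMPLE_LOG, RETURNED_GROUPS, FIREBOX_GROUPS, SSLVPN_GROUPS).items():
        print(f"{user}: {finding}")
```

Run it against a real admd log export and the group values copied from your own authentication server log by replacing the constructed sample data; each finding names the diagnostic step whose fix applies.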
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| The user is not a member of the correct group on the authentication server. | Add the user to the correct Active Directory, LDAP, or RADIUS group. |
| (RADIUS only) The RADIUS server does not return the correct group name in the Filter-ID attribute. | Update the Filter-ID attribute on the RADIUS server. For more information about RADIUS authentication and the Firebox, go to How RADIUS Server Authentication Works. |
| (Locally-managed Fireboxes only) The group name on the Firebox does not exactly match the group name on the authentication server. | Update the group name on the Firebox, or update the authentication server group name or RADIUS Filter-ID attribute, so that the spelling and capitalization match exactly. For information about how to update the group name on the Firebox, go to Use Users and Groups in Policies. |
| The correct group exists on the authentication server but is not selected in the Mobile VPN with SSL configuration. | Add the group to the Mobile VPN with SSL configuration. For more information, go to Locally-Managed: Add Users and Groups or Cloud-Managed: Add Users and Groups. |
| The Mobile VPN with SSL group on the Firebox is associated with an incorrect authentication server. | Update the authentication server in the Mobile VPN with SSL configuration. For more information, go to Incorrect or Unreachable Authentication Server for Mobile VPN with SSL. |