topic Re: Remote VPn certificate based authentication issue. in Firewall and Security Management

Remote VPn certificate based authentication issue.

Prasaddere — Thu, 12 Dec 2024 14:02:14 GMT

We have configured Certificate based authentication but we are getting message on VPN client that "User Account Expired 31 Dec 2020"

When user connect from Client to VPN, it shows user Certificate but whne he connect, it give above error message.

We have already added Root CA in Trusted CA and issuing CA in Subordinate CA.

Generated CSR and got the Certificate from Internal CA

Selected Personal Certificate in Authetication in VPN Client as well in Mobile Access.

In Mobile access, Portal setting added another internal CA certification.

Re: Remote VPn certificate based authentication issue.

CaseyB — Thu, 12 Dec 2024 14:10:43 GMT

Is this field set properly for the user account in question?

Re: Remote VPn certificate based authentication issue.

Prasaddere — Thu, 12 Dec 2024 14:29:32 GMT

Actually user which we are tring to connect is on AD not locally.. We have other users where there Account was expired on 31 dec 2020 which are on locally on checkpoint.

Re: Remote VPn certificate based authentication issue.

Prasaddere — Thu, 12 Dec 2024 14:47:22 GMT

Below is the Message in Traffic logs

Main Mode Sent Notification to Peer: Client Encrypt Notification: User account expired on 31-Dec-2020.

User account expired on 31-Dec-2020. ---This data is picked up from the checkpoint only in the backend but not sure from where?

Re: Remote VPn certificate based authentication issue.

PhoneBoy — Thu, 12 Dec 2024 16:14:06 GMT

It might be in the generic* user that you need to change the expiration on.
The only way to find this user (if it's indeed defined in your environment) is via SmartDashboard (not SmartConsole).
Otherwise, I suggest contacting TAC.

Re: Remote VPn certificate based authentication issue.

JozkoMrkvicka — Thu, 12 Dec 2024 20:46:57 GMT

Even if you are using AD for authentication, some settings are inherit from default password templates. Check following:

LDAP Account Unit -> double click on correct AU -> Authentication -> Section "Users' default values". If "use user template" checkbox is ticked, then see which user template is used.

Search for this user template in "User Templates" within object explorer. Open affected template and right in General tab you can see Expiration of this template (which is valid for all users, not just locally configured).

If inside the user template you have "According to Global Properties", head to Global Properties -> User Accounts and there you should see Expiration.

Re: Remote VPn certificate based authentication issue.

Prasaddere — Fri, 13 Dec 2024 06:21:15 GMT

Thanks, After changing the expiration on generic* user, message has gone but getting another message now on Endpoint security client that "Main Mode Sent Notification to Peer: Client Encrypt Notification: Access denied - wrong user name or password "