topic VPN Client Enforcing Settings Not Configured in Gateway in SASE and Remote Access

VPN Client Enforcing Settings Not Configured in Gateway

tmorgan — Thu, 22 Feb 2024 21:31:38 GMT

The first experience I am getting is this....

The gateway is configured to perform "Single Authentication" / "Compatibility with Older clients". The authentication method is RADIUS and is not configured to ask for password as first challenge. There is no "MultiAuthenicaiton client settings" configured. All fairly standard stuff.

If you take a clean installer it will connect to the gateway and the ask for the username but the password field will be greyed out (as i would expect). You click next enter the RADIUS prompt and the client throws a wobbly that the password is wrong. Slightly less standard stuff!

If I install the customers customised installer then the client will ask me for the username and the password move onto the RADIUS token then let me login.

So obviously the client has been configured at some point in this environments long and distant past to require the user to provide the password regardless... but what gives with the gateway? Where is the setting requiring the password... but not requiring the password is some strange setting in the gateway I just cant find? Is this a 'feature'? What am I missing?

The second strange experience I am getting is...

You try and connect to the Gateway using a domain machine you are let in without issue. You try and connect using a non-domain machine and you can connect but get a message in the client isnt a member of the domain and you can access internal resources. However if you add a registry entry with the domain name under System\CurrentControlSet\Services\Tcpip\Parameters\Domain then you can get in without issue.

So you think maybe Mobile Access is configured to perform compliance Checking. You look at the Gateway Properties -> Mobile Access -> Endpoint compliance but its disabled. So you open up the local.scv file on the gateway but this is a completely standard unedited file.

Facts and Figures

OS/version of the client PC = Windows 10 / Windows 11
Version of Remote Access client = It looks like this experience has been the same for years, current version 87.30.
Exact version/JHF take level of gateway = Its been configured like this since R77 days. Current version is R81.10.
For Endpoint/Remote Access, please include the client versions = eh?
A simplified network diagram is always appreciated = Fairly standard Internet -> Gateway -> Internal network, not sure its required for this post.
References to precise documentation you followed, the results you were expecting, and the results = None
Relevant screenshots are helpful = Not sure these are too helpful at this point this is all fairly standard messages.

Re: VPN Client Enforcing Settings Not Configured in Gateway

the_rock — Fri, 23 Feb 2024 03:08:55 GMT

I would definitely see if you can do remote with TAC for this...sounds like it may need some more investigation.

Best,

Andy

Re: VPN Client Enforcing Settings Not Configured in Gateway

tmorgan — Fri, 23 Feb 2024 15:01:17 GMT

Yeah I had a feeling that was the case. I just wanted to see if there was any obvious points I had missed. I tend to try and avoid CP TAC as it tends to be a bit... abrasive... in the UK.

Re: VPN Client Enforcing Settings Not Configured in Gateway

the_rock — Fri, 23 Feb 2024 15:02:48 GMT

I hear ya. Lets see if others will have some ideas.

Best,

Andy

Re: VPN Client Enforcing Settings Not Configured in Gateway

tmorgan — Thu, 04 Apr 2024 19:38:40 GMT

So a quick update on this one. After a lot of back an forwards with TAC I am starting to suspect that whoever did the last major upgrade on this firewall copied the state files on the gateways instead of the config files on the SMS eg $FWDIR/state/ instead of $FWDIR/conf/.

I have been given the below advice from TAC. However, to a number of issues in this environment I suspect I am going to recommend a clean install to R81.20 in the hope to move us to a known, and soon to be documented, condition.

SCV configuration is incomplete without enabling "policy server" blade on the FW.

After making the changes on the $FWDIR/conf/local.scv file in the MGMT server.
During policy installation, $FWDIR/conf/local.scv file in the MGMT is copied to following locations:
$FWDIR/state/<Name_of_GW_Object>/PS ------- of the MGMT server
$FWDIR/state/local/PS/ -------- of the Security Gateway

In our case,
$FWDIR/state/ - files are not default
$FWDIR/conf/ - files are default

We believe that those are have become corrupt.

I'm attaching $FWDIR/conf/local.scv file from my Lab MGMT server (R81.10 take 130) in the outgoing folder of SFTP server.

>Backup the files:
$FWDIR/state/<Name_of_GW_Object>/PS ------- of the MGMT server
$FWDIR/state/local/PS/ -------- of the Security Gateway

>Download the local.scv file from the SFTP server
>Load it in $FWDIR/conf/ of the MGMT server.
>Install the database
>Install the policy

This should resolve your issue.