- CheckMates
- :
- Products
- :
- Harmony
- :
- Endpoint
- :
- Re: VPN Site Push Failing from R81.20
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Site Push Failing from R81.20
Just an FYI for anyone else trying this.
If you attempt to perform a Push Operation to add a VPN Site using [Login Option: "Standard"] and [Authentication Method: Username/Password] it will silently fail the operation on the client.
This is because it runs the following command on the remote machine:
create -s "REDACTED" -di "REDACTED" -lo "Standard" -a "username-password" -f "REDACTED_SIGNATURE"
The issue is that using the [-a ""] parameter with [-lo "standard"] results in the error "Standard: does not need authentication method"
The Infinity Portal needs to be reprogrammed to not sent the [-a "username-password"] parameter if [-lo "Standard"] is already specified.
Running this command manually on the workstation adds the VPN Site correctly:
create -s "REDACTED" -di "REDACTED" -lo "Standard" -f "REDACTED_SIGNATURE"
--------------
FIX:
When using Radius authentication you must use Custom Login Option and manually enter "RADIUS Logon Options" in the field below. The text is case sensitive.
Action: Add VPN Site
Server Name (or IP): 10.1.1.1
Use Custom Login Option: Checked
Login Option (Manually entered Case sensitive): RADIUS Logon Options
Authentication Method: Other
Fingerprint: LONG STRING OF WORD GOES HERE
Remote Access Gateway Name: Gateway_Name
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Andrew_Scott,
Regarding the behavior.
Whether to specify the authentication method or not during the site creation command depends on gateway settings.
If for "Single Authentication Clients setting" the admin defines a specific authentication method, then you can not use the -a in the "trac create" command:
trac create -s "REDACTED" -di "REDACTED" -lo "Standard" -f "REDACTED_SIGNATURE"
But if the admin leaves the default value, then the authentication method parameter is required in the "trac create" command:
trac create -s "REDACTED" -di "REDACTED" -lo "Standard" -a "username-password" -f "REDACTED_SIGNATURE"
Since the Push Operation sends the full command, including the -a when choosing the "Standard" option, you need to make sure the gateway is configured to the default setting "Defined On User Record (Legacy)".
We are adding a clarification in the Harmony Endpoint EPMaaS Administration Guide.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know exactly what you are talking about. I had not dealt with this myself in a while, but sounds familiar. Maybe ask if you can work with someone in Endpoint team, because if ticket went to firewall team, they most likely would not be familiar with this.
Best,
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Andrew_Scott,
Regarding the behavior.
Whether to specify the authentication method or not during the site creation command depends on gateway settings.
If for "Single Authentication Clients setting" the admin defines a specific authentication method, then you can not use the -a in the "trac create" command:
trac create -s "REDACTED" -di "REDACTED" -lo "Standard" -f "REDACTED_SIGNATURE"
But if the admin leaves the default value, then the authentication method parameter is required in the "trac create" command:
trac create -s "REDACTED" -di "REDACTED" -lo "Standard" -a "username-password" -f "REDACTED_SIGNATURE"
Since the Push Operation sends the full command, including the -a when choosing the "Standard" option, you need to make sure the gateway is configured to the default setting "Defined On User Record (Legacy)".
We are adding a clarification in the Harmony Endpoint EPMaaS Administration Guide.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So we were using Radius settings. Here's the actual settings that works on the client side. The issue is that you have to manually enter "RADIUS Logon Options" in the Login Option field and it's case sensitive.
Fields are filled in with sample values.
Action: Add VPN Site
Server Name (or IP): 10.1.1.1
Use Custom Login Option: Checked
Login Option (Manually entered Case sensitive): RADIUS Logon Options
Authentication Method: Other
Fingerprint: LONG STRING OF WORD GOES HERE
Remote Access Gateway Name: Gateway_Name
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Andrew_Scott,
This is by design according to the Harmony Endpoint EPMaaS Administration Guide:
Login Option |
Login option for the server. By default, Standard login option is selected. To use a custom login option, select Use Custom Login Option checkbox, and enter the login option. This must match the Display Name specified in the GW properties > VPN Clients > Authentication > Multiple Authentication Clients Settings in the SmartConsole For example, SAML IDP. |
![](/skins/images/74119E49EB1AA30407316FFB9151D237/responsive_peak/images/icon_anonymous_message.png)