Users are unable to authenticate using Defender Tokens after an upgrade to a Checkpoint Firewall or installation of a Sonicwall VPN. After entering the Synchronous Response they are repeatedly prompted to re-enter it, as if Defender did not receive the response.
The DSS logs show the authentication attempt but record "authentication abandoned user", and the user is subsequently unable to log in using their Defender Token.
Unsupported Protocol set for VPN Access via the Firewall
Usernames are required to be case sensitive by the VPN device.
Ensure that the scenario meets the following criteria:
- Create a test policy which requires the Active Directory (AD) Password followed by Defender Token Response (unless this is already being used).
- Associate the Policy with a Test user.
- Using the above policy, check the DSS Log to see whether Defender logs the user's AD Authentication (note: to meet this criterion, the AD Authentication should NOT be logged in the DSS Log).
- Create another test Policy in Defender for Defender Password Only.
- Associate this Policy to the test user and set a Password for Defender Access on the Defender Tab in User Properties.
- Test. At this point we expect that this too will fail.
- Remove any Policies or settings from the test user that were completed in the steps listed above (return the Test user to its original state).
Check the protocol being used by the firewall. Defender does not support MS-CHAPv2 for VPN connections; select PAP, if available, since Defender supports PAP authentication.
- The VPN device may require usernames to be case sensitive for additional security, so make sure the user types the username into the VPN client with exactly the same case as it appears in the user list within the VPN device's user settings.
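To check both causes above against what the firewall actually sends, the following Python script (an added example, not Defender's code nor the firewall or VPN vendors') parses a RADIUS Access-Request UDP payload, reports whether it carries a PAP User-Password, a CHAP-Password, or a Microsoft MS-CHAP / MS-CHAPv2 vendor-specific response, and compares the User-Name exactly as sent against the VPN device's user list to spot a case mismatch. The attribute numbers are the standard RFC 2865 and RFC 2548 values; the two sample packets and the user list are constructed inline; treating CHAP and MS-CHAPv1 as unsupported is an assumption, since the article only states that PAP is supported and MS-CHAPv2 is not.

```python
import struct

# RADIUS code and attribute types (RFC 2865); Microsoft vendor sub-attributes (RFC 2548)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2       # present only for PAP
ATTR_CHAP_PASSWORD = 3       # present only for CHAP
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE = 1         # MS-CHAPv1
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25       # MS-CHAPv2

# Article: Defender supports PAP and not MS-CHAPv2. CHAP/MS-CHAPv1 unsupported is an assumption.
SUPPORTED_PROTOCOLS = {"PAP"}


def build_access_request(attrs, identifier=1, authenticator=bytes(16)):
    """Encode an Access-Request from (type, value) pairs; used only to build the constructed samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def ms_vsa(vendor_type, value):
    """Encode one Microsoft vendor sub-attribute as a Vendor-Specific attribute value."""
    return struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, len(value) + 2]) + value


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def microsoft_subtypes(value):
    """Yield the vendor sub-attribute types found in a Microsoft Vendor-Specific value."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
        return
    pos = 4
    while pos + 2 <= len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            return
        yield vtype
        pos += vlen


def classify_auth_protocol(packet):
    """Return (protocol, username) for an Access-Request, e.g. ("MS-CHAPv2", "jsmith")."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return "not-access-request", None
    username, found = None, set()
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            username = value.decode("utf-8", "replace")   # case preserved exactly as sent
        elif atype == ATTR_USER_PASSWORD:
            found.add("PAP")
        elif atype == ATTR_CHAP_PASSWORD:
            found.add("CHAP")
        elif atype == ATTR_VENDOR_SPECIFIC:
            for vtype in microsoft_subtypes(value):
                if vtype == MS_CHAP2_RESPONSE:
                    found.add("MS-CHAPv2")
                elif vtype == MS_CHAP_RESPONSE:
                    found.add("MS-CHAPv1")
    for proto in ("MS-CHAPv2", "MS-CHAPv1", "CHAP", "PAP"):
        if proto in found:
            return proto, username
    return "none", username


def username_case_status(sent, vpn_user_list):
    """'exact' if the name matches an entry exactly, 'case-mismatch' if only the case differs, else 'unknown'."""
    if sent in vpn_user_list:
        return "exact"
    if sent.lower() in {u.lower() for u in vpn_user_list}:
        return "case-mismatch"
    return "unknown"


def diagnose(packet, vpn_user_list):
    """Summarise the two causes from the article for one captured Access-Request."""
    protocol, username = classify_auth_protocol(packet)
    return {"protocol": protocol,
            "protocol_supported": protocol in SUPPORTED_PROTOCOLS,
            "username": username,
            "username_case": username_case_status(username or "", vpn_user_list)}


# Constructed samples (not real captures): one PAP request and one MS-CHAPv2 request.
PAP_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"JSmith"),
    (ATTR_USER_PASSWORD, bytes(16)),          # RADIUS-obfuscated password, one 16-byte block
])
MSCHAPV2_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"jsmith"),
    (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP_CHALLENGE, b"\x11" * 16)),
    (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP2_RESPONSE, b"\x01\x00" + b"\x22" * 48)),
])
VPN_USERS = ["JSmith", "ADoe"]    # constructed user list as configured on the VPN device

if __name__ == "__main__":
    for label, pkt in (("PAP sample", PAP_REQUEST), ("MS-CHAPv2 sample", MSCHAPV2_REQUEST)):
        print(label, diagnose(pkt, VPN_USERS))
```

In practice the packet bytes would be the UDP payload of a request captured on the firewall-to-Defender Security Server path; a result of `protocol_supported: False` points at the protocol setting on the firewall, and `username_case: case-mismatch` points at the user typing the name in a different case from the VPN device's user list.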