Tag Archives: sophos

Windows NPS – Authentication failed with error code 16

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Today, a customer called me and reported, on the first sight, a pretty weired error: Only Windows clients were unable to login into a WPA2-Enterprise wireless network. The setup itself was pretty simple: Cisco Meraki WiFi access points, a Windows Network Protection Server (NPS) on a Windows Server 2016 Domain Controller, and a Sophos SG 125 was acting as DHCP for different WiFi networks.

Pixybay / pixabay.com/ Pixabay License

Windows clients failed to authenticate, but Apple iOS, Android, and even Windows 10 Tablets had no problem.

The following error was logged into the Windows Security event log.

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Wireless Users
Authentication Provider: Windows
Authentication Server: domaincontroller.domain.tld
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The credentials were definitely correct, the customer and I tried different user and password combinations.

I also checked the NPS network policy. When choosing PEAP as authentication type, the NPS needs a valid server certificate. This is necessary, because the EAP session is protected by a TLS tunnel. A valid certificate was given, in this case a wildcard certificate. A second certificate was also in place, this was a certificate for the domain controller from the internal enterprise CA.

It was an educated guess, but I disabled the server certificate check for the WPA2-Enterprise conntection, and the client was able to login into the WiFi. This clearly showed, that the certificate was the problem. But it was valid, all necessary CA certificates were in place and there was no reason, why the certificate was the cause.

The customer told me, that they installed updates on friday (today is monday), and a reboot of the domain controller was issued. This also restarted the NPS service, and with this restart, the Wildcard certificate was used for client connections.

I switched to the domain controller certificate, restarted the NPS, and all Windows clients were again able to connect to the WiFi.

Lessons learned

Try to avoid Wildcard certificates, or at least check the certificate that is used by the NPS, if you get authentication error with reason code 16.

Bypass stateful firewall on a Sophos XG

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Usually, bypassing a firewall is not the best idea. But sometimes you have to. One case, where you want to bypass a firewall, is asymmetric routing.

MichaelGaida/ pixabay.com/ Creative Commons CC0

What is asymmetric routing? Imagine a scenario with two routers on the same network. One router offeres access to the internet, the other router provides access to other sites with site-2-site VPN tunnels.

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Host 1 uses R1 as default gateway. R1 has static routes configured to the networks reachable over the VPN, or it has learned them dynamically using a routing protocol from R2. A packet from host 1 arrives at R1, is routed to R2, and is sent over the VPN tunnel. The answer to this packet arrives at R2, and is sent directly to host 1, because host 1 is the destination. This works because R2 and host 1 are on the same network. This is asymmetric routing, because request and answer go different ways.

In case of routing, this is not a problem. But if R1 is a firewall, this firewall might be stubborn, because it does not see the whole traffic.

Bypass the stateful firewall

I recently had such a setup due to some technical debts. The firewall dropped that “Invalid Traffic”. Fortunately, there is a way to bypass the statefull firewall. You can create advanced firewall rules using the CLI. There is no way to create these rules using the GUI. And this only applies to the Sophos XG (former Cyberoam products).

Console> set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.99.0 source_netmask 255.255.255.0 dest_network 192.168.20.0 dest_netmask 255.255.255.0

Make sure that you have a static or dynamically learned route to the networks. This is not a routing entry, it only tells the firewall what traffic should bypass the stateful firewall.

Sophos UTM Home Edition license expired

This posting is ~9 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Sophos offers a free license of their UTM firewall for private use. The product was originally developed by Astaro and since these days I use it at home. After the merger with Sophos I switched to the new Sophos UTM 9, still using my old license. I use it to seperate my test VLAN from my normal VLAN, and I use it as proxy with antivirus scanning for all my devices (iPhone, iPad, laptop etc.), but the UTM can do a lot more than this. This morning I wanted to read my Twitter timeline on my iPhone but I got no connection over WLAN. After disabling the proxy it worked fine. I took a look at the admin interface of my UTM and what did I see? An expired license. WTF?!

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

So I needed a new license file. I couldn’t imagine, that Sophos canceled all the feature for home uses. I went to the Sophos homepage, but I hadn’t a login for MyUTM. So I decied to register for a new UTM download to get credentials for the MyUTM website. After a short time I got an e-mail with the desired credentials. I logged in and downloaded the new license file.

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

After the installation of the new license file, everything was fine again.

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

As you notice, the new license has an expiration date. So better schedule an alarm to get a new one, before you miss your family IT SLAs. Nothing is worse than to have wife and kids complaining about not working IT services at home. ;)