CPUG

The Check Point User Group

2005-08-14
BarryStiefel
Administrator

No Client Auth Rules Available



Client auth rules generally look like this:

Source                      Destination           Service           Action
User-Group@Allowed-Sources  Allowed-Destinations  Allowed-Services  Client Auth

A particular client auth rule applies when all of the following are true:
  • The username specified during the client authentication attempt is in the group User-Group
  • The source IP address of your connection to the firewall is in the group Allowed-Sources
  • The source IP address of your connection is specified in the username's allowed source (i.e. "Source" under the "Location" tab in the User Properties).

If you are getting the error message, it means that none of the client authentication rules meet all of the above criteria. If you can't figure out why, the latter is usually the culprit.

If nothing is listed in the user's allowed sources, then the user will generally not be able to authenticate from anywhere unless "Ignore User Database" is specified in the Client Authentication Properties. "Any" should be specified here, or at the very least, the desired allowed sources should.

-- PhoneBoy - 30 Dec 2003

2005-08-18
rdunnell
Junior Member

Re: No Client Auth Rules Available

No Client Auth rules can also be caused if you're using the legacy single sign on mechanism (sso-root user) and the system presenting the sso-root credentials is not in the allowed sources for that authentication rule.

For instance, if anyone at 10.1.1.x is allowed to log in, but the server handling single sign-on at 10.1.2.x presents the credentials, the single sign on will not have any applicable rules even if the user is actually at 10.1.1.x. Add the server using the single sign on account into the group of allowed sources for that rule, and now the user will be properly logged in from 10.1.1.x.

(This is probably a bug or oversight, but might be driving some people nuts. It's probably pretty rare for the sso-root system to be used.)
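
As an added illustration (not part of either post, and not Check Point code), the matching conditions described in this thread can be modelled in Python to show which condition rejects a given attempt. The class names, the per-rule `ignore_user_db` flag and all users and addresses are constructed assumptions.

```python
# Simplified model of the matching described in this thread; all names and
# data are constructed, and nothing here reads a real rulebase.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "Any"
NO_RULES = "No Client Auth Rules Available"

@dataclass
class Rule:
    name: str
    user_group: str
    allowed_sources: list          # CIDR strings, or [ANY]
    ignore_user_db: bool = False   # assumption: models "Ignore User Database"

@dataclass
class User:
    name: str
    groups: set
    allowed_sources: list = field(default_factory=list)  # Location tab "Source"

def in_sources(ip, sources):
    # An empty list matches nothing, like a user with no allowed sources listed.
    return any(s == ANY or ip_address(ip) in ip_network(s) for s in sources)

def explain(rule, user, presenting_ip):
    """Return the conditions this rule fails; an empty list means it applies."""
    failed = []
    if rule.user_group not in user.groups:
        failed.append("user not in rule's User-Group")
    if not in_sources(presenting_ip, rule.allowed_sources):
        failed.append("connection source not in rule's Allowed-Sources")
    if not rule.ignore_user_db and not in_sources(presenting_ip, user.allowed_sources):
        failed.append("connection source not in user's allowed sources")
    return failed

def diagnose(rules, user, presenting_ip):
    """presenting_ip is the host that connects to the firewall (e.g. an SSO server)."""
    report = {r.name: explain(r, user, presenting_ip) for r in rules}
    applies = any(not failed for failed in report.values())
    return ("rule available" if applies else NO_RULES), report

# Constructed sample data mirroring the two cases in the thread.
rule = Rule("lan-users", "Staff", ["10.1.1.0/24"])
alice = User("alice", {"Staff"}, [ANY])
bob = User("bob", {"Staff"})       # nothing listed under Location > Source
if __name__ == "__main__":
    for user, ip in [(alice, "10.1.1.5"), (bob, "10.1.1.5"), (alice, "10.1.2.10")]:
        print(user.name, ip, diagnose([rule], user, ip))
```

The third sample case is the single sign-on situation: the user sits in 10.1.1.0/24, but the address checked is that of the server presenting the credentials.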