Wireless: LHM - Session creation failed: The request for authorization failed.
03/26/2020 
9 
12868
DESCRIPTION:
Wireless: LHM - Session creation failed: The request for authorization failed.
RESOLUTION:
LHM Overview
Configuration Example
In this example, the wireless client is 172.16.4.2, the WLAN interface is 172.16.4.1, the LAN interface is 10.50.161.113, and the ABE is on the LAN with IP 10.50.161.119. Here are the basic steps for configuration (as it pertains to this example):
1. WLAN Zone > Guest Services > Enable Wireless Guest Services
2. WLAN Zone > Guest Services > Enable External Guest Authentication, then click Configure
3. WLAN Zone > Guest Services > EGA > General > Web Server - 10.50.161.119 (HTTP port 80)
4. WLAN Zone > Guest Services > EGA > Auth Pages > Login Page - default.aspx
Steps 3 and 4 tell the SonicWall to redirect the guest to http://10.50.161.119/default.aspx
Once configuration is complete, make note of these auto-created objects:
Guest Auth Server Address Object
This is an address object for the server defined at WLAN Zone > Guest Services > EGA > General > Web Server. Notice that it’s in the WLAN zone. This is correct, even though the server is actually in the LAN zone. If the server was out on the Internet (WAN zone), the object would still be assigned to the WLAN zone.
External Guest Auth Service Object
This is a service object for External Guest Authentication, which is used when the LHM server posts the session authorization back to the SonicWall.
External Guest Auth NAT Policy
This is a NAT policy for the session authorization post from the LHM server. Notice the inbound/outbound interfaces are X0, and the original destination is X0 IP. This is because the session authorization post will be coming from the webserver, which is on the LAN (X0). If the webserver were on the WAN, then the inbound/outbound interfaces would be X1, and the original destination would be X1 IP.
External Guest Auth Access Rule
This is the access rule that allows the webserver to post the session authorization to the SonicWall’s X0 interface IP on TCP port 4043.
If the server were on the WAN, then the access rule would look like this:
Troubleshooting
The user is redirected to the default.aspx page on the webserver, but after entering his credentials, he gets this message:
Session creation failed: The request for authorization failed…
and the firewall log shows this:
TCP connection dropped - 10.50.161.120, 1291, LAN – 10.50.161.113, 4043, LAN - TCP iMesh
This is the session authorization attempt from the webserver (TCP 4043), which should be allowed by the access rule automatically created (see object #4 above). If the firewall is dropping this connection attempt, check to see if the access rule exists. Also, check the source address in the log message - the TCP connection attempt should be coming from the Guest Auth Server defined at WLAN Zone > Guest Services > EGA > General > Web Server.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
