Wireless: LHM - Session creation failed: The request for authorization failed.
03/26/2020
Description
Wireless: LHM - Session creation failed: The request for authorization failed.
Resolution
LHM Overview

Configuration Example
In this example, the wireless client is 172.16.4.2, the WLAN interface is 172.16.4.1, the LAN interface is 10.50.161.113, and the ABE is on the LAN with IP 10.50.161.119. Here are the basic steps for configuration (as it pertains to this example):
1. WLAN Zone > Guest Services > Enable Wireless Guest Services
2. WLAN Zone > Guest Services > Enable External Guest Authentication, then click Configure
3. WLAN Zone > Guest Services > EGA > General > Web Server - 10.50.161.119 (HTTP port 80)
4. WLAN Zone > Guest Services > EGA > Auth Pages > Login Page - default.aspx
Steps 3 and 4 tell the SonicWall to redirect the guest to http://10.50.161.119/default.aspx
Once configuration is complete, make note of these auto-created objects:
Guest Auth Server Address Object
This is an address object for the server defined at WLAN Zone > Guest Services > EGA > General > Web Server. Notice that it’s in the WLAN zone. This is correct, even though the server is actually in the LAN zone. If the server were out on the Internet (WAN zone), the object would still be assigned to the WLAN zone.

External Guest Auth Service Object
This is a service object for External Guest Authentication, which is used when the LHM server posts the session authorization back to the SonicWall.

External Guest Auth NAT Policy
This is a NAT policy for the session authorization post from the LHM server. Notice the inbound/outbound interfaces are X0, and the original destination is X0 IP. This is because the session authorization post will be coming from the webserver, which is on the LAN (X0). If the webserver were on the WAN, then the inbound/outbound interfaces would be X1, and the original destination would be X1 IP.

External Guest Auth Access Rule
This is the access rule that allows the webserver to post the session authorization to the SonicWall’s X0 interface IP on TCP port 4043.
If the server were on the WAN, then the access rule would look like this:
Troubleshooting
The user is redirected to the default.aspx page on the webserver, but after entering his credentials, he gets this message:
Session creation failed: The request for authorization failed…
and the firewall log shows this:
TCP connection dropped - 10.50.161.120, 1291, LAN – 10.50.161.113, 4043, LAN - TCP iMesh
This is the session authorization attempt from the webserver (TCP 4043), which should be allowed by the automatically created access rule (the External Guest Auth Access Rule, the fourth object listed above). If the firewall is dropping this connection attempt, check whether the access rule exists. Also check the source address in the log message: the TCP connection attempt should come from the Guest Auth Server defined at WLAN Zone > Guest Services > EGA > General > Web Server.
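The two checks above can be run over exported log messages. This is an added example, not SonicWall code: the message layout is assumed from the single log line quoted in this article, `diagnose`, `diagnose_log` and `SAMPLE_LOG` are hypothetical names, and every sample line except the first is constructed.

```python
import re

# Values from this article's example configuration (adjust for your network).
GUEST_AUTH_SERVER = "10.50.161.119"  # EGA > General > Web Server
AUTH_PORT = 4043                     # port the session authorization post targets

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SEP = r"\s*[-\u2013]\s*"             # hyphen or en dash, both appear in the excerpt
# Layout assumed from the one log message quoted in the article.
DROP_RE = re.compile(
    r"TCP connection dropped" + SEP
    + rf"(?P<src>{IP}),\s*(?P<sport>\d+),\s*(?P<szone>\w+)" + SEP
    + rf"(?P<dst>{IP}),\s*(?P<dport>\d+),\s*(?P<dzone>\w+)"
)

def diagnose(line, auth_server=GUEST_AUTH_SERVER, auth_port=AUTH_PORT):
    """Return a finding for a dropped session authorization post, else None."""
    m = DROP_RE.search(line)
    if m is None or int(m.group("dport")) != auth_port:
        return None  # not a drop, or a drop on some other port
    src = m.group("src")
    matches = src == auth_server
    if matches:
        hint = ("source is the Guest Auth Server; check that the "
                "External Guest Auth Access Rule exists")
    else:
        hint = (f"source {src} is not the Guest Auth Server ({auth_server}); "
                "compare it with the EGA Web Server setting")
    return {"src": src, "dst": m.group("dst"),
            "source_matches": matches, "hint": hint}

def diagnose_log(lines):
    """Run diagnose() over many messages and keep only the findings."""
    return [f for f in (diagnose(l) for l in lines) if f is not None]

SAMPLE_LOG = [
    # Message quoted in the article (\u2013 is the en dash it contains).
    "TCP connection dropped - 10.50.161.120, 1291, LAN \u2013 10.50.161.113, 4043, LAN - TCP iMesh",
    # Constructed: drop from the configured server itself.
    "TCP connection dropped - 10.50.161.119, 1302, LAN - 10.50.161.113, 4043, LAN - TCP iMesh",
    # Constructed: drop on another port, and an unrelated message.
    "TCP connection dropped - 172.16.4.2, 50211, WLAN - 10.50.161.113, 443, LAN - TCP HTTPS",
    "Web management request allowed",
]

if __name__ == "__main__":
    for finding in diagnose_log(SAMPLE_LOG):
        print(f"{finding['src']} -> {finding['dst']}:{AUTH_PORT}  {finding['hint']}")
```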