Sophos Connect Client with OTP

Hi,

I like the new feature of a free IPsec client introduced with 17.5. As far as I know the CPU load of IPsec VPN on the gateway is much lower. I have just tested it and I experienced one issue which somebody else might have discovered.

Sophos Connect client without OTP for local user authentication: working fine, connection established quickly and network behind XG reachable.

Then I activated OTP for the user on the XG and re-configured the connection with Sophos Connect Admin, simply activated "Prompt for 2FA": Unfortunately it does not connect, an authentication error occurs. Checking the VPN log I found all entries comparable until an authentication is logged:

[IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.

Of course without OTP the authentication at that point is successful. Anyone who has successfully used Sophos Connect client with OTP?

BTW: Use of OTP with SSL VPN was successful, the OTP has to be added directly to the password. So it can't be a problem with OTP in general.

Cheers
Dirk

  • Hi Dirk,

    It does work with OTP, first you would need to enable for IPsec Remote access which is enabled by default. Then simply use Sophos Authenticator and sync with QR code in the user portal. 

    The configuration file is the same for all users which is downloaded from admin web console along with the setup. Enter the username and password (password + otp).

    Refer KBA-> community.sophos.com/.../125228

  • In reply to Aditya Patel:

    This should not be the suggested answer as it does not address what's being experienced. The OTP is set up fine and we use it extensively for the "legacy" SSL VPN client without issues, and OTP authenticates fine with the user portal.

     

    When using Sophos Connect with customized config file to prompt for MFA the code does not work. Once we load a config that does not prompt for OTP it works perfectly fine.

     

    Either there is a bug with Sophos Connect not accepting OTP or Dirk and I are missing something.

     

    Please Help! :)

  • In reply to Brad Dworkin:

    Brad is absolutely correct, my tests with the same user on an XG also show:

    • SSL VPN with OTP working fine (OTP code entered directly after the password)
    • Sophos IPsec client without OTP working fine
    • Sophos IPsec client with OTP not working (config file adjusted by means of Sophos Connect Admin: activated prompt for 2FA)

    @Aditya: Thanks for your reply! I am familiar with activating OTP since I am using it for SSL VPN with my customers. I re-checked and also followed the guidelines from here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

    But I still do end up with an authentication error ([IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.)

    Any idea or suggestion?

    Dirk

  • In reply to Dirk Sterzenbach:

    Hello Dirk,

     

    Was checking this thread and I wanted to know if the problem with OTP and Sophos Connect got resolved? Please let me know.

     

    Ramesh

  • In reply to rmk_2018:

    Hi Ramesh.

    I'm on a business trip these days, but I will revert when I have re-checked the issue after the new SFOS release 17.5.3. I guess I saw some remarks about a new version of the Sophos Connect client with this release.

    Cheers Dirk

  • In reply to Dirk Sterzenbach:

    Hello Dirk,

     

    The current release of Sophos Connect is 1.2. This release is available for download with any version of v17.5.x. So please download the latest version of Sophos Connect and provide feedback if it worked for you.

    Ramesh

  • In reply to rmk_2018:

    Sadly, problem still exists. We love the way this looks and deploys but cannot deploy out into wild with today's security landscape if OTP does not work. It's disappointing this still is not addressed.

  • In reply to Brad Dworkin:

    Anyone out there able to confirm yet if Sophos Connect VPN is compatible with OTP?   In the process of rolling out new VPN on 17.5.  Thanks

  • In reply to momentum:

    Hello All,

    Yes, it is confirmed that Sophos Connect VPN is compatible with OTP. If you are using OTP with the .tgb file then you enter passwordOTP with NO comma or space between the password and the OTP. The two are entered as a single string.

     

    If you are using Sophos Connect Admin to configure the policy, then you will get a separate prompt for the OTP.

     

    Please let us know after you give that a try.

    Ramesh

  • In reply to rmk_2018:

    I challenge that response. While it may be listed as supporting OTP, it clearly is not functioning correctly. Whether I try via .tgb or with the OTP prompt it fails. It works great without it and of course on the classic SSL VPN.

  • In reply to Brad Dworkin:

    Hello Brad,

    I think there is some configuration or user error because I have rechecked user authentication by connecting Sophos Connect with multiple XG gateways and it works. 

    Ramesh

  • In reply to rmk_2018:

    Setup of Sophos Connect + OTP on XG330_WP02_SFOS 17.5.3 MR-3 worked out great. AD user on a Win7 laptop running the Sophos Connect VPN client + Sophos Authenticator app on an iOS device. No problems here so far.

  • In case it helps others, I found that OTP for Sophos Connect did not work if I had enabled Sophos Connect before I enabled OTP. I had the same experience as the OP - the code would validate on the firewall (when configuring/checking time offset) but would not validate in the VPN client. I reset the Sophos Connect configuration on the firewall and recreated it with OTP already enabled - and it worked immediately afterwards.

  • In reply to DavidRa:

    Hello David,

     

    We have released Sophos Connect 1.3 EAP1. Please upgrade and try it out.

     

    Ramesh

  • In reply to rmk_2018:

    Hi Ramesh,

     

    I have exactly the same issue and tried all options as described in this topic, however no success. 

    Steps taken:

    Enabled multi-factor (with Google Authenticator)
    Recreated the Connect client configuration
    Tested with the default settings (so no multi-factor) --> no issues
    Tested with adding the code behind the password, doesn't work
    Tested with the changed config through the admin (to type the code separately), doesn't work
    Downloaded the new client (Mac version) and tried all of the above, same results

    Maybe I'm missing some setting, but I'm lost, maybe you can help.
    (PS: when logging on to the portal itself, multi-factor is working)

    Thanks,

    Johan