I like the new feature of a free IPSEC client introduced with 17.5. As far as I know the CPU load of IPSEC-VPN on the gateway is much lower. I have just tested it and I experienced one issue which somebody else might have discovered.
Sophos Connect client without OTP for local user authentication: working fine, connection established quickly and network behind XG reachable.
Then I activated OTP for the user on the XG and re-configured the connection with Sophos Connect Admin, simply activated "Prompt for 2FA": unfortunately it does not connect, an authentication error occurs. Checking the VPN log I found all entries comparable until an authentication is logged:
[IKE] <IPSEC_VPN | 10> Xauth authetication of 'user' (myself) failed.
Of course without OTP the authentication at that point is successful. Has anyone successfully used Sophos Connect client with OTP?
BTW: Use of OTP with SSL VPN was successful, the OTP has to be added directly to the password. So it can't be a problem with OTP in general.
It does work with OTP; first you would need to enable it for IPsec remote access, which is enabled by default. Then simply use Sophos Authenticator and sync with the QR code in the user portal.
The configuration file is the same for all users and is downloaded from the admin web console along with the setup. Enter the username and password (password + OTP).
Refer to KBA: community.sophos.com/.../125228
In reply to Aditya Patel:
This should not be suggested answer as it does not address what's being experienced. The OTP is setup fine and we use it extensively for the "legacy" SSLVPN client without issues and OTP authenticates fine with user portal.
When using Sophos Connect with customized config file to prompt for MFA the code does not work. Once we load a config that does not prompt for OTP it works perfectly fine.
Either there is a bug with Sophos Connect not accepting OTP or Dir and I are missing something.
Please Help! :)
In reply to Brad Dworkin:
Brad is absolutely correct, my tests with the same user on a XG also shows:
@Aditya: Thanks for your reply! I am familiar with activating OTP since I am using it for SSL VPN with my customers. I re-checked and also followed the guidelines from here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html
But I still do end up with an authentication error ([IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.)
Any idea or suggestion?
In reply to Dirk Sterzenbach:
Was checking this thread and I wanted to know if the problem with OTP and Sophos Connect got resolved? Please let me know.
In reply to rmk_2018:
I'm on a business trip these days, but I will revert when I have re-checked the issue after the new SF-OS release 17.5.3. I guess I saw some remarks about a new version of Sophos Connect Client with this release.
The current release of Sophos Connect is 1.2. This release is available for download with any version of v17.5.x. So please download the latest version of Sophos Connect and provide feedback if it worked for you.
Sadly, problem still exists. We love the way this looks and deploys but cannot deploy out into wild with today's security landscape if OTP does not work. It's disappointing this still is not addressed.
Anyone out there able to confirm yet if Sophos Connect VPN is compatible with OTP? In the process of rolling out new VPN on 17.5. Thanks
In reply to momentum:
Yes, it is confirmed that Sophos Connect VPN is compatible with OTP. If you are using OTP with the tgb file then you enter passwordOTP with NO comma or space between the password and OTP. The two are entered as a single string.
If you are using Sophos Connect Admin to configure the policy, then you will get a separate prompt for the OTP.
Please let us know after you give that a try.
I challenge that response. While it may be listed as supporting OTP, it clearly is not functioning correctly. Whether I try via TGB or with the OTP prompt it fails. It works great without it and of course on the classic SSLVPN.
I think there is some configuration or user error because I have rechecked user authentication by connecting Sophos Connect with multiple XG gateways and it works.
Setup of Sophos Connect + OTP on XG330_WP02_SFOS 17.5.3 MR-3 worked out great. AD user on win7 laptop running the Sophos Connect VPN client + Sophos Authenticator app on an ios device. No problems here so far.
In case it helps others, I found that OTP for Sophos Connect did not work if I had enabled Sophos Connect before I enabled OTP. I had the same experience as the OP - the code would validate on the firewall (when configuring/checking time offset) but would not validate in the VPN client. I reset the Sophos Connect configuration on the firewall and recreated it with OTP already enabled - and it worked immediately afterwards.
In reply to DavidRa:
We have released Sophos Connect 1.3 EAP1. Please upgrade and try it out.
I have exactly the same issue and tried all options as described in this topic, however no success.
Enabled the multi factor (with Google Authenticator)
Recreated the Connect Client configuration
Tested with the default settings (so no multi factor) --> no issues
Tested with adding the code behind the password, doesn't work
Tested with the changed config through the admin (to type the code separately), doesn't work
Downloaded the new client (Mac version) and tried all of the above, same results
Maybe I'm missing some setting, but I'm lost, maybe you can help. (PS when logging on to the portal itself, multi factor is working)