Sophos Connect Client with OTP

Hi,

I like the new feature of a free IPSEC client introduced with 17.5. As far as I know, the CPU load of IPSEC VPN on the gateway is much lower. I have just tested it and I experienced one issue which somebody else might have discovered.

Sophos Connect client without OTP for local user authentication: Working fine, connection established quickly and network behind XG reachable.

Then I activated OTP for the user on the XG and re-configured the connection with Sophos Connect Admin, simply activated "Prompt for 2FA": Unfortunately it does not connect, an authentication error occurs. Checking the VPN log I found all entries comparable until an authentication is logged:

[IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.

Of course without OTP the authentication at that point is successful. Anyone who has successfully used Sophos Connect client with OTP?

BTW: Use of OTP with SSL VPN was successful, the OTP has to be added directly to the password. So it can't be a problem with OTP in general.

Cheers
Dirk
  • Hi Dirk,

    It does work with OTP. First you would need to enable it for IPsec Remote access, which is enabled by default. Then simply use Sophos Authenticator and sync with the QR code in the user portal.

    The configuration file is the same for all users and is downloaded from the admin web console along with the setup. Enter the username and password (password + otp).

    Refer to KBA -> community.sophos.com/.../125228

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

  • This should not be the suggested answer as it does not address what's being experienced. The OTP is set up fine and we use it extensively for the "legacy" SSLVPN client without issues, and OTP authenticates fine with the user portal.

    When using Sophos Connect with a customized config file to prompt for MFA, the code does not work. Once we load a config that does not prompt for OTP it works perfectly fine.

    Either there is a bug with Sophos Connect not accepting OTP or Dirk and I are missing something.

    Please Help! :)

  • Brad is absolutely correct, my tests with the same user on an XG also show:

    • SSL VPN with OTP working fine (OTP code entered directly after the password)
    • Sophos IPSec Client without OTP working fine
    • Sophos IPSec Client with OTP not working (config file adjusted by means of Sophos Connect Admin: activated prompt for 2FA)

    @Aditya: Thanks for your reply! I am familiar with activating OTP since I am using it for SSL VPN with my customers. I re-checked and also followed the guidelines from here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

    But I still end up with an authentication error ([IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.)

    Any idea or suggestion?

    Dirk

  • Hello Dirk,

    Was checking this thread and I wanted to know if the problem with OTP and Sophos Connect got resolved? Please let me know.

    Ramesh