

MFA for SSL VPN but not for Captive Portal

Hi, 

We have enabled MFA for our SSL VPN users, however that has meant that it has been enabled for the Captive Portal as well. We really do not want to have users authenticate to the captive portal with MFA; in fact we would really prefer an SSO solution, since we get many tickets generated by users struggling to log in to the Captive Portal when we reboot the firewall after upgrades.

We have implemented STAS and everything seems to be working.  All tests when we query workstations are successful, we see live users populate etc.  However users are still being forwarded to captive portal.  We opened a ticket but the tech wasn't sure if STAS works with MFA.  

Any help would be greatly appreciated.  



  • Hi Levent Onen,

    Please navigate to CONFIGURE ---> Authentication ---> Multi-factor authentication and check the Multi-factor authentication (MFA) settings.

    If you have enabled One-time password (OTP) for all the users you have to authenticate all the users with MFA

    You can select "No OTP", click Apply, and check whether that resolves your issue:

    Hope this resolves your issue.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • OTP should not conflict with internal firewall authentication.
    If you disable "Use web authentication for unknown users" in FW-Rule and users are still not recognized, STAS will not work properly.

    Disabling 2FA cannot be the solution.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • STAS does not do MFA.

    Captive Portal does use MFA. The firewall considers Captive Portal as User Portal, which will always be active for MFA.


  • Thanks for the suggestion but as clearly stated in my original post we did enable OTP and we would like to keep it.  We do not want to use OTP for internal authentication to the firewall.  

  • OK I understand captive is considered user and needs MFA if enabled.  

    My question is, if MFA is enabled, can't we use STAS to authenticate us to the firewall, avoiding the captive portal altogether?

    In summary: 

    1/ We want to enable MFA and use it for SSL VPN and User portal. 

    2/ We want to authenticate users seamlessly using STAS when they are inside the local environment. 

    Thanks.