Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 1590 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

2FA + CAA on Linux or MacOS clients - poor usability

LHerzog

Hello,

we have Linux with Sophos Antivirus and MacOS Clients with Intercept X installed.

On the firewall we have many rules with userauthentication (and heartbeat) required.

We enabled 2FA for many users to secure our SSL VPN.

The users are required to authenticate against the firewall.

Windows machines have (almost) no issues as Intercept-X does the heartbeat and userauthentication.

Linux Clients and Mac Clients need to use CAA. CAA apparently authenticates against the user portal. That has the big disadvantage that 2FA is required, because user portal requires 2FA.

On Linux clients it is a real pain because the credentials need to be stored in a file on the disk, including 2FA. After authentication with CAA, the credentials in the file will be encrypted.

When a Mac Clients is connected to WiFi and runs on battery, is locked and enters sleep mode, is unlocked it would normally re-authenticate with CAA  authomatically - but because 2FA is required, the OTP code used before is now invalid, the user needs to reauthenticate the full
process manually with CAA. At least with a GUI.

Same for linux - a config file and a binary that needs to be run on a terminal.

We need to split CAA authentication from 2FA.

Combining user authentication and CAA with the user portal is a PIA, this need a dedicated service.



This thread was automatically locked due to age.
  • 0

    Hi : You may check with your partner and SE for this Feature Request, so they may represent your use case to the PM team and may add a vote on existing FR (SFSW-I-1182).

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Vishal_R

    Hi,

    Vishal I did that.

    I guess nobody, probably not even at Sophos ever used Linux in combination with user authentication against a firewall with CAA and 2FA.

    To store the password together with the 2FA code in a text file each time you authenticate - that is simply poor.

    Our users scripted that to automate that a little bit. You could hire one of them to improve the Sophos CAA for Linux.

  • 0 in reply to LHerzog

    One of the core viewpoints by Sophos right now is, Linux is one of the systems, we are seeing as a Server OS, not a Client OS. Therefore many of the systems in place right now are build for the server parts. 

    One of the points to tackle this in the future would be to migrate to a browser based approach and using something like captive portals and other tools. But right now, you will see some difficulties in the systems by using a client based linux system. 

    The market reflected most likely this by switching to MacOS. So most developers, if they want to use linux, they fallback to MacOS. Because linux is a nightmare in general to "administrate in a secure manner". 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thank you LuCar for your input here. I already received an answer from one of your SE colleagues. So it's unfortunately most unlikely that there will be changes to CAA authentication in the future.

    In our use case here, we don't need 2FA for CAA Auth. But as long as CAA uses the userportal (that is what we think it does, although contacts to 1.2.3.4 IP Address) customers will be required to do 2FA against it. On the other hand, Windows clients do not need 2FA for user authentication by intercept-X Client.

    This difference in Sophos authentication between the two (or three) OS makes not so much sense to us.

Unfiltered HTML