Sophos SSL-VPN with MFA client password save

Hi Vivek,

Indeed, this is the behaviour. Clients see the "save credentials" option and they want to use it, but it always fails since the OTP is expired after the first time.

You post states that: "This is a known issue". Is this issue also being addressed and is there any perspective on a change?

An ability to separately enter the OTP would be a good solution.

Looking forward,
Niels

Hi Vivek,

Indeed, this is the behaviour. Clients see the "save credentials" option and they want to use it, but it always fails since the OTP is expired after the first time.

You post states that: "This is a known issue". Is this issue also being addressed and is there any perspective on a change?

An ability to separately enter the OTP would be a good solution.

Looking forward,
Niels

I am afraid as of now this is a known behavior, it available here - https://docs.sophos.com/support/kil/index.html > Choose your product: Sophos Connect - ID - NCL-1391

Thanks, guess we have to start looking for third party clients.

Hi Niels,

I think there is a misunderstanding here. Vivek Jagad  Talks about the first time connect when there are two separate logons, first to to the userportal and second to the vpn. The second fails with the first otp.

You have a differnt problem, after entering username, password+OTP your clients select save username and password, but this is with OTP.

So the password say "password123456" is saved and that will not work the next time they logon.

You can solve this. The Sophos Connect client is able to show a separate OTP field, so there will be a username filed, password field, and a OTP field. saving user+passwd will work then.

The problem here is, how to add the OTP field?

When you use a provision file .pro it easy just add "otp": true,

[
{
"display_name": "Name of VPN",
"gateway": "ip or dns",
"user_portal_port": 4443,
"otp": true,
"2fa": 0,
"can_save_credentials": true,
"check_remote_availability": false,
"run_logon_script": false
}
]

Edit the fields with your info and save as name.pro import (ore just double click) this in the client. Using this method has some other nice benefits to.

With the config file from the userportal this not passible as far as i know.

Maybe someone from staff knows? LuCar Toni 

Succes!

Bart

Hi Bart,

Thanks! This was exactly what I needed, I will start testing this.

Looking forward to a reply from Sophos staff about efficient deployment. I have to do 100+ accounts and only a few of them are managed by AD.

Thanks for keeping this topic alive, kind regards,

Niels