

Unsatisfactory implementation of provisioning + OTP in Sophos Connect client

Unfortunately, I found the following problems regarding OTP + SSL VPN (for me the provisioning feature is pretty useless because of them):

General:

- Users without a (manual) first login (without an existing OTP) are not supported -> no login is possible without OTP if OTP is activated in the client -> provisioning not usable (if the user has to log in to the user portal first, why should I use the provisioning?)
- Why is the QR code not just shown in the client on first login?

Provisioning with OTP:

- a user (who already has OTP) cannot use provisioning without an error on first login:
the client logs in to the user portal, gets the config, and directly after (!) the client tries to connect to the new SSL VPN -> login fails IN ANY CASE (as the name says, an OTP can be used only one time); the client does (2) logins with provisioning (download the config and log in again for the connection) -> did the DEVs ever test this?

- LOG during provisioning -> user portal logon OK + SSL VPN failed (within a few seconds)

- no option to configure the client to "do just one login and download the config without immediate connection"

- I cannot tell the user "use the provisioning and log in, just ignore the error message, but when you have a new OTP after 30 sec. you can connect"

- it is not possible to use the user portal without OTP and SSL VPN with OTP (or vice versa) -> provisioning (user portal + SSL VPN connection) can only use OTP for all or nothing


Version 2.2.90.1104 / XGS 19.5

Provisioning File:

[
  {
    "gateway": "vpn.gate.xxxxxx",
    "user_portal_port": 443,
    "otp": true,
    "2fa": 1,
    "can_save_credentials": true,
    "auto_connect_host": false,
    "check_remote_availability": false,
    "run_logon_script": false
  }
]
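An added illustration, not part of the original post or of Sophos's own code, of why the second login in this sequence fails: a minimal RFC 6238 TOTP verifier that refuses to accept the same code twice within its time step, driven through the two-login provisioning sequence described above (portal logon, then an immediate VPN connect with the same code). The secret, user name and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # TOTP time-step length in seconds (RFC 6238 default)

def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time-step counter."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server side: accept a given code at most once per user and time step."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window          # tolerate +/- this many steps of clock skew
        self.last_counter = {}        # user -> counter of the last accepted code

    def verify(self, user: str, code: str, now: float) -> bool:
        counter = int(now // STEP)
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                if c <= self.last_counter.get(user, -1):
                    return False      # this step already consumed: replay rejected
                self.last_counter[user] = c
                return True
        return False                  # no code in the window matched

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_flow(verifier: OtpVerifier, user: str, now: float):
    """The two logins the post describes: user portal logon, then an SSL VPN
    connect a few seconds later that reuses the same OTP."""
    code = totp(verifier.secret, int(now // STEP))
    portal_ok = verifier.verify(user, code, now)
    vpn_ok = verifier.verify(user, code, now + 3)
    return portal_ok, vpn_ok

def retry_with_next_code(verifier: OtpVerifier, user: str, now: float) -> bool:
    """Waiting one step and entering the freshly generated code succeeds."""
    later = now + STEP
    return verifier.verify(user, totp(verifier.secret, int(later // STEP)), later)
```

With a replay-rejecting verifier the result is exactly the log pattern in the post: portal logon OK, VPN login failed seconds later, success only once a new code exists.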
