Sophos Connect: MFA box parameter in .ovpn files?

Is there any way to activate the MFA box at login in Sophos Connect directly in a .ovpn config (no provisioning)?

I guess with provisioning the firewall will also only create a .ovpn config with a parameter for MFA.
client
dev tun
proto udp
verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_R3i4MjKOeECloSs, emailAddress=na@example.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
....
</key>
auth-user-pass
cipher AES-128-GCM
auth SHA256
comp-lzo no
;can_save no
;otp no ???
;run_logon_script no
;auto_connect
route-delay 4
verb 3
reneg-sec 0
remote xxxxxxxxxx 443
explicit-exit-notify
Added TAGs
[edited by: Erick Jan at 2:26 PM (GMT -7) on 22 Mar 2024]
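Added example (not from the original post, Sophos, or the Sophos Connect client): a small parser for the profile format shown above. It splits a .ovpn into active OpenVPN directives, inline `<ca>`-style blocks, and the `;`-prefixed lines, which OpenVPN itself ignores as comments and which are assumed here to be Sophos Connect client-side hints, as the posted profile suggests. It then reports what the profile says about credential prompting, and can rewrite a `;` hint so a changed profile can be tested in the client. The sample profile, its placeholder certificate and the remote host `vpn.example.com` are constructed; whether Sophos Connect honours OpenVPN's standard `static-challenge` directive is an assumption, not something the thread establishes.

```python
"""Parser and checker for OpenVPN .ovpn profiles of the kind Sophos Connect imports.

Added example, not code from the thread or from Sophos. Assumptions are marked.
"""
import re
import shlex
from typing import Dict, List, Tuple

Directives = List[Tuple[str, List[str]]]

# Constructed sample modelled on the profile posted in the question. The inline
# certificate material is a placeholder and the remote host is invented.
SAMPLE_OVPN = """\
client
dev tun
proto udp
verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_R3i4MjKOeECloSs, emailAddress=na@example.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
auth-user-pass
cipher AES-128-GCM
auth SHA256
comp-lzo no
;can_save no
;otp no
;run_logon_script no
;auto_connect
route-delay 4
verb 3
reneg-sec 0
remote vpn.example.com 443
explicit-exit-notify
"""

BLOCK_OPEN = re.compile(r"^<([a-z0-9-]+)>$")


def parse_ovpn(text: str) -> Tuple[Directives, Dict[str, str], Dict[str, List[str]]]:
    """Return (directives, inline blocks, ';' hints) for a profile.

    directives: active OpenVPN lines as (name, args), quoted args kept whole.
    blocks:     body text of <name> ... </name> inline sections.
    hints:      ';name args' lines. OpenVPN treats ';' as a comment; the posted
                profile suggests Sophos Connect reads them (assumption).
    """
    directives: Directives = []
    blocks: Dict[str, str] = {}
    hints: Dict[str, List[str]] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            name = m.group(1)
            body: List[str] = []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{name}> block")
            i += 1  # skip the closing tag
            blocks[name] = "\n".join(body)
            continue
        if line.startswith(";"):
            parts = shlex.split(line[1:])
            if parts:
                hints[parts[0]] = parts[1:]
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives, blocks, hints


def mfa_report(directives: Directives, hints: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise what the profile says about credential and second-factor prompting."""
    last = dict(directives)  # last occurrence of a directive wins
    return {
        # Without auth-user-pass the client never asks for a username/password.
        "prompts_for_credentials": "auth-user-pass" in last,
        # static-challenge is OpenVPN's own way to request a second factor (the
        # client appends the response to the password). Whether Sophos Connect
        # honours it is an assumption, not established in the thread.
        "openvpn_static_challenge": last.get("static-challenge"),
        # The ';otp' hint the question asks about; None means the line is absent.
        "sophos_otp_hint": hints.get("otp"),
        # reneg-sec 0 only disables client-initiated renegotiation; the server's
        # own reneg-sec still forces a re-key, after which a fresh OTP is needed.
        "client_renegotiation_disabled": last.get("reneg-sec") == ["0"],
    }


def with_hint(text: str, name: str, *values: str) -> str:
    """Return a copy of the profile with ';name values' set, replacing an existing line."""
    new_line = ";" + " ".join([name, *values])
    out, replaced = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(";") and shlex.split(stripped[1:])[:1] == [name]:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    d, b, h = parse_ovpn(SAMPLE_OVPN)
    print("blocks:", sorted(b))
    print("hints:", h)
    print("report:", mfa_report(d, h))
    print(with_hint(SAMPLE_OVPN, "otp", "yes"))
```

The parser keeps quoted arguments such as the `verify-x509-name` subject intact and refuses an unterminated inline block, which is the usual way a hand-edited profile breaks. `with_hint` only edits the `;` line; it makes no claim that `;otp yes` is what the client expects, so the output is a profile to try in Sophos Connect, not a confirmed setting.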
  • Yes, I'd certainly like to hear about this being fixed too... it's been a problem for quite a while.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Same here; would love to have this fixed. We have written in our manual that on first connect after importing the .pro file it is always necessary to connect twice because of this.

    Another time where sort of the same thing is happening is when the VPN connection drops due to the key lifetime expiring. Upon renewing the key the client cannot reconnect anymore due to the MFA token.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • So the main issue here is: SFOS does not support reusing the same OTP, for security reasons.

    That is the main limitation here --> We are looking into how to proceed here. That was also the reason for the KIL above. Reusing the same OTP for this reason could be problematic. 

    We are still looking into ways to build this. 

    __________________________________________________________________________________________________________________