Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect: MFA box parameter in .ovpn files?

Is there any way to activate the MFA box at login in Sophos Connect direct in a .ovpn config (no provisioning)?

I guess with provisioning the firewall will also only create a .ovpn config with a parameter for MFA.




client
dev tun
proto udp
verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_R3i4MjKOeECloSs, emailAddress=na@example.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
....
</key>
auth-user-pass
cipher AES-128-GCM
auth SHA256
comp-lzo no
;can_save no
;otp no ???
;run_logon_script no
;auto_connect
route-delay 4
verb 3
reneg-sec 0
remote xxxxxxxxxx 443
explicit-exit-notify



This thread was automatically locked due to age.
  • Yes, I'd certainly like to hear about this being fixed too... it's been a problem for quite a while.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Same here; would love to have this fixed. We have written in our manual that on first connect after importing .pro file is is always necessary to connect twice because of this.

    Another time where sort of the same thing is happening is when the VPN-connection drops due to the key lifetime expring. Upon renewing the key the client cannot reconnect anymore due to MFA-token


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • So the main issue here is: SFOS does not support the same OTP for secure reasons. 

    That is the main limitation here --> We are looking into how to proceed here. That was also the reason for the KIL above. Reusing the same OTP for this reason could be problematic. 

    We are still looking into ways to build this. 

    __________________________________________________________________________________________________________________