Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

disable MFA for captive portal

Referring to this thread discussion.  MFA on web authentication 

When this setting is used, MFA is not prompted for client VPN users. VPN users can login with username and password only. No MFA required.

When "No OTP" is changed to "Specific Groups" MFA is asked for both captive portal and VPN users.

How to enable MFA for VPN users alone, not for captive portal users.



This thread was automatically locked due to age.
Parents
  • Hi  With the option"Generate OTP token with next sign-in" enabled, it will auto-enable the MFA check box in the user portal, so the end user may sign in to the VPN or user portal and scan the QR code using the authenticator app and this process will auto Generate OTP token for that respective user.

    As per the current working design, once MFA is enabled for the User Portal, it will auto-enable MFA for the Captive portal and CAA (client authentication agent) authentication-based methods. (This is a kind of hard-coded setting).

    So if you opt to turn off the automatic creation of OTP tokens which will allow you to uncheck "User Portal" from MFA settings, you must be required to configure OTP tokens manually for all users under "Issued tokens" for which you want MFA  over VPN.



    Another possibility I can think of is to leave the previous settings as it is until all users login 1st time to the user portal or VPN portal to scan the QR code to generate the OTP token automatically and once this is done by all users you may disable the MFA for the user portal..! 

    However, if you want an option where enabling MFA on the user portal should not enable MFA for the Captive portal and CAA then that will be a kind of feature request as mentioned in a previous comment by my colleague  !

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Hi  With the option"Generate OTP token with next sign-in" enabled, it will auto-enable the MFA check box in the user portal, so the end user may sign in to the VPN or user portal and scan the QR code using the authenticator app and this process will auto Generate OTP token for that respective user.

    As per the current working design, once MFA is enabled for the User Portal, it will auto-enable MFA for the Captive portal and CAA (client authentication agent) authentication-based methods. (This is a kind of hard-coded setting).

    So if you opt to turn off the automatic creation of OTP tokens which will allow you to uncheck "User Portal" from MFA settings, you must be required to configure OTP tokens manually for all users under "Issued tokens" for which you want MFA  over VPN.



    Another possibility I can think of is to leave the previous settings as it is until all users login 1st time to the user portal or VPN portal to scan the QR code to generate the OTP token automatically and once this is done by all users you may disable the MFA for the user portal..! 

    However, if you want an option where enabling MFA on the user portal should not enable MFA for the Captive portal and CAA then that will be a kind of feature request as mentioned in a previous comment by my colleague  !

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Children