enable 2FA with local administrators

Hi mohammed kassouat ,

Thank you for reaching out to the community, you can enable for Multi-factor authentication (MFA) for default admin, You can also refer the Profile Management for Device Access in Sophos Firewall, and Configure MFA with an authenticator app.

Hi Vivek,

Thank you for your previous response.

To clarify my situation further, I've created three new local user accounts and assigned them the administrator group. The default admin account remains untouched and serves as a backup.

My current concern:

Enabling MFA with token generation for the new admin users results in a "Login failed" error when they try to log in with their credentials.

My Questions:

1. Does using MFA require a separate license on Sophos Firewall? From my understanding, it shouldn't.
2. Could there be specific configuration steps for local users with MFA? The documentation I reviewed might not have addressed this scenario clearly.

Request:

I'd appreciate any insights or troubleshooting tips you can offer to resolve this login failure issue specifically with the newly created local admin users and MFA.

Thanks,

Hi mohammed kassouat The user/administrator for which MFA is enabled must enter the password in <password><passcode> format.  So if this is getting followed correctly by end users while entering the password but still it is giving login failed then try to "Synchronize token time offset" once and see how it goes.

For "Synchronize token time offset" steps are given in the below help section:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/OneTimePassword/index.html#actions

If any of the above steps not helping then access_server service (Authentication service) debug logs will give some clue. 

The command for service debug start (the same command can be used to revert service from debug):

#service access_server:debug -ds nosync (sync in HA)

To check and confirm the status of access_Server service is in debug or not:

#service -S | grep "access_server"

If no clue from logs or want to review more then I would suggest opening a support case to drive it further.