
enable 2FA with local administrators

Hi team,

I'm reaching out regarding an issue I'm encountering while setting up Multi-Factor Authentication (MFA) with tokens on our Sophos Firewall.

  • I have three administrators on the firewall.
  • I've enabled the "Generate OTP token with next sign-in" option for MFA.
  • However, when administrators try to log in with their usernames and passwords, they receive a "Login failed" error.

  • Hi Vivek,

    Thank you for your previous response.

    To clarify my situation further, I've created three new local user accounts and assigned them the administrator group. The default admin account remains untouched and serves as a backup.

    My current concern:

    Enabling MFA with token generation for the new admin users results in a "Login failed" error when they try to log in with their credentials.

    My Questions:

    1. Does using MFA require a separate license on Sophos Firewall? From my understanding, it shouldn't.
    2. Could there be specific configuration steps for local users with MFA? The documentation I reviewed might not have addressed this scenario clearly.

    Request:

    I'd appreciate any insights or troubleshooting tips you can offer to resolve this login failure issue specifically with the newly created local admin users and MFA.

    Thanks,

  • Hi, the user/administrator for whom MFA is enabled must enter the password in <password><passcode> format. So if this is being followed correctly by end users while entering the password but it still gives a login failed error, then try "Synchronize token time offset" once and see how it goes.

    The steps for "Synchronize token time offset" are given in the help section below:

    https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/OneTimePassword/index.html#actions

    If none of the above steps help, then the access_server service (authentication service) debug logs will give some clue.

    The command to start service debug (the same command can be used to revert the service from debug):

    #service access_server:debug -ds nosync (sync in HA)

    To check and confirm whether the access_server service is in debug or not:

    #service -S | grep "access_server"

    If there is no clue from the logs or you want to review further, I would suggest opening a support case to drive it further.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
