Client Authentication reports bad credential if OTP is enabled

I have enabled OTP on only one user (User Portal only) and it works great.

However, the Client Authentication agent stops working, saying "invalid credential". Disabling the OTP makes the Client Authentication agent work again.

Thanks

  • Hi Luk,

    I will test it and update soon.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi lferrara,

    While enabling OTP for the User Portal facility, it will include User Portal, Client Authentication Agent (CAA) and Captive Portal (web client).

    So I think you are trying to log in with CAA without an OTP code and may face this issue.

    We got feedback to have a separate option for each of these facilities under OTP settings, but currently they are combined under the User Portal facility.

    Regards,

    Sneha

  • Thanks Sneha,

    I am using Sophos Client Authentication for Mac and OTP cannot be configured/integrated. The same happens for Captive Portal. Anyway, you should separate OTP for each service's authentication and let the customers decide which one to enable.

    Thanks

  • Do not forget that an integration between OTP and Network Agent for mobile is needed. If OTP is enabled on a user who also uses a company mobile, an exception is needed in this case because Network Agent will stop working. You could allow both Network Agent and Authenticator on the same mobile to talk, so OTP can be used safely even from mobile.

    In some installations, OTP cannot be excluded even on mobile.

  • Sneha,

    I am on v16 GA and enabling OTP on User Portal will not disconnect the CAA. Can you confirm that?
    Anyway, the options under OTP are still the same ones (I do not see CAA or Captive Portal check boxes).

    Thanks

  • Hi Sachin,

    Replicated on GA v16: once OTP is enabled I cannot use the client authentication at all, with or without a code. Even after disabling OTP I had some residual effects for up to a minute where my credentials were still not valid for WebAdmin login and the client auth would hang.

    Emile

  • When I opened this thread, after enabling the OTP, my CAA stopped working. This time, CAA continued to work until I closed it (rebooted the computer, etc.).

    I thought the bug was fixed... instead something has been improved but not fixed yet. :(

  • Hi all,

    Resolved the issue for myself, you have to enable OTP by clicking the Settings button on the OTP tab and flicking the switch for One-Time Password:

    After doing that my Client Auth Agent works perfectly fine again :)

    Note: You will have to uncheck "save your password", as it will include the OTP creds, which will be invalid after 30 seconds/one use.

    Edit extra: Also noticed that if you disable your token but don't disable the OTP switch, your OTP requirement will still be enforced but your OTP codes will not be valid. Something to note? Shouldn't switching off your token disable it for your user, or do you have to switch off enforcement for all users/just that user, and does disabling the token only remove that token as usable for the user?

    Emile

  • Emile this is a workaround and not the solution. CAA does not work if it is set to save password.

    Even if it is not safe to save passwords, customers want to remember as few passwords as possible, and entering the password at each login is annoying. This is still a bug; in fact Sachin or Prateek have not yet answered that it is fixed.

    Thanks for your help!

  • Hi Luk,

    I understand your point but saving passwords should not be part of a security scope where One Time Passwords would be enforced.

    CAA will not work by saving passwords with the first-time use of the OTP; that's not a bug, that's saved-password functionality. This is not a workaround.

    Emile
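The saved-password behaviour Emile describes in the two posts above, as an added illustration that is not part of this thread or of Sophos' own code: an RFC 6238 TOTP verifier (30-second step and 6 digits assumed; the UTM's exact parameters are not stated here) that consumes each code once, so a stored "password + code" credential succeeds on first use and is rejected when replayed or after the window expires. The secret and password are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP window (RFC 6238 default; the thread's "30 seconds")
DIGITS = 6    # code length; assumed, not stated in the thread

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpVerifier:
    """Server side: expects 'password' + 6-digit code and consumes each code once."""

    def __init__(self, password: str, secret_b32: str):
        self.password = password
        self.secret = secret_b32
        self.last_counter = -1                    # newest TOTP window already used

    def login(self, credential: str, unix_time: int) -> bool:
        if len(credential) <= DIGITS:
            return False
        password, code = credential[:-DIGITS], credential[-DIGITS:]
        if not hmac.compare_digest(password, self.password):
            return False
        counter = unix_time // STEP
        # Tolerate one step of clock drift, but never accept a window already consumed.
        for c in (counter, counter - 1):
            if c > self.last_counter and hmac.compare_digest(code, totp(self.secret, c * STEP)):
                self.last_counter = c
                return True
        return False

def saved_credential_replay(secret_b32: str, password: str, start: int) -> list:
    """Client saved 'password+code' at `start`; returns [first use, replay +5 s, replay +60 s, fresh code +60 s]."""
    server = OtpVerifier(password, secret_b32)
    saved = password + totp(secret_b32, start)
    return [
        server.login(saved, start),                                         # True: first use
        server.login(saved, start + 5),                                     # False: same window, already consumed
        server.login(saved, start + 60),                                    # False: window expired
        server.login(password + totp(secret_b32, start + 60), start + 60),  # True: fresh code
    ]
```

The same check that makes a replayed credential fail is what a client that silently re-sends a stored password+code hits on every reconnect, which is why the agent reports the credential as invalid rather than prompting again.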