Client Authentication reports bad credential if OTP is enabled

Hi Luk,

I will test it and update soon.

Thanks

Hi Sachin,

Replicated on GA v16, once OTP is enabled I cannot use the client authentication at all, with or without a code. Even after disabling OTP I had some residual effects for up to a minute where my credentials were still not valid to Webmin login and the client auth would hang.

Emile

When I opened this thread, after enabling the OTP, my CAA stopped to work. This time, CAA continue to work until I closed it (reboot the computer, etc...).

I thought the but was fixed...instead something has been improved but not fixed yet. [:(]

Hi all,

Resolved the issue for myself, you have to enable OTP by clicking the Settings button on the OTP tab and flicking the switch for One-Time Password:

After doing that my Client Auth Agent works perfectly fine again :)

Note: You will have to uncheck save your password as it will include the OTP creds which will be invalid after 30 seconds/use.

Edit extra: Also noticed is if you disable your token but don't disable the OTP switch, your OTP requirement will still be enforced but your OTP codes will not be valid. AlanT, something to note? Shouldn't switching off your token disable it for your user or do you have to switch off enforcement for all users/just that user and just disabling the token only removes that token as usable for the user?

Emile

Emile this is a workaround and not the solution. CAA does not work if it is set to save password.

Even if it is not safe to save password, customers want to remember the least password possible and entering the password at each login is annoying. This is still a bug, in fact Sachin or Prateek did not answer yet as fixed.

Thanks for your help!

Hi Luk,

I understand your point but saving passwords should not be part of a security scope where One Time Passwords would be enforced.

CAA will not work by saving passwords with the first time use of the OTP, that's not a bug, that's saved password functionality. This is not a workaround.

Emile

Hi Luk,

I understand your point but saving passwords should not be part of a security scope where One Time Passwords would be enforced.

CAA will not work by saving passwords with the first time use of the OTP, that's not a bug, that's saved password functionality. This is not a workaround.

Emile

OTP should be available for different authentication mechanisms. It does not make sense that enabling user portal, it affects even CAA. So let us decide on which authentication process the OTP must be applied.

OTP is something that is needed externally and recommended internally.

Hi Luk,

As of now access server validates OTP password for User Portal, Captive Portal and CAA when OTP is enabled for the "User Portal" facilities.

I agree that we should be having separate Option to enable this facility. Taken in consideration under NC-10494.

Thanks

Thank you Sachin. The option must be separated...also it does not make sense that even Captive Portal won't work...

Please add a warning inside the XG (in the actual version until you fixed it) where the Admin enable the User Portal...OTP will be enabled even for .....Customers do not know if they do not contact the Sophos support or expert Partner. Mine is an advice.

Thanks

Hi All,

any news on it?

Thanks

Hi Luk,

No ETA yet.

Thanks

Sachin,

at the moment OTP is useless.