
Users cannot login with OTP

Hi,


We are using UTM software version 9.508-10

Our remote users must use OTP to create an SSL VPN connection through the Sophos SSL VPN Client.

This morning a user successfully logged in a number of times.

I had to create a new remote user.
After this is done the new user can successfully log in to the Userportal.
After this I set this user to use OTP.
When the user logs in to the userportal the QR code of the OTP token appears.
After scanning the code in the Sophos Authenticator app we continue the login.
Now when I log in to the userportal I get the error: wrong password/username, or access denied by policy.
When I log in through the VPN client I get no authentication.

When I disable OTP for this user I can successfully log in to the userportal and the VPN Client with only the user's password.

When I test this with other users I have the same problem :(
Even the user who could successfully log in earlier this morning can't authenticate using OTP.

Does somebody have a clue?



  • UTM does not prompt separately for the OTP code. The user is supposed to add it to the end of his password.

    For new users, User Portal allows one-time login (without OTP) to view the QR code. Once established, the portal requires password and pin concatenated.

    When a user gets a new phone, the preferred behavior is to use the OTP code from the old phone to log into User Portal and display the QR code for the new phone. But of course, this never happens. Instead, the one-time login can be re-enabled using WebAdmin... Authentication Services... OTP. Find the user in the list, and click the reset icon, which is an arrow running around in a circle. If the user is in your presence, you can click the info button ("i") on the right margin to display his OTP code from within WebAdmin.

    For WAF, I customized the login page to do a three-field login, which makes life easier for our users. UTM does not permit customizing the User Portal login.

  • Thanks for the answer Douglas,

    However, we got a wrong diagnosis.

    Further investigation tells us the problem is with one user's phone.

    We use the Sophos Authenticator and the Sophos soft token.

    This new user logged in at the userportal and scanned the QR code of his token.

    After that he was unable to login with OTP from his phone.

    Without OTP he was able to login with only his password.

    We scanned his soft token on another phone with the Sophos Authenticator installed and could successfully log on with OTP.

    We gave the user a new token without any success.

    We scanned a token of a user who has been logging in for a long time.

    On the phone of the new user we are unable to log on.

    It looks like the Sophos Authenticator or the phone of the new user is not working properly.

    This phone is a Huawei Y7.

    Does somebody have a clue?

  • Tokens depend on correct time of day, to keep the server and phone synchronized.

    • Does the phone show the correct time? Phones are normally set to synchronize time with the cellular network, but I think this can be overridden in settings. I have not tried this, but I would expect that if you put multiple phones side-by-side, the code rollover should change simultaneously on all of them (if they all have the correct time).

    • Does the server have the correct time of day, and is the time server successfully synchronizing with an external clock source?

    There are also parameters in the OTP setup to allow for clock skew, in particular "Maximum passcode offset".


  • DouglasFoster should be right.

    If you compare the number on the non working phone with the phone that is working you should see different numbers.

    Usually one of my first troubleshooting steps is to go in the management portal, scan the user's code with my phone and compare the numbers with him. Second step is to enter the number in the management portal to see if the number is recognized without any delay. If there is a delay the phone has either the wrong timezone, manual clock setting, wrong summer time, ... Resolve the issue on the phone and do not try to correct it by a time offset. Otherwise there is a high chance that the error comes back e.g. if the user switches from manual to automatic time setting.
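The two replies above (tokens depend on the clock, and a delayed or rejected code points at the phone's time setting rather than at the token) can be made concrete with a small time-based OTP model. The example below is added here and is not code from the thread, from Sophos or from the UTM product: it implements RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 and 30-second steps using the RFC's published test seed (a constructed demo value, not a real token), splits the concatenated "password + code" form that UTM expects, and verifies a code with a symmetric step window that plays the role of "Maximum passcode offset" (how UTM interprets that setting exactly is assumed, not taken from the thread). A diagnostic helper then searches a wider range to report how far the phone's clock is off, so a 3600-second result immediately suggests a timezone or daylight-saving mistake, while a few tens of seconds is ordinary drift.

```python
"""Added example: why a TOTP code from a phone with the wrong clock is rejected."""
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 SHA-1 test-vector secret, not a real token.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30          # TOTP time step used by the RFC test vectors
DIGITS = 6                 # length of the code the phone app displays


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // STEP_SECONDS)


def split_credential(submitted: str, digits: int = DIGITS):
    """UTM takes password and OTP concatenated in the password field.
    Return (password, code), or None if no trailing code is present."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def verify(seed: bytes, code: str, server_time: int, max_offset_steps: int = 1) -> bool:
    """Accept if the code matches any step within +/- max_offset_steps of the
    server's own clock (assumed model of UTM's 'Maximum passcode offset')."""
    base = server_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, base + d), code)
        for d in range(-max_offset_steps, max_offset_steps + 1)
    )


def find_clock_offset(seed: bytes, code: str, server_time: int, search_steps: int = 240):
    """Diagnostic only: search +/- search_steps (default 2 hours) around the
    server clock, nearest steps first, and return the phone's offset in seconds,
    or None. A whole multiple of 3600 s points at a timezone/DST setting."""
    base = server_time // STEP_SECONDS
    for d in sorted(range(-search_steps, search_steps + 1), key=abs):
        if hmac.compare_digest(hotp(seed, base + d), code):
            return d * STEP_SECONDS
    return None


if __name__ == "__main__":
    now = 1111111111                                  # server clock (RFC 6238 test time)
    good_phone = totp(DEMO_SEED, now)                 # phone in sync with the server
    slow_phone = totp(DEMO_SEED, now - 25)            # 25 s behind: previous step
    tz_wrong_phone = totp(DEMO_SEED, now + 3600)      # GMT+3 instead of GMT+2
    print("in sync :", verify(DEMO_SEED, good_phone, now))
    print("25 s off:", verify(DEMO_SEED, slow_phone, now))
    print("1 h off :", verify(DEMO_SEED, tz_wrong_phone, now))
    print("offset  :", find_clock_offset(DEMO_SEED, tz_wrong_phone, now), "s")
```

Running the script shows the in-sync and 25-second-late codes accepted and the one-hour-ahead code rejected, with the diagnostic reporting 3600 s. That matches the advice above: widening the offset window would mask the symptom, but fixing the phone's clock removes the cause.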

  • Hi,


    BeEF and DouglasFoster, you were both right.

    The user's phone displayed the right time; however, the setting was GMT+3 while we are in GMT+2. The difference of 1 hour was corrected by daylight saving time not being activated.

    The user is right back from a trip around the world and had not correctly set his time.

    So the time is set to automatic (using network) and the problem is solved.


    Thank you both very much

    Best regards,

    Peter Vroegop