Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 6 subscribers
  • Views 487 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MFA Failures

Lee Goldman

We have MFA set up for Access to the UTM.  This weekend we had a core switch failure which blocked access to the internal Radius servers and thus could not gain access to the firewall management.  On Cisco and Palo firewalls there is a setting that allows to fail to local passwords if the Radius server is not accessible.  Is there a similar setting on the UTM?  This way we can fail to Single Factor and Local passwords if the radius server is unreachable?



This thread was automatically locked due to age.
Parents
  • 0

    Greetings, Lee, and welcome to the UTM Community!

    In 'Management >> WebAdmin Settings', just add the local user(s) in 'Allowed Administrators'.  In general, I recommend that only one person know the password for the "admin" account, and that will always get you into WebAdmin.

    As for 'Allowed Networks', get rid of "Any" if it's there and be as stingy as possible with IPs you allow to access WebAdmin.  My clients all have a DNS group object that uses an FQDN for my IPs similar to supportaccess.sophos.com.  In addition, the "(User Network)" object for my user is included in case I need to access from somewhere else.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0

    Greetings, Lee, and welcome to the UTM Community!

    In 'Management >> WebAdmin Settings', just add the local user(s) in 'Allowed Administrators'.  In general, I recommend that only one person know the password for the "admin" account, and that will always get you into WebAdmin.

    As for 'Allowed Networks', get rid of "Any" if it's there and be as stingy as possible with IPs you allow to access WebAdmin.  My clients all have a DNS group object that uses an FQDN for my IPs similar to supportaccess.sophos.com.  In addition, the "(User Network)" object for my user is included in case I need to access from somewhere else.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML