This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Force Users using One Time Password OTP

Hello.

We enabled OTP for some users for userportal, SSL and IPSec VPN. The user has to login to the user portal the first time and scan the automatically generated QR code.

Thought, every user in the OTP list needs to activate its OTP to use VPN. But it seems the users can use VPN forward with their "normal credentials" without OTP because they just do not login to userportal so their QR code won't be generated. Is that right that users could login to VPN further without OTP until they login to user portal first time? And if so, could we "block this" in some way to force users to login and generate their code?

Thanks.



This thread was automatically locked due to age.
Parents
  • Hello Horsting,

    Thank you for contacting the Sophos Community.

    If you select the option of Auto-create OTP tokens for users, once the user tries to connect to the SSL  VPN, it’ll generate the Auto-Generated token, and user will not be able to log in.

    You should be able to see in  the access_server.log the following message 

    MESSAGE Oct 27 13:54:16.203729 [OTP_AUTH]: (otp_handle_complete_password_success_request): REJECT6 for user otp (user should have used OTP but didn't do it, didn't use User Portal, has generated token)

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello Horsting,

    Thank you for contacting the Sophos Community.

    If you select the option of Auto-create OTP tokens for users, once the user tries to connect to the SSL  VPN, it’ll generate the Auto-Generated token, and user will not be able to log in.

    You should be able to see in  the access_server.log the following message 

    MESSAGE Oct 27 13:54:16.203729 [OTP_AUTH]: (otp_handle_complete_password_success_request): REJECT6 for user otp (user should have used OTP but didn't do it, didn't use User Portal, has generated token)

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
  • Hello emmosophos,

    thanks for reply.

    Yes, we selected Auto-Create OTP. And for OTP activation we have choosen:
    - Userportal
    - IPsec Remote Access
    - SSL-VPN

    I wanted to have a look at access_server.log but couldn't find it. Dowanloaded all logs from Webinterface but no such file:

    acm.log
    afc.log
    aptp.log
    aua.log
    awslogsd.log
    boot.log
    confd.log
    device-agent.log
    dhcpd.log
    endpoint.log
    eplog.log
    epsecd.log
    fallback.log
    ftp.log
    high-availability.log
    hotspot.log
    html5vpn.log
    http.log
    httpd.log
    identd.log
    ips.log
    ipsec.log
    ipv6.log
    kernel.log
    letsencrypt.log
    logging.log
    login.log
    mdw.log
    named.log
    notifier.log
    openvpn.log
    ospf.log
    packetfilter.log
    pop3.log
    pppd.log
    pppoa.log
    pppoe.log
    pptpd.log
    red.log
    restd.log
    reverseproxy.log
    selfmon.log
    service_monitor.log
    smc.log
    smtp.log
    sockd.log
    sshd.log
    system.log
    uma.log
    up2date.log
    user_prefetch.log
    wireless.log
    xorp.log

    May the log file you metioned be just available in Sophos XG? We have just SG (what for example makes a difference when trying to raise the automatically 4 hours timeout for OTP, which is not possible in SG but in XG, but this only by the way).

    In webinterface defintions and users -> authentication services -> one time password there is an overview of all users and their OTP token. Could we export this in some way? So we could compare the users in this list with the users in the AD group which is read out for OTP configuration (we did'n select the "all users must use OTP" option in the beginning of the rollout).

    Thanks for your help.

  • Hello there,

    Thank you for the Follow Up.

    I will be moving this thread to the correct Community Group (UTM).

    If it is the UTM the same happens, I initially created the user "otp" access the User Portal download the SSL VPN configuration, connected to the SSL VPN, then disconnected, next I enabled OTP for this user, tried to connect and got the below.

    2021:10:28-16:57:30 utm1 aua[27604]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="99.XXX.XXX.XX" host="" user="otp" caller="openvpn" reason="DENIED"

    You can see this under the aua.log

    Make sure that Auto-Create OTP token for users is enabled. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • thanks for the reply. found a lot of entries in this log and now i can look for the special users. thanks again!!

  • Hello, it's me again Slight smile

    Just today response from one user:
    - OTP was activated for this user two months ago (september).
    - Today user says that he could not login to VPN.
    - Had a look in the aua.log and found DENIED entry.
    - But user says that he could login to VPN all the last days and weeks WITHOUT using one time pw..
    - So I had a look into all aua logs from october and there was no DENIED entry for this user.
    --> Seems that the user could use VPN without OTP although it was activated...

    - Auto-Create OTP option is activated.
    - The user uses IPsec VPN.

  • Hello Horsting,

    Thank you for the update.

    Do the logs in October show that the user actually disconnected at some point and reconnected?

    I would suggest you open a case if you know of another user having this issue, so it can be investigated further

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thanks Emmanuel, opening a case would be the best but it's not so easy because we can't tell a special username in combination with concrete date and time because, as I mentioned already, we activated OTP for a handful of users but didn't get feedback. Just weeks or months later some users call and say "today I can not connect to VPN but the last days/weeks it worked fine". And when we ask "did you already scan the QR code and activate the OTP?" the user say "no it worked all the time without OTP". Thats the reason why we asked here in forum becaus we thought that once OTP is activated the user can not connect without it but seems that connection without OTP will still work (for a pariod of time after activation) if the users tell us "the truth"... :-)

    Maybe the problem is solved when we activate the option "OTP FOR ALL USERS" and do not use the different user groups...