Force Users using One Time Password OTP

Hello Horsting,

Thank you for contacting the Sophos Community.

If you select the option of Auto-create OTP tokens for users, once the user tries to connect to the SSL  VPN, it’ll generate the Auto-Generated token, and user will not be able to log in.

You should be able to see in  the access_server.log the following message 

MESSAGE Oct 27 13:54:16.203729 [OTP_AUTH]: (otp_handle_complete_password_success_request): REJECT6 for user otp (user should have used OTP but didn't do it, didn't use User Portal, has generated token)

Regards,

Hello emmosophos,

thanks for reply.

Yes, we selected Auto-Create OTP. And for OTP activation we have choosen:
- Userportal
- IPsec Remote Access
- SSL-VPN

I wanted to have a look at access_server.log but couldn't find it. Dowanloaded all logs from Webinterface but no such file:

acm.log
afc.log
aptp.log
aua.log
awslogsd.log
boot.log
confd.log
device-agent.log
dhcpd.log
endpoint.log
eplog.log
epsecd.log
fallback.log
ftp.log
high-availability.log
hotspot.log
html5vpn.log
http.log
httpd.log
identd.log
ips.log
ipsec.log
ipv6.log
kernel.log
letsencrypt.log
logging.log
login.log
mdw.log
named.log
notifier.log
openvpn.log
ospf.log
packetfilter.log
pop3.log
pppd.log
pppoa.log
pppoe.log
pptpd.log
red.log
restd.log
reverseproxy.log
selfmon.log
service_monitor.log
smc.log
smtp.log
sockd.log
sshd.log
system.log
uma.log
up2date.log
user_prefetch.log
wireless.log
xorp.log

May the log file you metioned be just available in Sophos XG? We have just SG (what for example makes a difference when trying to raise the automatically 4 hours timeout for OTP, which is not possible in SG but in XG, but this only by the way).

In webinterface defintions and users -> authentication services -> one time password there is an overview of all users and their OTP token. Could we export this in some way? So we could compare the users in this list with the users in the AD group which is read out for OTP configuration (we did'n select the "all users must use OTP" option in the beginning of the rollout).

Thanks for your help.

Hello emmosophos,

thanks for reply.

Yes, we selected Auto-Create OTP. And for OTP activation we have choosen:
- Userportal
- IPsec Remote Access
- SSL-VPN

I wanted to have a look at access_server.log but couldn't find it. Dowanloaded all logs from Webinterface but no such file:

acm.log
afc.log
aptp.log
aua.log
awslogsd.log
boot.log
confd.log
device-agent.log
dhcpd.log
endpoint.log
eplog.log
epsecd.log
fallback.log
ftp.log
high-availability.log
hotspot.log
html5vpn.log
http.log
httpd.log
identd.log
ips.log
ipsec.log
ipv6.log
kernel.log
letsencrypt.log
logging.log
login.log
mdw.log
named.log
notifier.log
openvpn.log
ospf.log
packetfilter.log
pop3.log
pppd.log
pppoa.log
pppoe.log
pptpd.log
red.log
restd.log
reverseproxy.log
selfmon.log
service_monitor.log
smc.log
smtp.log
sockd.log
sshd.log
system.log
uma.log
up2date.log
user_prefetch.log
wireless.log
xorp.log

May the log file you metioned be just available in Sophos XG? We have just SG (what for example makes a difference when trying to raise the automatically 4 hours timeout for OTP, which is not possible in SG but in XG, but this only by the way).

In webinterface defintions and users -> authentication services -> one time password there is an overview of all users and their OTP token. Could we export this in some way? So we could compare the users in this list with the users in the AD group which is read out for OTP configuration (we did'n select the "all users must use OTP" option in the beginning of the rollout).

Thanks for your help.

Hello there,

Thank you for the Follow Up.

I will be moving this thread to the correct Community Group (UTM).

If it is the UTM the same happens, I initially created the user "otp" access the User Portal download the SSL VPN configuration, connected to the SSL VPN, then disconnected, next I enabled OTP for this user, tried to connect and got the below.

2021:10:28-16:57:30 utm1 aua[27604]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="99.XXX.XXX.XX" host="" user="otp" caller="openvpn" reason="DENIED"

You can see this under the aua.log

Make sure that Auto-Create OTP token for users is enabled. 

Regards,

thanks for the reply. found a lot of entries in this log and now i can look for the special users. thanks again!!

Hello, it's me again

Just today response from one user:
- OTP was activated for this user two months ago (september).
- Today user says that he could not login to VPN.
- Had a look in the aua.log and found DENIED entry.
- But user says that he could login to VPN all the last days and weeks WITHOUT using one time pw..
- So I had a look into all aua logs from october and there was no DENIED entry for this user.
--> Seems that the user could use VPN without OTP although it was activated...

- Auto-Create OTP option is activated.
- The user uses IPsec VPN.

Hello Horsting,

Thank you for the update.

Do the logs in October show that the user actually disconnected at some point and reconnected?

I would suggest you open a case if you know of another user having this issue, so it can be investigated further

Regards,

Thanks Emmanuel, opening a case would be the best but it's not so easy because we can't tell a special username in combination with concrete date and time because, as I mentioned already, we activated OTP for a handful of users but didn't get feedback. Just weeks or months later some users call and say "today I can not connect to VPN but the last days/weeks it worked fine". And when we ask "did you already scan the QR code and activate the OTP?" the user say "no it worked all the time without OTP". Thats the reason why we asked here in forum becaus we thought that once OTP is activated the user can not connect without it but seems that connection without OTP will still work (for a pariod of time after activation) if the users tell us "the truth"... :-)

Maybe the problem is solved when we activate the option "OTP FOR ALL USERS" and do not use the different user groups...