Hello Sophos Community,
I have a problem with the Sophos UTM 9 firewall and the setup with MFA.
Key data:
- Sophos UTM 9 (SG230) - version: 9.713-19
- The OTP setting under Authentication Services is enabled
- Only one user was added for the test
- The setting Auto-create OTP tokens for users is set
- OTP is enabled for User Portal and SSL VPN
When the user logs into the portal (username+password), the prompt to scan the QR code appears in the next window. After scanning and clicking the Continue with login button, I land on the user portal again and am asked to enter my login data again. I enter username+password again and append the MFA code to the password.
After logging in, I am asked to scan the QR code again, and now I'm in a loop. The problem also occurs when I log in with just username+password or just append random numbers to the password.
In the WebAdmin portal, however, I can see under OTP tokens that the key for the user has been created automatically. I've already restarted the firewall and installed the latest firmware, but unfortunately there is no improvement. Do you have another idea?
Kind regards
Kevin
Hello phi IT-Services GmbH,
Thank you for reaching out to the community. May we know which authenticator app you are using for scanning the QR code?
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Hi Kevin,
Good day, thanks for reaching out to the Sophos community, and I hope you are well.
A few queries:
- Kindly verify that you have followed all steps as per this KB: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesOneTimePassword.htm
- Also, if possible, can you show the output of aua.log while encountering the issue? Under Shell, run tail -f /var/log/aua.log
- And may we verify which authenticator app you are using?
Kindly let us know. Many thanks, have a nice day ahead, and thank you for choosing Sophos.
Cheers,
Raphael Alganes
Global Community Engineer, Support & Services
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.
The award-winning home for Sophos Support videos! - Visit Sophos Techvids
Hello Vivek Jagad, hello Raphael Alganes,
thank you for the message. I use the Google Auth app. Here is the excerpt from the aua.log:
2023:01:17-14:32:13 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:13 remote aua[3302]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:13 remote aua[3302]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
2023:01:17-14:32:47 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:47 remote aua[3375]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:47 remote aua[3375]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
Kind regards
Kevin
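As an added example (not part of Kevin's post or of Sophos' tooling), the following parser reads aua.log lines in the key="value" layout shown above and tells OTP rejections apart from plain password rejections: in the excerpt, the "OTP verification did not succeed" info line (id 3006) and the "Authentication failed" warning (id 3005) for the same attempt share the same aua child PID (3302, then 3375), so the two can be correlated on that PID. The sample log is constructed: the first six lines mirror the thread's excerpt, the seventh (user "other", with no preceding OTP line) is invented to show a non-OTP failure being classified differently. The user, address and threshold values are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format of UTM 9's aua.log. Lines 1-6 mirror the
# excerpt posted in this thread; line 7 is invented (a failure with no OTP line).
SAMPLE_AUA_LOG = """\
2023:01:17-14:32:13 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:13 remote aua[3302]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:13 remote aua[3302]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
2023:01:17-14:32:47 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:47 remote aua[3375]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:47 remote aua[3375]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
2023:01:17-14:35:02 remote aua[3410]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.23" host="" user="other" caller="portal" reason="DENIED"
"""

# "<timestamp> <host> aua[<pid>]: key="value" key="value" ..."
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) aua\[(?P<pid>\d+)\]: (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_aua_line(line: str):
    """Split one aua.log line into a dict: ts, pid plus every key="value" field."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def classify_failures(log_text: str):
    """Return (ts, user, srcip, cause) per failed login; cause is 'otp' or 'password'.

    An id 3005 failure is attributed to the OTP check when the same aua child PID
    logged "OTP verification did not succeed" just before it.
    """
    otp_pids = set()
    failures = []
    for line in log_text.splitlines():
        rec = parse_aua_line(line)
        if rec is None:
            continue
        if rec.get("id") == "3006" and rec.get("name", "").startswith("OTP verification did not succeed"):
            otp_pids.add(rec["pid"])
        elif rec.get("id") == "3005":
            cause = "otp" if rec["pid"] in otp_pids else "password"
            otp_pids.discard(rec["pid"])
            failures.append((rec["ts"], rec.get("user"), rec.get("srcip"), cause))
    return failures


def summarize(failures):
    """Count failures per (user, srcip, cause) so a repeating pattern stands out."""
    return Counter((user, srcip, cause) for _, user, srcip, cause in failures)


def repeated_otp_failures(failures, threshold: int = 2):
    """(user, srcip) pairs with at least `threshold` OTP rejections: either a token
    set-up mismatch, as in this thread, or someone guessing codes. Threshold is illustrative."""
    counts = summarize(failures)
    return sorted({(u, ip) for (u, ip, c), n in counts.items() if c == "otp" and n >= threshold})


if __name__ == "__main__":
    found = classify_failures(SAMPLE_AUA_LOG)
    for row in found:
        print(row)
    print(repeated_otp_failures(found))
```

Run it against a real capture with `tail -f /var/log/aua.log` piped into the script in place of the constructed sample; the PID correlation only holds while the two lines of one attempt are not interleaved with another attempt's lines from the same child, which is the case in the excerpt above.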
Hello,
Good day and thanks for sharing these details.
Please check the SHA setting under OTP: if it is 256 or 512, and Google Authenticator does not support that hash algorithm but falls back to SHA1, then change the SHA setting in UTM to match the authenticator's hash algorithm.
Similar community threads you can also refer to:
- Sophos SG UTM: OTP QR Code doesn't work
- RE: Users cannot login with OTP
Hope this helps. Kindly let us know how it goes. Thanks for your time and patience, and thank you for choosing Sophos.
Raphael Alganes
Global Community Engineer, Support & Services
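The loop in this thread is what a hash mismatch between the authenticator app and the verifier looks like: both sides share the same base32 secret, but TOTP (RFC 6238) is HOTP over a time counter with HMAC, so a code computed with HMAC-SHA1 will not verify under HMAC-SHA256 or HMAC-SHA512 and the UTM logs "OTP verification did not succeed" on every attempt. The following is an added example, not Sophos code and not a description of how UTM 9 implements OTP internally; it implements standard TOTP with a selectable hash and simulates a login where the app uses one hash and the verifier another. The secret, password, timestamp and the "password followed by the six-digit code" convention (as Kevin describes entering it) are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret (not a real token), base32-encoded as it would be
# carried in an otpauth:// URI when the QR code is scanned.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"

# 2023-01-17 14:32:13 UTC, the timestamp of the first failed attempt in the thread.
SAMPLE_TIME = 1673965933


def totp(secret_b32: str, unix_time: int, algorithm: str = "sha1",
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over floor(time / step) using HMAC with the given hash."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, algorithm: str = "sha1",
                window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Accept the code if it matches the current step or one within +/- window steps."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, algorithm, digits, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def split_password_and_otp(entered: str, digits: int = 6):
    """Assumed convention from the thread: the OTP is typed directly after the password."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return entered, None
    return entered[:-digits], entered[-digits:]


def simulate_login(app_algorithm: str, utm_algorithm: str, unix_time: int = SAMPLE_TIME) -> bool:
    """The app computes the code with its hash; the verifier checks it with the configured hash."""
    code = totp(DEMO_SECRET_B32, unix_time, app_algorithm)
    password, otp = split_password_and_otp("Passw0rd!" + code)   # password is a demo value
    if otp is None:
        return False
    return verify_totp(DEMO_SECRET_B32, otp, unix_time, utm_algorithm)


if __name__ == "__main__":
    print("app SHA1 / verifier SHA256:", simulate_login("sha1", "sha256"))   # rejected every time
    print("app SHA1 / verifier SHA1:  ", simulate_login("sha1", "sha1"))     # accepted
```

The `totp` function reproduces the RFC 6238 SHA1 test vector (secret "12345678901234567890", T=59, 8 digits gives 94287082), so the failing case in `simulate_login` is purely the hash mismatch, not a clock or secret problem; that is the check to make before changing the UTM setting, since a clock skew larger than the accepted window fails in exactly the same way in the log.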
Hello Raphael Alganes,
thank you for the message. I switched the hash to SHA1 and now it works. :) Many thanks for the help.
Best regards
Kevin