This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM9 - MFA Loop

phi IT-Services GmbH over 1 year ago

Hello Sophos Community,

I have a problem with the Sophos UTM 9 firewall and the setup with MFA.

Key data:

- Sophis UTM 9 (SG230) - version: 9.713-19

- The OTP setting under Authentication Services is enabled

- Only one user was added for the test

- The setting Auto-create OTP tokens for users is set

- OTP is enabled for User Portal and SSL VPN

When the user logs into the portal (username+password), the prompt to scan the QR code appears in the next window. After scanning and clicking on the Continue with login button, I land again on the user portal and am asked to enter my login data again. I enter username+password again and attach the MFA code behind the password.

After logging in, I am asked to scan the QR code again. And now I'm in a loop. The problem also occurs when I log in with just a username+password or just append random numbers to the password.

In the WebAdmin portal, however, I can see under OTP token that the key for the user has been created automatically. I've already restarted the firewall and installed the latest firmware but unfortunately no improvement. Do you have another idea?

Kind regards

Kevin

This thread was automatically locked due to age.

Top Replies

Raphael Alganes over 1 year ago in reply to phi IT-Services GmbH +3 verified

Hello, Good day and Thanks for sharing these details. please check SHA settings on under OTP if it is 265 or 512 and if Google Authenticator support such hash algorithm or falling back to SHA1, then…

Parents

0 Raphael Alganes over 1 year ago

Hi Kevin,

Good day and thanks for reaching out to Sophos community and hope you are well.

Few Queries:

-Kindly verify if you have followed all steps as per this kb: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesOneTimePassword.htm

-Also if possible can you show result of aua.log while encountering the issue? under Shell run tail -f /var/log aua.log

-And may we verify what authenticator app you are using?

Kindly let us know. Many thanks have a nice day ahead and thank you for choosing Sophos

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

0 phi IT-Services GmbH over 1 year ago in reply to Raphael Alganes

Hello Vivek Jagad, hello Raphael Alganes,

thank you for the message. I use the Google Auth app. Here is the excerpt from the aua.log:

2023:01:17-14:32:13 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:13 remote aua[3302]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:13 remote aua[3302]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
2023:01:17-14:32:47 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:47 remote aua[3375]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:47 remote aua[3375]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"

Kind regards

Kevin

Reply

0 phi IT-Services GmbH over 1 year ago in reply to Raphael Alganes

Hello Vivek Jagad, hello Raphael Alganes,

thank you for the message. I use the Google Auth app. Here is the excerpt from the aua.log:

2023:01:17-14:32:13 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:13 remote aua[3302]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:13 remote aua[3302]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
2023:01:17-14:32:47 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2023:01:17-14:32:47 remote aua[3375]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2023:01:17-14:32:47 remote aua[3375]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"

Kind regards

Kevin

Children

+1 Raphael Alganes over 1 year ago in reply to phi IT-Services GmbH

Hello,

Good day and Thanks for sharing these details.

please check SHA settings on under OTP if it is 265 or 512 and if Google Authenticator support such hash algorithm or falling back to SHA1, then try to change in UTM by changing SHA settings to match authenticator hash algorithm.

alike community thread reference that you can also refer to:

- Sophos SG UTM: OTP QR Code doesn't work

- RE: Users cannot login with OTP

Hope this helps. Kindly let us know how it goes. Thanks for your time and patience and thank you for choosing Sophos.

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +3 Vote Down

Cancel
0 phi IT-Services GmbH over 1 year ago in reply to Raphael Alganes

Hello Raphael Alganes,

thank you for the message. I switched the hash SHA1 and now it works. :) many thanks for the help.

Best regards

Kevin
Cancel
Vote Up +1 Vote Down

Cancel