This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM9 - MFA Loop

Hello Sophos Community,

I have a problem with the Sophos UTM 9 firewall and the setup with MFA.

Key data:

- Sophis UTM 9 (SG230) - version: 9.713-19

- The OTP setting under Authentication Services is enabled

- Only one user was added for the test

- The setting Auto-create OTP tokens for users is set

- OTP is enabled for User Portal and SSL VPN

When the user logs into the portal (username+password), the prompt to scan the QR code appears in the next window. After scanning and clicking on the Continue with login button, I land again on the user portal and am asked to enter my login data again. I enter username+password again and attach the MFA code behind the password.

After logging in, I am asked to scan the QR code again. And now I'm in a loop. The problem also occurs when I log in with just a username+password or just append random numbers to the password.

In the WebAdmin portal, however, I can see under OTP token that the key for the user has been created automatically. I've already restarted the firewall and installed the latest firmware but unfortunately no improvement. Do you have another idea?

Kind regards

Kevin



This thread was automatically locked due to age.
Parents
  • Hi Kevin,

    Good day and thanks for reaching out to Sophos community and hope you are well.

    Few Queries:

    -Kindly verify if you have followed all steps as per this kb: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/AuthServicesOneTimePassword.htm

    -Also if possible can you show result of aua.log while encountering the issue? under Shell run tail -f /var/log aua.log

    -And may we verify what authenticator app you are using?

    Kindly let us know. Many thanks have a nice day ahead and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello Vivek Jagad, hello Raphael Alganes,

    thank you for the message. I use the Google Auth app. Here is the excerpt from the aua.log:

    2023:01:17-14:32:13 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
    2023:01:17-14:32:13 remote aua[3302]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
    2023:01:17-14:32:13 remote aua[3302]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"
    2023:01:17-14:32:47 remote aua[3775]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
    2023:01:17-14:32:47 remote aua[3375]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
    2023:01:17-14:32:47 remote aua[3375]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.0.10" host="" user="testuser" caller="portal" reason="DENIED"

    Kind regards

    Kevin

  • Hello,

    Good day and Thanks for sharing these details.

    please check SHA settings on under OTP if it is 265 or 512 and if Google Authenticator support such hash algorithm or falling back to SHA1, then try to change in UTM by changing SHA settings to match authenticator hash algorithm. 

    alike community thread reference that you can also refer to:

    -  Sophos SG UTM: OTP QR Code doesn't work 

    RE: Users cannot login with OTP 

    Hope this helps. Kindly let us know how it goes. Thanks for your time and patience and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply Children