
2FA for Remote Access via SSL Client

Is there a way to implement 2FA (e.g. with Authenticator App) for the SSL VPN Client?

We currently use the Sophos SSL VPN Client for our remote access. The access control for groups & users and their authentication is done via ActiveDirectory.



  • Hi,

    Thank you for reaching out to Sophos Community.

    Please refer to the below article to configure 2FA for SSL VPN.

    support.sophos.com/.../KB-000034983

  • Hi, thank you for the link to the article.

    I already made some tests with selected accounts. However, the OTP feature does not seem to be working in a consistent way. Some tests worked as advertised and some did not.

    Test 1:

    In my very first test I just assigned my own account to the OTP feature. I used the MS Authenticator app and everything went well.
    First I logged in on the UserPortal and added the account to the authenticator via QR code scanning. Then I tested the VPN client and again the UserPortal, and both worked fine by combining the password with the current 6-digit code from the authenticator.

    Test 2:

    Then I made a second moderated test with a small group of users, which did not go so well:

    - One user had no problems, even though he used a different Authenticator app.

    - The other user could not even log on to the UserPortal as soon as I assigned him to the OTP feature - his usual password did not work. There was no token created in the list although automatic token creation was enabled.

    - I also joined the test team. My account could log in to the UserPortal, get to the QR code and add the account on my MS Authenticator, but then could not log on in the UserPortal or VPN Client with the password+6-digit code. The UserPortal worked, but only with my usual password. Every time I accessed the UserPortal I saw the page with the QR code.

    Test 3:

    A third test with another user was not successful either. He got a QR code and the Authenticator entry but could not use the password+6-digit code for his account. I monitored his login attempts on the UTM router and saw the following log entries:

    2021:04:15-16:04:06 gateway aua[3712]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
    2021:04:15-16:04:06 gateway aua[10002]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.xxx.xxx (adirectory)"
    2021:04:15-16:04:06 gateway aua[10002]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
    2021:04:15-16:04:06 gateway aua[10002]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="xxx.xxx.xxx.xxx" host="" user="xxxxxxxx" caller="openvpn" reason="DENIED"

    Summing up all issues during all tests gives the following common result:
    Most users can log on to the User Portal and get the account added to their Authenticator with the QR code. But then they can't use the combined password, neither in UserPortal access nor in the VPN Client. They can still log on to the user portal by typing their original password, and they get this QR code page again and again.

    What I can't get is why one of the users could not log in although there was no token and he did not get a QR code. Even manually creating the token didn't help.

    Actually I was positively surprised that it went so well during the first try but then heavily disappointed that the group tests didn't work out well.

    Where could I start to continue debugging? Could it be an Authenticator issue? Could it be a bug in combination with ActiveDirectory authentication?

  • Hello @all,

    I have also started some tests with OTP, first only the user portal.

    I found out that after several logins to the user portal, the login was not working any more for my test user.

    After deleting the OTP user from the OTP token list, the login works again.

    Is there a timer to delete the user from that list automatically?

  • Any news about that? How can we fix the problem?

  • I managed to solve the problems by reverting the "Timestep settings" to the original values (10/3/10). I've already added several users to the test group and they use various authenticators: MS Authenticator, 1Password, Sophos Authenticator.

    I think during my first tests the MS Authenticator was not compatible with the changed timestep values. I do not remember exactly, but I might have changed them to 60/5/30 or similar.
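
    The failure mode described in the reply above (gateway timestep settings that no longer match what the authenticator app assumes) can be reproduced with a small RFC 6238 TOTP implementation. This is an added example, not code from the thread or from Sophos; the 30-second step and +/-3-step tolerance window are RFC 6238 defaults used as assumptions, the secret is the RFC reference seed, and no mapping of the UTM's 10/3/10 values onto these parameters is assumed.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference seed (ASCII "12345678901234567890"), used here as a
# constructed test secret; a real token secret comes from the QR code enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, timestep: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays: HOTP over floor(unix_time / timestep)."""
    return hotp(secret, unix_time // timestep, digits)


def verify(secret: bytes, code: str, unix_time: int, timestep: int = 30,
           window: int = 3, digits: int = 6) -> bool:
    """Server-side check: the gateway recomputes the code for its own timestep and
    accepts it if it matches any step within +/- `window` steps (clock-skew tolerance)."""
    step = unix_time // timestep
    return any(
        hmac.compare_digest(hotp(secret, step + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def simulate(app_timestep: int, server_timestep: int, unix_time: int = 1111111109) -> bool:
    """Phone generates with app_timestep, gateway verifies with server_timestep.
    Authenticator apps keep the 30 s RFC default regardless of gateway settings,
    so the check fails once the gateway's timestep no longer matches."""
    code = totp(SECRET, unix_time, timestep=app_timestep)
    return verify(SECRET, code, unix_time, timestep=server_timestep)


if __name__ == "__main__":
    print("matching 30 s / 30 s:", simulate(30, 30))  # True
    # Phone clock 60 s ahead: two steps off, still inside the +/-3 window.
    print("skewed phone clock:", verify(SECRET, totp(SECRET, 1111111109 + 60), 1111111109))  # True
    # Gateway changed to a 60 s step while the app still uses 30 s: counters no longer line up.
    print("gateway 60 s vs app 30 s:", simulate(30, 60))  # False
```

    The same check run on the gateway side is what produces the "OTP verification did not succeed" entry quoted earlier in the thread, which is why restoring the default timestep values resolved it.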

  • You can use Azure and the MS Authenticator pretty easily. Works straight out of the box with RADIUS.