We use Sophos UTM 9.7 as our Gateway. It is connected to our Active Directory via LDAP.
When a user logs into our VPN portal, the user is created automatically in our gateway with their AD credentials.
In the Authentication Services --> Global Settings, "End User Portal" is activated.
We have One-Time Password activated, and we drag and drop any new user into the "Authentication Settings".
"Auto-create OTP tokens for users" is activated.
Afterwards, any user who is dragged in gets a QR code to scan with an authenticator app. Then they log in by adding the 6-digit code to their usual password.
Now to the Problem:
We have 2-3 users, created exactly like all the others, for whom the 6-digit code doesn't work. After scanning the QR code, the authenticator app shows a 6-digit code, but every conceivable way of entering it results in "invalid username/password (or access denied by policy)".
We deleted the users from the gateway, let them log in to our End User Portal again and redid the whole procedure. Sadly, this resulted in the same error. A wrong password/username is already ruled out, since we tested it on site as well.
Is there any way to get a more detailed explanation on why the login didn't work?
I've seen this once before.
The problem (in this instance) was with the device (mobile phone) that had the authentication app installed. The mobile phone was not set to get the date and time from the network provider, so if the date and time were slightly off on the mobile phone, the 6-digit rolling code would be wrong.
So changing the mobile phone to automatically update the date and time with the network provider fixed the issue.
I hope this helps.
So we managed to get it working for one of the users. They didn't understand how the 2FA code should be added... Well, whatever.
We have another user for which the problem is a bit different.
Logging in to our User Portal works as long as he is not added to One-Time Password. Once I do add him, he is no longer able to log in to the User Portal; just "invalid username/password (or access denied by policy)". For whatever reason, this only happens to this specific user. VPN groups are the same across the board.
User authentication daemon --- 2022:04:01-11:39:35 gateway aua: id="****" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="****" host="" user="****" caller="portal" reason="DENIED"
openvpn.log --- 2022:04:01-11:41:11 gateway openvpn: **** TLS: Username/Password authentication deferred for username '****' [CN SET]
Any other logs I can look into?
Can I just check that you have the "User Portal" option ticked in:
Authentication Services --> One-Time Password --> Authentication Settings/Enable OTP for facilities: section in the middle of the page.
Yes, this option is ticked. As I stated before, it is only this one specific user who doesn't work with 2FA. However, in our Active Directory this user doesn't seem to have any special groups or other settings that set him apart.
What happens if you change his password and try to login as him - do you get in?
Cheers - Bob
Tried that today. When I changed the password to a short one meeting our minimum PW requirements, it worked.
When the user, on the other hand, changed it again to a new one, the same problem occurred.
He was able to log in to the User Portal, but wasn't able to log in after I dragged him into the 2FA box.
What's noticeable is that the password the user is using is around 20 digits long, way longer than the one I used in the test.
We even tested leaving out any special characters, but this did not help...
Cheers to you too - Daniel
If OTP works for you, Daniel, but not for the user, it must be user error or the issue S1P pointed out.
SO! After extensive trial-and-error research (yes, I've tried dozens of different passwords with a test account), I've come to a surprising conclusion:
The invalid policy error after adding the user to the 2FA settings box pops up if the user's password contains 6 numbers in sequence. It doesn't matter if they are repeated numbers or different ones. The only way to circumvent this issue is to break up the numbers with a letter or a special character. Or just use 5 letters in sequence...
It would be great if someone else could test this, because I am baffled that THIS was the problem. I couldn't find any documentation on this.
That's quite a discovery, Daniel. Please open a case with Sophos Support so that they can communicate this to the developers.