We use Sophos UTM 9.7 as our Gateway. It is connected to our Active Directory via LDAP.
When a user logs into our VPN portal, the user is created automatically in our gateway with their AD credentials.
In the Authentication Services --> Global Settings, "End User Portal" is activated.
We have One-Time Password activated and we drag and drop any new user into the "Authentication Settings".
"Auto-create OTP tokens for users" is activated.
Afterwards, any user who is dragged in gets a QR code to scan with an authentication app. Then they log in by adding the 6-digit code to their usual password.
Now to the Problem:
We have 2-3 users, created exactly like all the others, for which the 6-digit code doesn't work. After scanning the QR code, the authentication app shows a 6-digit code, but any conceivable way of entering it results in "invalid username/password (or access denied by policy)".
We deleted the users from the gateway, let them log in to our End User Portal again and redo the whole procedure. Sadly, this resulted in the same error. Wrong password/username has already been ruled out, since we tested it on site as well.
Is there any way to get a more detailed explanation on why the login didn't work?
So we managed to get it working for one of the users. They didn't understand how the 2FA code should be added... Well whatever.
We have another user for which the problem is a bit different.
The login to our User Portal works as long as he is not added to One-Time Password. Once I do add him, he is no longer able to log in to the User Portal. Just "invalid username/password (or access denied by policy)". For whatever reason, this only happens to this specific user. VPN groups are the same across the board.
User authentication daemon --- 2022:04:01-11:39:35 gateway aua: id="****" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="****" host="" user="****" caller="portal" reason="DENIED"
openvpn.log --- 2022:04:01-11:41:11 gateway openvpn: **** TLS: Username/Password authentication deferred for username '****' [CN SET]
Any other logs I can look into?
Can I just check that you have the "User Portal" option ticked in:
Authentication Services --> One-Time Password --> Authentication Settings/Enable OTP for facilities: section in the middle of the page.
Yes, this option is ticked. As I stated before, it is only this one specific user who doesn't work with 2FA. However, in our Active Directory this user doesn't seem to have any special groups or other settings which set him apart.
What happens if you change his password and try to login as him - do you get in?
Cheers - Bob
Tried that today. When I changed the password to a short one that met our minimum password requirements, it worked.
When the user, on the other hand, changed it again to a new one, the same problem occurred.
He was able to log in to the User Portal, but wasn't able to log in after I dragged him into the 2FA box.
What's noticeable is that the password the user is using is around 20 digits long. Way longer than the one I used in the test.
We even tested leaving out any special characters, but this did not help...
Cheers to you too - Daniel
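To make the mechanics of this thread concrete for readers debugging the same symptom, here is an added example (not Sophos code and not from any poster) of how a "password with the 6-digit code appended" login is taken apart and verified on the server side, following RFC 6238 TOTP (HMAC-SHA1, 30-second step, the scheme authenticator apps use). It assumes the UTM convention described above, where the OTP is the last six characters of the password field. The `verify_with_field_cap` helper models a purely hypothetical maximum length on the combined credential: the page does not state that the UTM has such a cap, but the function shows how one would produce exactly the pattern Daniel describes (a short password works, a ~20-character password plus OTP fails with a generic denial).

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6
STEP_SECONDS = 30

# Constructed test secret: the RFC 6238 reference key "12345678901234567890" in base32,
# i.e. the kind of value an enrolment QR code carries. Not a real token.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing at_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(combined: str, digits: int = OTP_DIGITS):
    """Separate 'password + OTP' into (password, otp); None if no trailing code is present."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify(combined: str, expected_password: str, secret_b32: str, now: int, window: int = 1):
    """Check the static password, then accept the OTP for the current step or +/- window steps.

    Returns (ok, reason); a production gateway would log the reason only server-side
    and show the user the same generic denial for every branch.
    """
    parts = split_credential(combined)
    if parts is None:
        return False, "no trailing otp"
    password, otp = parts
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return False, "wrong password"
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, now + k * STEP_SECONDS)
        if hmac.compare_digest(candidate.encode(), otp.encode()):
            return True, "ok"
    return False, "otp mismatch"


def verify_with_field_cap(combined: str, cap: int, expected_password: str, secret_b32: str, now: int):
    """HYPOTHETICAL: model a front end that silently truncates the credential field to `cap`
    characters before verification. Assumption for illustration only, not documented UTM behaviour."""
    return verify(combined[:cap], expected_password, secret_b32, now)


if __name__ == "__main__":
    # RFC 6238 reference vector: at t=59 the 8-digit SHA1 code is 94287082 -> 6 digits "287082".
    code = totp(DEMO_SECRET_B32, 59)
    print("OTP at t=59:", code)
    print("short password:", verify("hunter2" + code, "hunter2", DEMO_SECRET_B32, 59))
    long_pw = "P" * 20
    print("long password, no cap:", verify(long_pw + code, long_pw, DEMO_SECRET_B32, 59))
    print("long password, hypothetical 24-char cap:",
          verify_with_field_cap(long_pw + code, 24, long_pw, DEMO_SECRET_B32, 59))
```

Running it shows the short-password case and the uncapped long-password case both succeed, while the capped case is rejected because truncation strips part of the OTP, so the trailing six characters are no longer all digits. The server-side `reason` is what a log such as the `aua` line above would need to carry for the failure to be diagnosable; a bare `reason="DENIED"` cannot distinguish these branches.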
If OTP works for you, Daniel, but not for the user, it must be user error or the issue S1P pointed out.