We use Sophos UTM 9.7 as our Gateway. It is connected to our Active Directory via LDAP.
When a user logs into our VPN portal, the user is created automatically in our gateway with their AD credentials.
In the Authentication Services --> Global Settings, "End User Portal" is activated.
We have One-Time Password activated, and we drag and drop any new user into the "Authentication Settings".
"Auto-create OTP tokens for users" is activated.
Afterwards, any user who is dragged in gets a QR code to scan with an authentication app. Then they log in by adding the 6-digit code to their usual password.
Now to the Problem:
We have 2-3 users, created exactly like all the others, for whom the 6-digit code doesn't work. After scanning the QR code, the authentication app shows a 6-digit code, but any conceivable way of entering it results in "invalid username/password (or access denied by policy)".
We deleted the users from the gateway, let them log in to our End User Portal again and redid the whole procedure. Sadly, this resulted in the same error. A wrong password/username has already been ruled out, since we tested it on site as well.
Is there any way to get a more detailed explanation on why the login didn't work?
So we managed to get it working for one of the users. They didn't understand how the 2FA code should be added... Well whatever.
We have another user for which the problem is a bit different.
Logging in to our User Portal works as long as he is not added to One-Time Password. Once I do add him, he is no longer able to log in to the User Portal, just "invalid username/password (or access denied by policy)". For whatever reason, this only happens to this specific user. VPN groups are the same across the board.
User authentication daemon --- 2022:04:01-11:39:35 gateway aua: id="****" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="****" host="" user="****" caller="portal" reason="DENIED"
openvpn.log --- 2022:04:01-11:41:11 gateway openvpn: **** TLS: Username/Password authentication deferred for username '****' [CN SET]
Any other logs I can look into?
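As an added example (not from the thread and not a Sophos tool), here is a small parser for the key="value" layout of the aua log line quoted above, run over constructed sample lines so that failed portal logins can be pulled out per user and compared with failures from other callers (openvpn, ...). The sample ids, addresses and user names are made up; only the field layout follows the quoted line.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the UTM key="value" log layout seen in the post above.
# IDs, addresses and user names are invented for this example; they are not real log data.
SAMPLE_AUA_LOG = """\
2022:04:01-11:39:35 gateway aua: id="0000" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.10" host="" user="jdoe" caller="portal" reason="DENIED"
2022:04:01-11:39:50 gateway aua: id="0000" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="203.0.113.11" host="" user="asmith" caller="portal"
2022:04:01-11:41:05 gateway aua: id="0000" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.10" host="" user="jdoe" caller="openvpn" reason="DENIED"
2022:04:01-11:42:30 gateway aua: id="0000" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="203.0.113.12" host="" user="bking" caller="portal" reason="DENIED"
"""

# "<timestamp> <gateway> aua: <key="value" ...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) aua: (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_aua_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one aua log line into a dict of its fields; None for lines not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "gateway": m.group("host")}
    rec.update(FIELD_RE.findall(m.group("fields")))  # list of (key, value) pairs
    return rec


def failed_logins(log_text: str, user: Optional[str] = None,
                  caller: Optional[str] = None) -> List[Dict[str, str]]:
    """All 'Authentication failed' records, optionally narrowed to one user and/or caller."""
    out = []
    for line in log_text.splitlines():
        rec = parse_aua_line(line)
        if rec is None or rec.get("name") != "Authentication failed":
            continue
        if user is not None and rec.get("user") != user:
            continue
        if caller is not None and rec.get("caller") != caller:
            continue
        out.append(rec)
    return out


def failure_summary(log_text: str) -> Dict[tuple, int]:
    """Count failures per (user, caller, reason). A user who fails only via one caller,
    or only with reason DENIED, stands out immediately in this table."""
    return dict(Counter((r.get("user"), r.get("caller"), r.get("reason"))
                        for r in failed_logins(log_text)))


if __name__ == "__main__":
    for key, n in failure_summary(SAMPLE_AUA_LOG).items():
        print(key, n)
```

In practice the input would be the aua log exported from the UTM (or tailed on the box); the point is that reason="DENIED" alone does not say why, so the comparison across callers and users is the most a log reader can get out of these lines.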
SO! After extensive trial-and-error research (yes, I've tried dozens of different passwords with a test account), I've come to a surprising conclusion:
The invalid policy error after adding the user to the 2FA settings box pops up if the user's password contains 6 numbers in sequence. It doesn't matter if they are repeated numbers or different ones. The only way to circumvent this issue is to break up the numbers with a letter or a special character. Or just use 5 letters in sequence...
It would be great if someone else could test this, because I am baffled that THIS was the problem. I couldn't find any documentation on this.
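Added example, not part of the thread and not Sophos code: a check for the pattern the post reports (six or more consecutive digits in the password), the workaround the post describes (breaking the run with a non-digit), and a sketch of one hypothesis for why such a password could confuse a "password + 6-digit token" login. The thread does not establish the cause; the `candidate_otp_splits` function only shows that if a gateway located the token by searching the combined string for any six-digit group instead of always taking the last six characters, a password with its own six-digit run would produce several possible splits. All function names are mine.

```python
import re
from typing import List, Tuple

SIX_DIGITS = re.compile(r"[0-9]{6}")


def has_six_digit_run(password: str) -> bool:
    """True if the password contains six or more digits in a row, the pattern the post
    reports as failing once OTP is enabled (repeated or different digits alike)."""
    return SIX_DIGITS.search(password) is not None


def break_digit_runs(password: str, sep: str = "-") -> str:
    """Workaround described in the post: insert a non-digit so no run reaches six digits.
    Helper written for this example; it is not a gateway feature."""
    out: List[str] = []
    run = 0
    for ch in password:
        if ch.isdigit():
            run += 1
            if run == 6:
                out.append(sep)  # break the run before the sixth digit
                run = 1
        else:
            run = 0
        out.append(ch)
    return "".join(out)


def split_last_six(combined: str) -> Tuple[str, str]:
    """The unambiguous way to take apart 'password + 6-digit OTP':
    the token is always the last six characters, whatever the password contains."""
    return combined[:-6], combined[-6:]


def candidate_otp_splits(combined: str) -> List[Tuple[str, str]]:
    """HYPOTHESIS, not documented behaviour: every (password, token) split in which
    some six-digit block of the combined string is treated as the token. If a gateway
    searched for such a block rather than taking the last six characters, a password
    with its own six-digit run yields several candidates, and any wrong pick fails."""
    cands = []
    for i in range(len(combined) - 5):
        block = combined[i:i + 6]
        if block.isdigit():
            cands.append((combined[:i] + combined[i + 6:], block))
    return cands


if __name__ == "__main__":
    # Constructed test values (not real credentials): a password with a six-digit run
    # and one without, each followed by the same made-up token.
    for pw in ("Summer123456", "S3cret!"):
        combined = pw + "987654"
        print(pw, "has six-digit run:", has_six_digit_run(pw),
              "| candidate splits:", len(candidate_otp_splits(combined)),
              "| last-six split:", split_last_six(combined))
```

A helpdesk could run `has_six_digit_run` against a proposed password before a user is added to OTP, and `break_digit_runs` shows the shape of the workaround the post found; whether the ambiguous-split hypothesis matches what the UTM actually does is something only Sophos support can confirm.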
That's quite a discovery, Daniel. Please open a case with Sophos Support so that they can communicate this to the developers.
Cheers - Bob