OTP, User Portal, and the CAA

Gary,

once you enable OTP on user portal, CAA will stop working. They use the same component. I know that because there is a old thread where we discussed about.

So for me, OTP is useless.

https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/v16beta/f/sfos-v16-beta-issues-bugs/78147/client-authentication-reports-bad-credential-if-otp-is-enabled/307608#307608

Regards

Wonderful.

I found that CAA still works if you add the OTP to the PW, but that kind of kills the whole seamless login aspect of CAA making it kind of a PITA to use.

I saw a feature request someone made to allow for OTP to be allied to interfaces independently...  so you could have it on for WAN and off for LAN.  I'll go find that and update the post... might be good to get that idea some more votes.

Also, might submit an idea to have the CAA separated from the User Portal for OTP purposes. They don't need to split the code, just put an if/else statement to look at the source service (web vs client)

-Gary

I was wrong, that idea for OTP only on WAN was for SG UTM rather than XG, but I'm guessing it is worth voting for on one to get it in the other:

https://ideas.sophos.com/forums/17359-sg-utm/suggestions/15117372-user-portal-otp-only-from-wan

Here are ideas to vote on if you want to put supporting behind either of these ideas for XG

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/33679678-apply-otp-to-zones-independently

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/33679621-split-caa-from-user-portal-for-otp