
Why doesn't the XG SSL-VPN client recognise a 3rd Party 2FA Authentication Confirmation?

When you ask the user to authenticate with an additional RADIUS server, directed at a 3rd party solution (for example SecurEnvoy, Swivel, Vasco), and the user strongly authenticates (i.e. username and password+passcode) which is acknowledged by the 3rd party solution as correct - the Sophos SSL-VPN client returns to the login screen with requests for Username and Password.

 

This looks like it is a timeout issue or suchlike that other firewalls can handle, or at least be configured to mitigate. Why can't the Sophos XG?



Edited TAGs
[edited by: emmosophos at 5:39 PM (GMT -7) on 2 Jun 2021]
  • Hi  

    This question was raised as part of this previous community thread and related to ID NC-8393 regarding making the RADIUS timeout configurable.

    As was mentioned in David's support case

    David Ballagh said:

    I have a further update and a correction from support:

    The fix for NC-8393 will be available in version 17.2 which is due to be released between September or October of this year (2018). Version 17.1 is coming out in the summer but won't have this feature. 

    As for the workaround provided, Google Authenticator is apparently one way to go but saying that the firewall could also be used was a typo. Instead the support engineer meant that One-Time Password could be used in place of multi-factor authentication. OTP can be used for WebAdmin, User Portal, SSL and IPSEC remote access.

    Along with your current support case, I would also advise raising this ETA inquiry with your Sophos Account Manager. 

    Regards,

  • This response came back from Sophos engineering. Way to go to understand how big an issue this actually is.

     

    I believe the customer is referring to configurable RADIUS authentication timeout. This allows 2FA applications such as DUO to work where manual interaction is required from the end user. I can confirm this is not supported in the XG at this time but is planned for a future release, this will not be the next release though.

     

    The reason why timelines cannot be provided is because feature releases can be changed or a feature removed entirely from the roadmap. The last I heard this was scheduled for v18 so there is no use the customer holding their breath because the full release this isn’t scheduled until Q4 2019.

     

    This is an option that is configurable on the SG if they want to move to this platform if this is a requirement. Alternatively they can use a different form of 2FA that is supported for example the mobile app Sophos Authenticator.

     

    ........................
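
The symptom discussed in this thread, reproduced as an added example (not part of any post above and not Sophos code): a RADIUS client with a fixed wait gives up before a 2FA server that needs user interaction sends its Access-Accept, so the server records success while the client falls back to the login prompt. The helper names, shared secret, user name and timings are constructed assumptions, and the Access-Request carries only User-Name for brevity.

```python
import hashlib, os, socket, struct, threading, time

SECRET = b"constructed-shared-secret"      # constructed sample value
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RADIUS codes (RFC 2865)

def serve_once(sock, approval_delay, sent):
    """Stand-in for the 3rd-party 2FA RADIUS server (hypothetical helper)."""
    data, addr = sock.recvfrom(4096)
    time.sleep(approval_delay)             # user is approving the second factor
    head = struct.pack("!BBH", ACCESS_ACCEPT, data[1], 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(head + data[4:20] + SECRET).digest()
    sock.sendto(head + auth, addr)
    sent.append(True)                      # the server did answer Access-Accept

def radius_login(approval_delay, timeout, retries=0, user=b"alice"):
    """Return (client_result, server_sent_accept) for one login attempt."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    sent = []
    worker = threading.Thread(target=serve_once, args=(srv, approval_delay, sent))
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    req_auth = os.urandom(16)
    attrs = bytes([1, 2 + len(user)]) + user   # User-Name only, for brevity
    request = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + req_auth + attrs
    result = "timeout"                     # what the VPN client sees by default
    for _ in range(retries + 1):           # same ID and authenticator on retransmit
        cli.sendto(request, srv.getsockname())
        try:
            reply, _addr = cli.recvfrom(4096)
        except socket.timeout:
            continue
        want = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
        ok = reply[0] == ACCESS_ACCEPT and reply[4:20] == want
        result = "accept" if ok else "invalid"
        break
    worker.join()                          # let the late reply go out before closing
    cli.close(); srv.close()
    return result, bool(sent)

if __name__ == "__main__":
    print(radius_login(0.5, 0.2))             # window 0.2 s < 0.5 s approval
    print(radius_login(0.5, 0.2, retries=3))  # window 0.8 s covers the approval
```

The effective window is the per-try timeout multiplied by the number of tries, which is why a configurable RADIUS timeout (or retry count) is what lets interactive second factors complete.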
