Sophos Connect Client with OTP

Hi Dirk,

It does work with OTP, first you would need to enable for IPsec Remote access which is enabled by default. Then simply use Sophos Authenticator and sync with QR code in the user portal. 

The configuration file is the same for all users which is downloaded from admin web console along with the setup. Enter the username and password (password + otp).

Refer KBA-> community.sophos.com/.../125228

This should not be suggested answer as it does not address what's being experienced. The OTP is setup fine and we use it extensively for the "legacy" SSLVPN client without issues and OTP authenticates fine with user portal. 

When using Sophos Connect with customized config file to prompt for MFA the code does not work. Once we load a config that does not prompt for OTP it works perfectly fine.

Either there is a bug with Sophos Connect not accepting OTP or Dir and I are missing something.

Please Help! :)

Brad is absolutely correct, my tests with the same user on a XG also shows:

• SSL VPN with OTP working fine (OTP code entered directly after the password)
• Sophos IPSec Client without OTP working fine
• Sophos IPSec Client with OTP not working (config file adjusted be means of Sophos connect admin: acivated prompt for 2FA

@Aditya: Thanks for your reply! I am familiar with activating OTP since I am using it for SSL VPN with my customers. I re-ckecked and also follwed the guidelines from here: https://docs.sophos.com/nsg/sophos-connect/help/en-us/nsg/scon/concepts/AboutSophosConnect.html

But I still do end up with an authentication error ([IKE] <IPSEC_VPN | 10> Xauth authentication of 'user' (myself) failed.

Any idea or suggestion?

Dirk

Hello Dirk,

Was checking this thread and I wanted to know if the problem with OTP and Sophos Connect got resolved? Please let me know.

Ramesh

Hi Ramesh.

I'm on a buisness trip these days, but I will revert when I have re-checked the issue after the new SF-OS release 17.5.3. I guess I saw some remarks about a new version of Sophos Connect cCient with this release.

Cheers Dirk

Hello Dirk,

The current release of Sophos Connect is 1.2. This release is available for download with any version of v17.5.x. So please download the latest version of Sophos Connect and provide feedback if it worked for you.

Ramesh

Sadly, problem still exists. We love the way this looks and deploys but cannot deploy out into wild with today's security landscape if OTP does not work. It's disappointing this still is not addressed.

Anyone out there able to confirm yet if Sophos Connect VPN is compatible with OTP?   In the process of rolling out new VPN on 17.5.  Thanks

Anyone out there able to confirm yet if Sophos Connect VPN is compatible with OTP?   In the process of rolling out new VPN on 17.5.  Thanks

Hello All,

Yes it is confirmed that Sophos Connect VPN is compatible with OTP. If you are using OTP with tgb file then you enter passwordOTP with NO comma or space between with password and OTP. The two are entered as a single string.

If you are using Sophos Connect Admin to configure the policy, then you will get separate prompt for OTP.

Please let us know after you give that a try.

Ramesh

I challenge that response. While it maybe listed as supporting OTP, it clearly is not funcitoning correctly. Whether I try via TGB or with OTP prompt it fails. It works great without it and of course on the classic SSLVPN. 

Hello Brad,

I think there is some configuration or user error because I have rechecked user authentication by connecting Sophos Connect with multiple XG gateways and it works. 

Ramesh

Setup of Sophos Connect + OTP on XG330_WP02_SFOS 17.5.3 MR-3 worked out great.  AD user on win7 laptop running the Sophos Connect VPN client + Sophos Authenticator app on an ios device.  No problems here so far.