SSLVPN 2FA with Two XG's

Hello,

I have a client with an XG310 with SSLVPN authenticating against Active Directory with 2FA in their head office.

We are now implementing an XG115 in a branch office. Both of these offices are on the same Active Directory network connected by an MPLS network.

Whilst the Head Office XG310 will remain the main entry point for SSLVPN communications, I'd like to set up the branch office XG115 to handle redundant SSLVPN connections should they need it, authenticating against the same Active Directory with 2FA.

Whilst I'm able to rename the branch office SSLVPN .ovpn file to a different name to give me 2 connection options on the Sophos SSL VPN Client, e.g.:

user.one@domainname.com_HeadOffice.ovpn

user.one@domainname.com_BranchOffice.ovpn 

How do I go about creating the second MFA token, as these are stored on the phone under the same username, user.one@domainname.com? How will the user know which 2FA to use for each, and how will Google Authenticator / Microsoft Authenticator be able to store the same username twice with two separate tokens?

Thx

Drobo



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    The Sophos/Google Authenticator application stores the user's OTP token under a name that is the same as the account name,

    i.e. username@hostname

    As mentioned, you're using the same Active Directory for user authentication through the XG310 and XG115.

    The Sophos and Google authenticator applications both allow you to change the account name. You can modify the account name in the authenticator application to match the SSL VPN config file, to identify which token to use for branch and head office.

  • You may copy the secret from XG1 to XG2, so the user has the same token all the time.

    (Possibly a "sync" using the API is an option too)
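
The two approaches from the replies above, as an added example that is not part of the original thread and is not Sophos code: it assumes both firewalls use standard RFC 6238 TOTP, and uses the otpauth key URI, whose issuer and label give each authenticator entry its own name. The secrets are constructed sample values, and `enroll` and the site names used as issuers are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed sample secrets (base32); the first is the RFC 6238 test key.
HEAD_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
BRANCH_SECRET = base64.b32encode(b"constructed-branch-k").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as computed by authenticator apps."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otpauth_uri(secret_b32, account, issuer):
    """Key URI behind an enrollment QR code; the label names the entry in the app."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_b32, "issuer": issuer})

def enroll(site_secrets, account, unix_time):
    """Hypothetical helper: per site, the URI to enroll and the code due at unix_time."""
    return {site: (otpauth_uri(secret, account, site), totp(secret, unix_time))
            for site, secret in site_secrets.items()}

if __name__ == "__main__":
    import time
    now = int(time.time())
    user = "user.one@domainname.com"
    # First reply: one secret per firewall, entries told apart by their name.
    separate = enroll({"HeadOffice": HEAD_SECRET, "BranchOffice": BRANCH_SECRET}, user, now)
    # Second reply: secret copied to both firewalls, so one entry serves both.
    # The same code is then valid at both firewalls during the same 30 s step.
    shared = enroll({"HeadOffice": HEAD_SECRET, "BranchOffice": HEAD_SECRET}, user, now)
    for name, result in (("separate", separate), ("shared", shared)):
        for site, (uri, code) in result.items():
            print(name, site, code, uri)
```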