Users cannot login with OTP

Hi,


We are using UTM software version 9.508-10.

Our remote users must use OTP to create an SSL VPN connection through the Sophos SSL VPN Client.

This morning a user successfully logged in a number of times.

I had to create a new remote user.
After this was done, the new user could successfully log in to the User Portal.
Then I set this user to use OTP.
When the user logs in to the User Portal, the QR code of the OTP token appears.
After scanning the code in the Sophos Authenticator app, we continued the login.
Now when I log in to the User Portal I get the error "wrong password/username, or access denied by policy".
When I log in through the VPN client I get no authentication.

When I disable OTP for this user I can successfully log in to the User Portal and the VPN client with only the user's password.

When I test this with other users I have the same problem :(
Even the user who earlier this morning could successfully log in cannot authenticate using OTP.

Does somebody have a clue?



  • UTM does not prompt separately for the OTP code.   The user is supposed to add it to the end of his password.

    For new users, User Portal allows one-time login (without OTP) to view the QR code.  Once established, the portal requires password and pin concatenated.

    When a user gets a new phone, the preferred behavior is to use the OTP code from the old phone to log into User Portal and display the QR code for the new phone.   But of course, this never happens.  Instead, the one-time login can be re-enabled using WebAdmin... Authentication Services... OTP.   Find the user in the list, and click the reset icon, which is an arrow running around in a circle.   If the user is in your presence, you can click the info button ("i") on the right margin to display his OTP code from within WebAdmin.

    For WAF, I customized the login page to do a three-field login, which makes life easier for our users.  UTM does not permit customizing the User Portal login.

  • Thanks for the answer Douglas,

    However, we had a wrong diagnosis.

    Further investigation taught us that the problem is with one user's phone.

    We use the Sophos Authenticator and the Sophos soft token.

    This new user logged in at the User Portal and scanned the QR code of his token.

    After that he was unable to log in with OTP from his phone.

    Without OTP he was able to log in with only his password.

    We scanned his soft token on another phone with the Sophos Authenticator installed and could successfully log on with OTP.

    We gave the user a new token, without any success.

    We scanned the token of a user who has been logging in for a long time.

    On the phone of the new user we are unable to log on.

    It looks like the Sophos Authenticator or the phone of the new user is not working properly.

    This phone is a Huawei Y7.

    Does somebody have a clue?

  • Tokens depend on correct time of day, to keep the server and phone synchronized.   

    • Does the phone show the correct time?  Phones are normally set to synchronize time with the cellular network, but I think this can be overridden in settings.   I have not tried this, but I would expect that if you put multiple phones side-by-side, the code rollover should change simultaneously on all of them (if they all have the correct time).

    • Does the server have the correct time of day, and is the time server successfully synchronizing with an external clock source?

    There are also parameters in the OTP setup to allow for clock skew, in particular "Maximum passcode offset".
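To illustrate why a skewed phone clock breaks the login and what a passcode-offset window does about it, here is an added RFC 6238 TOTP verifier (example code written for this thread, not Sophos' implementation). It assumes 6-digit HMAC-SHA1 codes with 30-second steps and treats `max_offset` as the number of steps tolerated on either side, which is how "Maximum passcode offset" is assumed to behave; the seed is the RFC 4226 sample seed, not a real token.

```python
import hmac
import hashlib
import struct

# RFC 4226 sample seed (ASCII "12345678901234567890"); not a real token secret.
SECRET = b"12345678901234567890"
STEP = 30       # seconds per code (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the (phone's) clock."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, max_offset: int, step: int = STEP) -> bool:
    """Accept the code if it matches any step within +/- max_offset steps of the server clock.

    max_offset models the "Maximum passcode offset" setting (assumption about its semantics).
    """
    current = server_time // step
    for delta in range(-max_offset, max_offset + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return True
    return False


def skew_demo() -> tuple:
    """A phone running 95 s fast is 3 steps ahead: rejected with offset 1, accepted with offset 3."""
    server_time = 1_600_000_000          # constructed fixed server timestamp
    phone_time = server_time + 95        # phone clock is 95 seconds fast
    code = totp(SECRET, phone_time)
    return (verify(SECRET, code, server_time, max_offset=1),
            verify(SECRET, code, server_time, max_offset=3))


if __name__ == "__main__":
    print("synchronized phone accepted:", verify(SECRET, totp(SECRET, 1_600_000_000), 1_600_000_000, 0))
    print("skewed phone (offset 1, offset 3):", skew_demo())
```

A phone whose clock is off by more than the configured offset window produces codes the server will never accept, which matches the single-device failure described in this thread.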
