0% found this document useful (0 votes)

14 views

FW3550 19.0v1 Troubleshooting Multifactor Authentication On Sophos Firewall

Uploaded by

davidiazs

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

14 views

FW3550 19.0v1 Troubleshooting Multifactor Authentication On Sophos Firewall

Uploaded by

davidiazs

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 11

Troubleshooting Multifactor

Authentication on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3550: Troubleshooting Multifactor Authentication on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Troubleshooting Multifactor Authentication on Sophos Firewall - 1

Troubleshooting Multifactor Authentication on Sophos
Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to resolve problems when a user ✓ Configuring Multifactor Authentication on Sophos
is unable to login using a token Firewall
for multi-factor authentication.

DURATION

3 minutes

In this chapter you will learn how to resolve problems when a user is unable to login using a token
for multi-factor authentication.

Troubleshooting Multifactor Authentication on Sophos Firewall - 2

User Cannot Authenticate 1

Sophos Firewall supports multi-factor authentication using one-time passwords.

There are different types of one-time password. You can use either software tokens, such as the
Sophos Authenticator App or Sophos Intercept X App that are available for Android and iOS, or
hardware tokens, if they conform to RFC 6238.

Authentication problems with one-time passwords are almost always caused by a time difference
between the Sophos Firewall and the device with the token, usually a mobile phone.

Troubleshooting Multifactor Authentication on Sophos Firewall - 3

User Cannot Authenticate 2

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# tail –f /log/access_server.log

MESSAGE Aug 06 10:36:24 [OTP_AUTH]: (otp_code_correct): Will verify code 603105 for
user [email protected]
ERROR Aug 06 10:36:24 [OTP_AUTH]: (otp_code_correct): oath_totp_validate() failed
for tokenid befd6f441e4645d6a4afacefb85eaea9 with error The OTP is not valid
MESSAGE Aug 06 10:36:24 [OTP_AUTH]: (otp_handle_short_password_success_request):
REJECT1 for user [email protected] (bad OTP code or user's token is not active)
ERROR Aug 06 10:36:24 [access_server]: check_auth_result: VPN/SSLVPN/MYACC
Authentication Failed

In /log/access_server.log you will see that the OTP token is rejected because it is a bad code, or the
token is not active.

Troubleshooting Multifactor Authentication on Sophos Firewall - 4

User Cannot Authenticate 2

First check that the token is enabled, and if it is not, enable it.

Troubleshooting Multifactor Authentication on Sophos Firewall - 5

User Cannot Authenticate 2

If the token is enabled and you are seeing this error, compare the time on Sophos Firewall with the
device the token is being generated on for the user.

If they are not in sync, correct the time.

Troubleshooting Multifactor Authentication on Sophos Firewall - 6

User Cannot Authenticate 2
1

2 3

It may not always be possible to correct the time on the token. In this case the firewall can
compensate for the time difference.

1. Click on the OTP time-offset synchronization icon for the token.

2. Enter the current token code and click Check.
3. Sophos Firewall will show how far out of sync it is. Click Apply to set the offset for the token.

Troubleshooting Multifactor Authentication on Sophos Firewall - 7

User Cannot Authenticate 3

The user will then be able to login using their token.

Troubleshooting Multifactor Authentication on Sophos Firewall - 8

Additional OTP Codes

As a temporary workaround you can also add additional one-time codes to the token. These can be
given to the user so that they can login even if their token is not working or they have lost it.

These codes should be communicated to the users in a secure manner. It is important to note that
the codes do not expire until they are used or unless an administrator manually removes them.

Troubleshooting Multifactor Authentication on Sophos Firewall - 9

Chapter Review

Authentication problems with one-time passwords are almost always caused by a time
difference between the Sophos Firewall and the device with the token, usually a mobile
phone

OTP time-offset synchronization prompts for entry of the current token code and
Sophos Firewall will show how far out of sync it is

As a temporary workaround you can also add additional one-time codes to the token

Here are the three main things you learned in this chapter.

Authentication problems with one-time passwords are almost always caused by a time difference
between the Sophos Firewall and the device with the token, usually a mobile phone.

OTP time-offset synchronization prompts for entry of the current token code and Sophos Firewall
will show how far out of sync it is.

As a temporary workaround you can also add additional one-time codes to the token.