disable MFA for captive portal

Referring to this thread discussion: MFA on web authentication

When this setting is used, MFA is not prompted for client VPN users. VPN users can log in with username and password only. No MFA required.

When "No OTP" is changed to "Specific Groups", MFA is asked for both captive portal and VPN users.

How to enable MFA for VPN users alone, not for captive portal users?

Added TAGs
[edited by: Raphael Alganes at 2:27 PM (GMT -7) on 2 May 2024]
  • Hi, with the option "Generate OTP token with next sign-in" enabled, it will auto-enable the MFA check box in the user portal, so the end user may sign in to the VPN or user portal and scan the QR code using the authenticator app, and this process will auto-generate the OTP token for that respective user.

    As per the current working design, once MFA is enabled for the User Portal, it will auto-enable MFA for the Captive portal and CAA (client authentication agent) authentication-based methods. (This is a kind of hard-coded setting).

    So if you opt to turn off the automatic creation of OTP tokens, which will allow you to uncheck "User Portal" from MFA settings, you will be required to configure OTP tokens manually for all users under "Issued tokens" for which you want MFA over VPN.

    Another possibility I can think of is to leave the previous settings as they are until all users log in for the first time to the user portal or VPN portal to scan the QR code to generate the OTP token automatically, and once this is done by all users you may disable the MFA for the user portal.

    However, if you want an option where enabling MFA on the user portal should not enable MFA for the Captive portal and CAA, then that will be a kind of feature request, as mentioned in a previous comment by my colleague.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
