In our introductory article, Two Factor Authentication with Sophos UTM - Concepts and Considerations, we discussed some of the options for choosing a Two Factor Authentication solution for your environment.
We came to the conclusion that the use of a One-time Password (OTP) by way of a soft token is a very flexible solution that adds great security with very few penalties. It is in fact the same method used by Google Authenticator.
This article shows you how to start using two factor authentication and OTP to lock down the administration of your Sophos UTM - without locking yourself out!
You will need to specify a hexadecimal octet string that is 40 characters long (20 bytes). If you are good at coming up with strings like "aaa85e0ca44f0c168106c3c5d74dde5b60419fa8" you can generate one on your own. For the rest of us, one of the following methods should be used.
If you're using an Apple Mac or Linux distro containing OpenSSL, you can use it to generate a random value for you with the following command:
openssl rand -hex 20
Otherwise, you can make use of Browserling's Random HEX Generator to generate your 40-digit hex code.
On your smart device, install either of the following apps:
They use the same open standard which means the apps are identical in function.
Like many features on Sophos UTM, One-time Password is available but disabled by default.
To make sure that you do not lock yourself out of the UTM, do the following with a secondary admin account before enabling it on your primary account.
Next, you need to enrol for the token on your device so it can generate OTPs for you.
At this point you have generated a token for yourself (well, for your secondary admin user account), but you have not specified where it should be used.
In the Authentication Settings section:
Make sure you have an admin account that does not already require OTP before you go ahead.
As an example:
You should now be logged on with your stronger Two Factor Authentication method. If you try to log in without your OTP appended, Sophos UTM will simply give you an incorrect password error. It does not say anything about a token being required, which is good, since verbose error messages give away information that could be used in cracking attempts. The error is also accurate: once Two Factor Authentication is enabled, the password you type is effectively dynamic, changing with every time step.
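To make the "same open standard" concrete, here is an added example (it is not Sophos code, and it does not describe how the UTM validates logins internally) that implements RFC 6238 TOTP over a 40-hex-character seed like the one generated above and checks a login submitted in the password-plus-appended-OTP form described in this paragraph. The 30-second step, 6-digit length and HMAC-SHA1 are the Google Authenticator defaults; the verification function and its clock-drift window are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step; the RFC 6238 / Google Authenticator default
DIGITS = 6   # length of the code the authenticator app displays


def hotp(secret_hex: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = bytes.fromhex(secret_hex)                 # the 40 hex characters decode to the 20-byte key
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_hex: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret_hex, unix_time // step)


def verify_password_with_otp(submitted: str, stored_password: str, secret_hex: str,
                             unix_time: int, window: int = 1) -> bool:
    """Validate a login where the 6-digit OTP is appended to the static password.

    Returns a single pass/fail so the caller can emit one generic "incorrect password"
    error whether the password, the OTP or both were wrong. `window` tolerates that
    many time steps of clock drift in either direction between server and phone.
    """
    if len(submitted) <= DIGITS:
        return False                                 # nothing left for the password once the OTP is split off
    password, otp = submitted[:-DIGITS], submitted[-DIGITS:]
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    counter = unix_time // STEP
    otp_ok = any(hmac.compare_digest(otp.encode(), hotp(secret_hex, counter + d).encode())
                 for d in range(-window, window + 1))
    return password_ok and otp_ok


if __name__ == "__main__":
    # The article's own example string, used here only as a demo seed; it has the
    # same shape (20 random bytes as 40 hex characters) that `openssl rand -hex 20` produces.
    demo_seed = "aaa85e0ca44f0c168106c3c5d74dde5b60419fa8"
    print("current code for the demo seed:", totp(demo_seed, int(time.time())))
```

Entering the seed into the app and comparing its display with this script's output for the same seed is a quick way to confirm that the phone and the server agree on the time.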
Now you have confirmed everything is working, you can go ahead and repeat the process for your primary admin user account.
Your Sophos UTM's administration is now more secure because it requires not just one but two factors of authentication. Even if you never roll out Two Factor Authentication for any of your users, you really should do this for your UTM administrators.
This guide stepped through the process of manually enrolling a user for OTP. I prefer this for the administrator account because it gives me the freedom to source my entropy from anywhere. You could in theory even set your administrator on multiple UTMs to use the same secret, meaning that they will accept the same token.
In the next article, I will show you how to set up OTP for your users using the simpler user self-enrolment process.