Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

| Configure | 423

Purging Active Directory Users

This page allows you to purge AD Users.

1. Go to Configure > Authentication > Users and click Purge AD Users to synchronize the device's Active Directory users with an external Active Directory server.

Note: The purge operation does not interrupt user login/logout and accounting events. If HA is configured, user details are deleted from both the primary device and the auxiliary device.

2. Click OK to confirm the message.

Change Status

1. Go to Configure > Authentication > Users.

2. Select a user whose status is to be changed and click Change Status to change the status of that user.

If the current status is Enabled, the status of the user changes to Disabled when you click this button, and vice versa.

One-Time Password

On this page, you can configure the one-time password (OTP) service, and you can monitor or edit the tokens of the one-time-password users.

One-time passwords are a method to improve the security of password-based authentication. The user-specific password, which is sometimes too weak on its own, is supplemented with a one-time password that is valid for only one login. Thus, even if an attacker gets hold of it, they will not be able to log in with it.

One-time passwords change consistently, at regular intervals, and are calculated automatically by a specific algorithm. Soon after a new password is calculated, the old password expires automatically. To calculate one-time passwords, the user needs either a mobile device with appropriate software, or a dedicated hardware security token. Hardware tokens are ready to use from the start. On the mobile device, the end user needs to install Sophos Authenticator or similar software and deploy the configuration, which is available in the User Portal as a QR code, on the start page or on the OTP Token page (see User Portal page). Having done that, the device calculates one-time passwords in token-specific intervals. It is important that date and time are correct on the mobile device, as the time stamp is used for one-time password generation.

Note: To authenticate on facilities where the one-time password is required, the user has to enter their user-specific device password, directly followed by the one-time password.

The administrator can also generate one-time passwords, also known as passcodes, manually. In this case, you have to ensure that these one-time passwords, which are not time-limited, are transmitted safely to the end user. This process, however, should only be considered a temporary solution, for example when a user temporarily has no access to their password-calculating device.

The page displays all existing one-time passwords. You can add, update or delete an OTP. For each OTP, the list shows:

Username

Displays the user name of the OTP owner.

Status

Displays the status of the OTP.

Secret

Displays the 32-character hexadecimal secret of the OTP.

Related information

Create OTP Token Automatically for Two-Factor Authentication

Add OTP Token

This page enables you to add and edit one-time password tokens.

1. Go to Configure > Authentication > One-Time Password and click the Add button.

2. Specify the following details for adding an OTP token:

Secret

This is the shared secret of the user's hardware token or soft token. A hardware token has an unchangeable secret, given by the hardware producer. The soft token is created randomly by Sophos XG Firewall when Auto-create OTP tokens for users is enabled. The secret must be in hexadecimal format and consist of at least 32 characters.

User (optional)

Select the user to whom the token should be assigned.

Description (optional)

Add a description or other information. This text is displayed to the administrator together with the QR code. If you define different tokens for one person, e.g., a hardware token and a soft token for the mobile phone, it is useful to enter some explanation here, as all QR codes are displayed to the user side by side.

Use custom token timestep

If a token needs a different timestep from the default token timestep defined in the OTP Settings section, enable this toggle switch and enter the value. The timestep defined here has to match the timestep of the user's password-generating device, otherwise authentication fails.

Timestep

Enter the custom timestep for this token.

Acceptable range: 10 - 300 seconds.

Additional Codes (Available only when editing OTP token)

You can add one-time passwords manually for a token. Click the Plus icon to generate the one-time passwords (up to 10). These one-time passwords are not time-limited. A one-time password is deleted automatically once the user has logged in with it.

Figure 400: Add OTP Token

3. Click Save.

The OTP token for the specific user has been created and appears in the one-time password list on the One-time Password page.

Configure One-time Password

This page allows you to enable and configure the one-time password service.

1. Go to Configure > Authentication > One-Time Password and click the Settings button.

2. Activate the one-time password service by clicking on the ON/OFF slider.

3. Specify the OTP service status.

OTP for all users

If enabled, all users have to use one-time passwords. If only specific users should use one-time passwords, disable this option and select or add users or groups from the list.

Auto-Create OTP Tokens for users

If enabled, a QR code for configuring the mobile device software will be presented to the authorized users the next time they log in to the User Portal. For this to work, make sure that the users have access to the User Portal. When a user logs in to the User Portal, the respective token will appear in the OTP Tokens list. Enabling this feature is recommended when you are using soft tokens on mobile devices. If your users only use hardware tokens, you should instead disable this option and add the tokens before enabling the OTP feature.

Enable OTP for facilities

Here, you select the Sophos XG Firewall facilities that should be accessed with one-time passwords by the selected users. When you select the Auto-create OTP tokens for users option, the User Portal needs to be enabled for security reasons: as the User Portal gives access to the OTP tokens, it should have no weaker protection itself.

Note: When selecting WebAdmin, you have to ensure that the selected users have access to their one-time password tokens. Otherwise you may lock them out permanently.

4. Specify the timestep settings.

Default token timestep in seconds

To synchronize one-time password generation on the mobile device and on the Sophos XG Firewall, the timestep has to be identical on both sides. Some hardware tokens use 60 seconds. Other software OTP tokens use a timestep of 30 seconds, which is the default value here. If the timestep does not match, authentication fails.

Acceptable Range: 10 - 300 seconds

Default: 30 seconds

Maximum passcode offset steps

This option sets the maximum passcode offset steps. For example, if you set 3 steps, the token's clock may drift by no more than 3 timesteps between two logins.

Acceptable range: 0 - 10 steps

Default: 1 step

Maximum initial passcode offset steps

This option sets the maximum initial passcode offset steps. For example, if you set 10 steps, the token's clock may drift by no more than 10 timesteps between two logins. This option applies only when the user employs the token for the very first time.

Acceptable range: 0 - 600 steps

Default: 10 steps
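The following Python example, added here and not part of the Sophos guide, models how a verifier can apply the settings above: it generates RFC 6238 TOTP codes from a hexadecimal secret with a configurable timestep, accepts a code only within the drift window given by the maximum (initial) passcode offset steps, rejects reuse of an accepted code, and checks a login where the device password is directly followed by the one-time password. It assumes the tokens use standard TOTP (HMAC-SHA1, 6 digits) and interprets the offset-step settings as a tolerance relative to the drift learned at the previous login; both are assumptions, and the secret used is the public RFC 6238 test-vector secret, not a real token's.

```python
import hashlib, hmac, struct, time

# RFC 6238 test-vector secret ("12345678901234567890" as hex); a real token's secret differs.
RFC6238_SECRET_HEX = "3132333435363738393031323334353637383930"

def totp_code(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian timestep counter, dynamically truncated."""
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class OtpToken:
    # Per-token verifier applying the guide's timestep and offset-step (drift) limits.
    def __init__(self, secret_hex, timestep=30, max_offset=1, max_initial_offset=10):
        if len(secret_hex) < 32 or not 10 <= timestep <= 300:
            raise ValueError("secret needs >= 32 hex characters; timestep must be 10-300 s")
        self.secret, self.timestep = secret_hex, timestep
        self.max_offset, self.max_initial_offset = max_offset, max_initial_offset
        self.last_offset = None   # token clock drift (in steps) learned at the last login
        self.last_counter = None  # counter of the last accepted code, to reject reuse

    def verify(self, code: str, now=None) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        server_counter = int((time.time() if now is None else now) // self.timestep)
        # First use: wide initial window; afterwards only a small extra drift per login (assumed).
        if self.last_offset is None:
            base, window = 0, self.max_initial_offset
        else:
            base, window = self.last_offset, self.max_offset
        for delta in range(-window, window + 1):
            offset = base + delta
            counter = server_counter + offset
            if counter < 0 or (self.last_counter is not None and counter <= self.last_counter):
                continue  # never valid, or already consumed / older than the last login (replay)
            if hmac.compare_digest(totp_code(self.secret, counter), code):
                self.last_offset, self.last_counter = offset, counter
                return True
        return False

def verify_login(token: OtpToken, stored_password: str, entered: str, now=None) -> bool:
    """Login check as the guide describes: device password immediately followed by the 6-digit OTP."""
    if len(entered) <= 6:
        return False
    password, otp = entered[:-6], entered[-6:]
    if not hmac.compare_digest(password.encode(), stored_password.encode()):  # stand-in for a hash check
        return False
    return token.verify(otp, now)
```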
