BugZero found this defect 311 days ago.
7/13/2023
Firebox M200
Firebox M300
Firebox M270
Firebox M370
Firebox M470
Firebox M570
Firebox M670
Firebox M290
Firebox M390
Firebox M400
Firebox M500
Firebox M440
All
Fireware
12.x
12.7.x
All
In Fireware v12.7 and higher, the Mobile VPN with SSL client (Windows and macOS) might send the one-time password (OTP) prompt of a user as a password when it authenticates the user to a Firebox configured to use the AuthPoint authentication server. Because the OTP prompt is not the password of the user, this can cause authentication to fail.
This issue occurs when a user re-authenticates after a disconnect and uses an AuthPoint policy that supports both Password + Push and Password + OTP authentication types. The Mobile VPN with SSL client mistakenly views the new connection as a continuation of the previous session, and views the OTP prompt as the password of the user.
If the Mobile VPN with SSL client fails to authenticate, close and reopen it. This forces the Mobile VPN with SSL client to view the next authentication request as a new authentication.
If this issue affects multiple users, you can limit the AuthPoint authentication policy to only Password + Push or Password + OTP. If you have users who must use different multi-factor authentication (MFA) types to support hardware tokens, you can create two AuthPoint authentication policies that are based on user and group memberships.