Enable OTP
mrshahin
Hi,
How can I enable the OTP via mail for the default admin account on sonicwall nsa 3650?
I already know that I can create a new local account and then enable OTP for this new account, but I don't know how to do this with the default admin account.
Any suggestion?
Thanks
Category: Firewall Management and Analytics
Best Answer
shiprasahu93 Moderator
Yes, that is correct. You can bind the local admin account with an authenticator on phone/PC and use the generated code on that authenticator to complete the MFA.
Please refer to the KB below for more details.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Answers
@mrshahin,
For OTP via mail, we need to associate a username with an email address and we cannot do that with the built-in admin account. We can enable TOTP for the admin account though. Otherwise, you can create a local user, add it to SonicWall Administrators Group and then enable OTP via mail on it.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93 Thanks as always for your reply,
If I understood this correctly, the TOTP will work as MFA for the local admin account, and we can use it instead of OTP, which sends a randomly generated number each time. Correct?
Thanks
If you create a 'new' admin account to use OTP via email, how do you disable the built-in admin, as not having OTP on that account defeats our purpose of enabling it?
Thanks
I'm with @PPI_MIS ...
If the built-in "admin" account cannot have TOTP associated with an email address, how might multiple people access these devices if/when such use of the account is required? Each engineer is assigned their own local account, but in the event it's needed, this built-in admin account would/could be used as the backup. Disabling TOTP on this account altogether isn't the solution. Using G/MS auth apps isn't glamorous... AFAIK, you can only register the key against a single device.
Short of buying into a "single/shared" device in which to maintain keys for each built-in admin account, how do we secure our firewall(s) without requiring one (of many) individual to be responsible for these keys?
Maybe that's the point? What are others doing?
@PPI_MIS @abhits Did you ever figure out a solution for this? Why can we not disable the built-in admin account? This limitation really seems to defeat the entire idea behind MFA on user accounts.
Otherwise, how do I even go about enrolling the admin user in MFA?
From my understanding, it's always best practice to have a break-glass account without MFA. If MFA stops working for whatever reason, you'll need some type of management access. Give the default admin account a lengthy password and never use it.
You can create a secondary account with the admin role and have that use MFA.
Went through MFA/2FA very recently.