Answers
@rgr is this KB-article not what you're looking for? Follow the steps to unbind the TOTP.
--Michael@BWC
I am convinced this is another "problem in the making" because of the vendor's choice of vernacular.
Most people think of setting and resetting MFA, and that is what they will search for. However, they will never find the aforementioned KB article because it does not use those keywords.
Some technicians think of bind and unbinding a device, and that is what SonicWall has selected to use.
I would never pass the SW exam because I can't be bothered keeping track of this kind of nonsense.
If you've got the group synced with LDAP then the quickest way to do this is delete the user from the firewall. The user gets created the first time they log in and bind their TOTP. You would lose any manual permissions you might have set on the user, but we don't do that so it's not an issue.
Hello @Arkwright, could you detail how to do this: "the quickest way to do this is delete the user from the firewall"? On 7.1.1, I have the AD group mirrored from Active Directory and a member of SSL VPN Services. TOTP is enabled on the group.
The user is correctly recognized by AD and assigned privileged SSL access, but is only present in the Status (User and SSL) view, which allows me only to kick him off, not delete him.
So I am missing the operation to delete such a user in order to unbind the assigned TOTP.
You aren't deleting them from SSLVPN.
Users > Local Users & Groups
Delete the user. The next time they connect, they will be prompted to enroll MFA.
There seems to be a refresh problem because the user does not show unless I import the user from LDAP, in order for all new users to show up/refresh. I can then delete with the little trash can.
I'm using the latest OS with a TZ570 and I import users from a Windows LDAP group for my SSL VPN authorized users, with TOTP activated for the group.
First: just import groups, not users. Easier to manage, unless you have a tiny number of users.
Second: There is/was a bug in gen7 where the list of users is empty, and then if you put something in the search box, the users will appear.
Tried your search box trick but it did not do it for me… bummer
I do import a group since I can't seem to be able to import users directly from a group (that would probably make management easier).
The bug seems to still be alive because I just updated my firmware last week (I have a couple of sites/TZ570s).
What are you trying to do? If you are only importing groups and not users, then the users will not appear in the user list [bug or not bug] until after they have logged in [and possibly, not until they have enrolled TOTP].
My turnaround is to import a test user and this makes all newly enrolled TOTP users appear.
Maybe this might help other people.
Thank you for your feedback :-)
NB: I used to use IPsec GVC, which was fast and idle timeouts were flawless. But I needed MFA… and a RADIUS server + forwarding email services in order to keep using GVC seemed problematic "support wise".
It's annoying, GVC is much better performing than SSLVPN, but SonicWall have lost interest in developing GVC, so we struggle along with SSLVPN.