I am trying to set up the Connect Client with OTP. If I use only Username and Password for authentication, everything works fine. Now I generated an OTP Token for the Sophos Authenticator App and tested it on WebAdmin with “OTP time-offset synchronization”, and I get the message “This token is in sync”. Everything is OK.
Now I enabled “Prompt users for 2FA token” in the IPsec settings on the Firewall and imported the new configuration into the Connect Client. The client asks for Username, Password, and token. If I enter all the information, I get this error message on the Firewall:
“User ben failed to login to VPN though Local authentication mechanism because of wrong credentials”
The Firewall is running 18.5.1 and the Connect Client is 2.1.20.0309. The WAN side of the Firewall is behind a NAT Gateway, and ports 500/UDP and 4500/UDP are forwarded from the Router to the Firewall.
Does anybody have an idea what’s going wrong?
Under Authentication / OTP ...
.. did you enable OTP for this user (or all users)?
.. did you enable OTP for IPsec remote access?