Unfortunately, I had to find the following problems regarding OTP + SSL VPN (for me pretty useless regarding the provision feature):
General:
- Users without a (manual) first login (without existing OTP) are not supported -> no login possible without OTP if OTP is activated in the client -> provisioning not usable (if the user has to log in to the user portal first, why should I use the provisioning?)
- why is the QR code not just shown in the client on first login?
Provisioning with OTP:
- a user (already has OTP) can not use provisioning without error on first login:
the client logs in to the user portal, gets the config, and directly after (!) the client tries to connect to the new SSL VPN -> login failed IN ANY CASE (as the name says, an OTP can be used only one time); the client does (2) logins with provisioning (download the config and log in again for the connection) -> did the DEVs ever test this?
- LOG during provisioning -> user portal logon OK + SSL VPN failed (within some seconds)
- no option to configure the client "do just one login and download the config without immediate connection"
- I can not tell the user "use the provisioning and login, just ignore the error message, but when you have a new OTP after 30 sec. you can connect"
- it is not possible to use the user portal without OTP and SSL VPN with OTP (or vice versa) -> provisioning (user portal + SSL VPN connection) can only use OTP for all or nothing
Version 2.2.90.1104 / XGS 19.5
Provisioning File:
[
  {
    "gateway": "vpn.gate.xxxxxx",
    "user_portal_port": 443,
    "otp": true,
    "2fa": 1,
    "can_save_credentials": true,
    "auto_connect_host": false,
    "check_remote_availability": false,
    "run_logon_script": false
  }
]
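The double login described in the post above, as an added example that is not part of the original thread and is not Sophos code. It assumes a standard RFC 6238 TOTP with a 30-second step and a single verifier (the hypothetical `OtpVerifier`) that rejects a code already accepted in the same time step, as RFC 6238 requires; the secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; the post mentions a new OTP "after 30 sec."
SECRET = b"12345678901234567890"  # constructed: RFC 6238 test secret

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Hypothetical verifier shared by the user portal and the SSL VPN."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1   # newest time step whose code was accepted
        self.log = []              # (service, accepted) per attempt

    def login(self, service: str, code: str, now: int) -> bool:
        step = now // STEP
        fresh = step > self.last_used_step           # replay protection
        match = hmac.compare_digest(code, totp(self.secret, now))
        ok = fresh and match
        if ok:
            self.last_used_step = step
        self.log.append((service, ok))
        return ok

def provisioning_flow(verifier: OtpVerifier, t_portal: int, t_vpn: int):
    """The client behaviour from the post: one OTP entered, two logins sent."""
    code = totp(verifier.secret, t_portal)           # what the user typed
    portal_ok = verifier.login("user_portal", code, t_portal)
    vpn_ok = verifier.login("ssl_vpn", code, t_vpn)  # same code, reused
    return portal_ok, vpn_ok

if __name__ == "__main__":
    v = OtpVerifier(SECRET)
    t0 = 1_000_020                                   # constructed timestamp
    print(provisioning_flow(v, t0, t0 + 3))          # config download, then connect
    later = t0 + STEP                                # next time step, fresh code
    print(v.login("ssl_vpn", totp(SECRET, later), later))
    print(v.log)
```

The verifier's log reproduces the pattern reported in the post: portal logon accepted, SSL VPN rejected seconds later, then accepted once a code from the next time step is used.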
Hello,
Good day, and thanks for reaching out to the Sophos Community.
Apologies for the inconvenient experience you have faced, and thank you for your extended patience.
This behavior should be on the KIL for Sophos Connect NCL-1391, along with the respective workaround: https://doc.sophos.com/support/kil/index.html
Again, many thanks for your time and patience, and thank you for choosing Sophos.
Cheers,
Raphael Alganes
Global Community Engineer, Support & Services
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.
The award-winning home for Sophos Support videos! - Visit Sophos Techvids
Thanks a lot! I just hope it will be fixed soon. Just disabling auto-connect with OTP after provisioning would solve that problem ;-)
Hello C3-PO,
Thank you for your understanding, for taking the time to update the thread, and for sharing your knowledge with the Community. Much appreciated.
Cheers,
Raphael Alganes
Global Community Engineer, Support & Services