We use Sophos UTM 9.7 as our Gateway. It is connected to our Active Directory via LDAP.
When a user logs into our VPN portal, the user is created automatically in our gateway with their AD credentials.
In the Authentication Services --> Global Settings, "End User Portal" is activated.
We have One-Time Password activated and we drag and drop any new user into the "Authentication Settings".
"Auto-create OTP tokens for users" is activated.
Afterwards any user who is dragged in gets a QR code to scan with an authentication app. Then they log in by appending the 6-digit code to their usual password.
Now to the Problem:
We have 2-3 users, created exactly like all the others, for whom the 6-digit code doesn't work. After scanning the QR code, the authentication app shows a 6-digit code, but any conceivable way of entering it results in "invalid username/password (or access denied by policy)".
We deleted the users from the gateway, let them log in to our End User Portal again and redid the whole procedure. Sadly, this resulted in the same error. Wrong password/username is already ruled out, since we tested it on site as well.
Is there any way to get a more detailed explanation on why the login didn't work?
I've seen this once before.
The problem (in this instance) was with the device (mobile phone) that had the authentication app installed. The mobile phone was not set to get the date and time from the network provider. So if the date and time were slightly out on the mobile phone, then the 6-digit rolling code would be wrong.
So changing the mobile phone to automatically update the date and time with the network provider fixed the issue.
I hope this helps.