I've been using the EAP for a bit and it's working well. One thing: it doesn't have a typical window minimize button, and sometimes it will take up the whole screen. One other thing: the Client Connect policy does not have the "disconnect when tunnel is idle" option selected, but it will drop the connection and prompt for the OTP from time to time (several hours).
The ability to save username/password then only subsequently prompt for the OTP is pretty cool. I think users will like that.
My understanding is that OTP prompting at 4-hour intervals is hardcoded with the IPsec configuration and not tied to the idle disconnect interval setting.
"Hardcoded" in that the IPsec config/OTP timeout can't be configured?