When I use the LDAP login mode, it works fine and the VPN connection is established.
But if I switch to the LDAPOTP login mode, it treats the request as an "EAP-GTC Wifi access request" and disables OpenOTP challenge mode.
What am I missing? Please help.
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] New openotpSimpleLogin SOAP request
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Username: testuser
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Password: xxxxxxxx
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Client ID: 212.XX.XXX.XX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Source IP: 212.XXX.XXX.XX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Retry ID: 1F678E1A6881A7B396C419B0692CC596A9BA2715
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Settings: OpenOTP.ChallengeMode=No
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] > Options: RADIUS,-U2F
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Enforcing client policy: anyconnect (matched client ID)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Registered openotpSimpleLogin request
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Resolved LDAP user: cn=testuser,dc=Clients,dc=WebADM
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Resolved source location: BY
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Started transaction lock for user
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found user fullname: testuser
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found user language: EN
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 user mobiles: +XXX XXXXXXXX
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 user emails: xx...@xxxxx.xxx
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 46 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 request settings: ChallengeMode=No
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 4 user data: LastOTP,TokenType,TokenKey,TokenState
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Last OTP expired 2020-01-23 14:41:38
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Found 1 registered OTP token (TOTP)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Challenge mode disabled (assuming concatenated passwords)
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Requested login factors: LDAP & OTP
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] LDAP password Ok
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Challenge required but challenge mode disabled
[2020-01-23 14:42:26] [127.0.0.1] [OpenOTP:10DU5M23] Sent failure response
(0) Service-Type = Login-User
(0) Cisco-AVPair = "service-type=Login"
(0) Cisco-AVPair = "isakmp-phase1-id=eap"
(0) Calling-Station-Id = "212.XX.XXX.XX"
(0) Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(0) User-Name = "testuser"
(0) Cisco-AVPair = "coa-push=true"
(0) EAP-Message = 0x023b000d017465737475736572
(0) Message-Authenticator = 0xa94a9d7888ae1a2a9978e3b573121517
(0) NAS-IP-Address = 10.141.64.14
(0) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(0) authorize {
(0) eap: Peer sent EAP Response (code 2) ID 59 length 13
(0) eap: Continuing tunnel setup
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /opt/radiusd/lib/radiusd.ini
(0) Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 60 length 6
(0) eap: EAP session adding &reply:State = 0xa82519b2a8190cfc
(0) [eap] = handled
(0) } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) EAP-Message = 0x013c00061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xa82519b2a8190cfc3b14c3237ae31d97
(0) Finished request
Waking up in 9.9 seconds.
(1) Service-Type = Login-User
(1) Cisco-AVPair = "service-type=Login"
(1) Cisco-AVPair = "isakmp-phase1-id=eap"
(1) Calling-Station-Id = "212.XX.XXX.XX"
(1) Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(1) User-Name = "testuser"
(1) Cisco-AVPair = "coa-push=true"
(1) EAP-Message = 0x023c00060306
(1) Message-Authenticator = 0x504df3557baf8411cfc27bbdc3ea9ce9
(1) State = 0xa82519b2a8190cfc3b14c3237ae31d97
(1) NAS-IP-Address = 10.141.64.14
(1) session-state: No cached attributes
(1) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(1) authorize {
(1) eap: Peer sent EAP Response (code 2) ID 60 length 6
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /opt/radiusd/lib/radiusd.ini
(1) Auth-Type EAP {
(1) eap: Expiring EAP session with state 0xa82519b2a8190cfc
(1) eap: Finished EAP session with state 0xa82519b2a8190cfc
(1) eap: Previous EAP request found for state 0xa82519b2a8190cfc, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type GTC (6)
(1) eap: Calling submodule eap_gtc to process data
(1) eap_gtc: EXPAND Password:
(1) eap_gtc: --> Password:
(1) eap: Sending EAP Request (code 1) ID 61 length 15
(1) eap: EAP session adding &reply:State = 0xa82519b2a9181ffc
(1) [eap] = handled
(1) } # Auth-Type EAP = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) EAP-Message = 0x013d000f0650617373776f72643a20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xa82519b2a9181ffc3b14c3237ae31d97
(1) Finished request
Waking up in 9.9 seconds.
(2) Service-Type = Login-User
(2) Cisco-AVPair = "service-type=Login"
(2) Cisco-AVPair = "isakmp-phase1-id=eap"
(2) Calling-Station-Id = "212.XX.XXX.XX"
(2) Cisco-AVPair = "audit-session-id=L2L45CDF7ACAZO2L4D462AD0BZH11941273H2H2Y357D"
(2) User-Name = "testuser"
(2) Cisco-AVPair = "coa-push=true"
(2) EAP-Message = 0x023d000d065465737431323334
(2) Message-Authenticator = 0x9d5b532e871606f6c53728b6fe4fdd85
(2) State = 0xa82519b2a9181ffc3b14c3237ae31d97
(2) NAS-IP-Address = 10.141.64.14
(2) session-state: No cached attributes
(2) # Executing section authorize from file /opt/radiusd/lib/radiusd.ini
(2) authorize {
(2) eap: Peer sent EAP Response (code 2) ID 61 length 13
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /opt/radiusd/lib/radiusd.ini
(2) Auth-Type EAP {
(2) eap: Expiring EAP session with state 0xa82519b2a9181ffc
(2) eap: Finished EAP session with state 0xa82519b2a9181ffc
(2) eap: Previous EAP request found for state 0xa82519b2a9181ffc, released from the list
(2) eap: Peer sent packet with method EAP GTC (6)
(2) eap: Calling submodule eap_gtc to process data
(2) eap_gtc: # Executing group from file /opt/radiusd/lib/radiusd.ini
(2) eap_gtc: Auth-Type PAP {
rlm_openotp: Found EAP-GTC Wifi access request (disabing OpenOTP challenge mode)
(2) openotp: WARNING: No "known good" password found for the user.
rlm_openotp: Found client ID attribute with value "212.XX.XXX.XX"
rlm_openotp: Found source IP attribute with value "212.XX.XXX.XX"
rlm_openotp: Found device ID attribute with value ""
rlm_openotp: Found client IP attribute with value ""
rlm_openotp: Sending openotpSimpleLogin request
rlm_openotp: OpenOTP authentication failed
rlm_openotp: Reply message: Invalid username or password
rlm_openotp: Sending Access-Reject
(2) eap_gtc: [openotp] = reject
(2) eap_gtc: } # Auth-Type PAP = reject
(2) eap: ERROR: Failed continuing EAP GTC (6) session. EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 61 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # Auth-Type EAP = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Login incorrect (eap: Failed continuing EAP GTC (6) session. EAP sub-module failed): [testuser] (from client any port 0 cli 212.XX.XXX.XX)
(2) Reply-Message := "Invalid username or password"
(2) Error-Cause := 25238512
(2) EAP-Message = 0x043d0004
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) Finished request
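The RADIUS debug above only shows the EAP packets as hex. Decoding them makes the sequence explicit: the client answers the EAP-TTLS start with a NAK asking for GTC, FreeRADIUS prompts "Password: ", the client replies with the single GTC value "Test1234", and that value is exactly what rlm_openotp hands to openotpSimpleLogin as the password before OpenOTP answers "Challenge required but challenge mode disabled". The script below is an added example written for this page; it is not code from the original post, from FreeRADIUS or from RCDevs. It parses the EAP-Message attributes per RFC 3748 (Code, Identifier, Length, Type, Type-Data) from lines copied out of the log above, and the `could_carry_otp` check rests on one labelled assumption: that "assuming concatenated passwords" means the LDAP password immediately followed by the OTP, with the OTP length taken from the `OTPLength=6` user setting in the OpenOTP log.

```python
"""Decode EAP-Message attributes from a FreeRADIUS debug log (RFC 3748 framing).

Added example for this page; not part of the original post, FreeRADIUS or OpenOTP.
"""
import re

# Sample input: the six EAP-Message lines copied from the FreeRADIUS debug output in the post.
SAMPLE_LOG = """\
(0) EAP-Message = 0x023b000d017465737475736572
(0) EAP-Message = 0x013c00061520
(1) EAP-Message = 0x023c00060306
(1) EAP-Message = 0x013d000f0650617373776f72643a20
(2) EAP-Message = 0x023d000d065465737431323334
(2) EAP-Message = 0x043d0004
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Only the EAP types that appear in the exchange above are named here.
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 21: "TTLS"}
# EAP-TTLS flags byte (RFC 5281): L = length included, M = more fragments, S = start.
TTLS_FLAGS = {0x80: "L", 0x40: "M", 0x20: "S"}

EAP_MESSAGE_RE = re.compile(r"^\((\d+)\)\s+EAP-Message\s*=\s*0x([0-9a-fA-F]+)\s*$", re.M)


def describe(eap_type, data):
    """Human-readable view of the Type-Data for the types seen in the log."""
    if eap_type in (1, 6):                      # Identity and GTC carry plain text
        return data.decode("ascii", errors="replace")
    if eap_type == 3:                           # Nak lists the types the peer accepts
        return "peer wants " + ", ".join(EAP_TYPES.get(b, f"type{b}") for b in data)
    if eap_type == 21:                          # TTLS: first byte is the flags field
        flags = data[0] if data else 0
        names = [n for bit, n in TTLS_FLAGS.items() if flags & bit] or ["none"]
        return f"flags={'+'.join(names)} payload={len(data) - 1 if data else 0}B"
    return data.hex()


def parse_eap(hexstr):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    pkt = bytes.fromhex(hexstr)
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    info = {"code": EAP_CODES.get(code, f"code{code}"), "id": ident,
            "length": length, "type": None, "data": b"", "detail": ""}
    if code in (1, 2):                          # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        info["type"] = EAP_TYPES.get(pkt[4], f"type{pkt[4]}")
        info["data"] = pkt[5:]
        info["detail"] = describe(pkt[4], pkt[5:])
    return info


def decode_exchange(log_text):
    """Return [(request_number, parsed_packet), ...] for every EAP-Message line."""
    return [(int(n), parse_eap(h)) for n, h in EAP_MESSAGE_RE.findall(log_text)]


def gtc_response_value(log_text):
    """Text the peer sent in its last EAP-GTC Response: the value rlm_openotp
    forwards as the password of openotpSimpleLogin in the post's setup."""
    for _, p in reversed(decode_exchange(log_text)):
        if p["code"] == "Response" and p["type"] == "GTC":
            return p["data"].decode("ascii", errors="replace")
    return None


def could_carry_otp(value, otp_length=6):
    """Assumption (labelled): 'concatenated passwords' = LDAP password immediately
    followed by the OTP, and OTPLength=6 as in the user settings of the OpenOTP log.
    A value that does not end in otp_length digits cannot be such a concatenation."""
    return len(value) > otp_length and value[-otp_length:].isdigit()


if __name__ == "__main__":
    for n, p in decode_exchange(SAMPLE_LOG):
        print(f"({n}) {p['code']:8} id={p['id']:3} len={p['length']:2} "
              f"{p['type'] or '-':8} {p['detail']}")
    sent = gtc_response_value(SAMPLE_LOG)
    print(f"GTC value passed to OpenOTP: {sent!r}; "
          f"ends with a 6-digit OTP: {could_carry_otp(sent)}")
```

Run against the post's six packets it prints the Identity/TTLS-start/Nak/GTC-prompt/GTC-response/Failure sequence and reports that "Test1234" cannot end in a 6-digit OTP, which matches the OpenOTP side logging "Challenge required but challenge mode disabled" right after "LDAP password Ok". The length check in `parse_eap` is worth keeping when feeding real captures: a truncated or concatenated EAP-Message attribute is the usual cause of a decode that silently misreads the Type byte.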