Issue
In Fireware v12.7 and higher, the Mobile VPN with SSL client for Windows and macOS might send the one-time password (OTP) prompt, rather than the user's password, when it authenticates the user to a Firebox that is configured to use the AuthPoint authentication server. Because the OTP prompt is not the user's password, this can cause authentication to fail.

This issue occurs when a user re-authenticates after a disconnect and is assigned an AuthPoint authentication policy that allows both the Password + Push and Password + OTP authentication types. The Mobile VPN with SSL client mistakenly treats the new connection as a continuation of the previous session and sends the OTP prompt from that session in place of the user's password.
Workaround/Solution
If the Mobile VPN with SSL client fails to authenticate, close and reopen it. This forces the client to treat the next authentication request as a new authentication rather than a continuation of the previous session.

If this issue affects multiple users, you can limit the AuthPoint authentication policy to only Password + Push or only Password + OTP. If some users must use a different multi-factor authentication (MFA) type, for example to support hardware tokens, you can create two AuthPoint authentication policies and assign them based on user and group membership.
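The following is an added illustrative model of the failure described in the Issue section and of the two workarounds above; it is not WatchGuard client or AuthPoint code. The message shapes, the cached-prompt state in the client, the sample password and OTP, and the assumption that only a policy allowing both Password + Push and Password + OTP returns a prompt the client caches are all choices made for this example so that it reproduces the behaviour the article describes.

```python
"""Model of the Mobile VPN with SSL re-authentication failure (added example,
not WatchGuard code). All protocol details below are assumptions."""

from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample credentials and prompt text (assumptions for the example).
USER_PASSWORD = "s3cret-pass"
USER_OTP = "246810"
OTP_PROMPT = "Enter your one-time password"


@dataclass(frozen=True)
class AuthPointPolicy:
    """Which MFA types the AuthPoint authentication policy allows."""
    password_push: bool
    password_otp: bool


def authpoint_login(policy: AuthPointPolicy, password: str,
                    otp: Optional[str]) -> Tuple[str, Optional[str]]:
    """Stand-in for the Firebox + AuthPoint check.

    Returns (result, prompt). `prompt` is the OTP prompt text the server showed,
    or None if no prompt was shown. Assumption: only a policy that allows both
    Password + Push and Password + OTP shows the prompt the client later
    mistakes for a password; a single-type policy does not.
    """
    if password != USER_PASSWORD:
        return "fail", None
    if policy.password_push and policy.password_otp:
        # The user may type the OTP at the prompt or approve the push instead.
        ok = (otp == USER_OTP) if otp is not None else True  # push approval assumed
        return ("success" if ok else "fail"), OTP_PROMPT
    if policy.password_otp:
        return ("success" if otp == USER_OTP else "fail"), None
    return "success", None  # push only: push approval assumed


class SslVpnClient:
    """Model of the Mobile VPN with SSL client's authentication state."""

    def __init__(self) -> None:
        # Prompt cached from the last successful authentication. It survives a
        # network disconnect, and that is the modelled bug: a non-None value makes
        # the next connect look like a continuation of the previous session.
        self.session_prompt: Optional[str] = None

    def connect(self, policy: AuthPointPolicy, password: str,
                otp: Optional[str] = None) -> str:
        # Bug: with a cached prompt, the prompt text is sent in the password field.
        sent_as_password = password if self.session_prompt is None else self.session_prompt
        result, prompt = authpoint_login(policy, sent_as_password, otp)
        if result == "success":
            self.session_prompt = prompt  # a failed attempt leaves the stale prompt in place
        return result

    def disconnect(self) -> None:
        """Connection dropped; the client keeps its cached state."""

    def close_and_reopen(self) -> None:
        """The first workaround: restarting the client clears the cached prompt."""
        self.session_prompt = None


def reconnect_scenario(policy: AuthPointPolicy, restart_client: bool) -> Tuple[str, str]:
    """First login, disconnect, then re-authenticate; returns both results."""
    client = SslVpnClient()
    first = client.connect(policy, USER_PASSWORD, USER_OTP)
    client.disconnect()
    if restart_client:
        client.close_and_reopen()
    second = client.connect(policy, USER_PASSWORD, USER_OTP)
    return first, second


if __name__ == "__main__":
    mixed = AuthPointPolicy(password_push=True, password_otp=True)
    push_only = AuthPointPolicy(password_push=True, password_otp=False)
    print("mixed policy, no restart:    ", reconnect_scenario(mixed, False))
    print("mixed policy, client restart:", reconnect_scenario(mixed, True))
    print("push-only policy, no restart:", reconnect_scenario(push_only, False))
```

Running the scenarios shows the three cases side by side: with the mixed policy the second login fails until the client is closed and reopened, and with a single-type policy (the second workaround) the reconnect succeeds even with the buggy client state, because no prompt was cached.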