Hello again. As you pointed out, there still appears to be a configuration for requiring OTP. If it was sent for LDAP authentication, then it should not be asking for OTP. Why does the screen still show this? If you disabled this requirement, then I believe the FW would work. If you need OTP, then when you pass whatever OTP or creds, you are sending them TO the RADIUS server. You can try to config local authentication (Device ==> Local Users) and create an Auth Profile that points to the Local Users. Do this as a test. If you can authenticate locally, but cannot when you implement RADIUS, then you would come to the conclusion that it is the external authentication profile that is preventing access. The best and recommended course is to purchase a GlobalProtect gateway subscription license; ideally, this is the proper way to implement GlobalProtect for mobile devices. The XAuth was really for Linux machines.