openvpn with otp set but not being required to authenticate

Started by jmcgon, September 18, 2024, 06:23:50 AM

opnsense 23.1.11
I have OpenVPN set up with server mode set to Remote Access (SSL/TLS + User Auth). According to the instructions I have, this should require users accessing via VPN to enter their username and then their local password + OTP. When a person provides these credentials it does work. However, a person can also access via VPN by just providing username and password. OTP is not required, but it will use it.

In the log files I see the following errors, repeatedly.

2024-09-18T03:56:30   Error   openvpn_server1   ipaddress:59919 TLS Error: TLS handshake failed   
2024-09-18T03:56:30   Error   openvpn_server1   ipaddress:59919 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

When I search for the above error I see references to firewalls blocking the establishment of communication, but in my case this error doesn't seem to apply, since the VPN connection is made and functions. So the TLS handshake error doesn't seem to lend evidence on why the OTP is accepted but not required.

I'm confused...  ???

All suggestions and help appreciated.

In the VPN Settings at Authentication, you have to change from
Local database to
Local Database with OTP
to make use of the second factor.

This is the only place I can find to set it to local database + OTP, and it is set. Unless I am missing something else.
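To make the difference between the two authentication servers in the reply above concrete, here is an added example (not OPNsense code and not posted by anyone in this thread) of what a "Local Database" check versus a "Local Database with OTP" check has to do with the submitted credentials. It assumes the OTP is a 6-digit RFC 6238 TOTP that the client types immediately after the password in the password field, and it uses a constructed user record and the RFC 6238 test-vector secret; a real deployment would store a proper salted password hash rather than the plain SHA-256 used here for brevity. The point it illustrates: once the OTP authenticator is selected, a password with no code appended must fail, and a correct code with a wrong password must fail too.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example user (not from the thread). The TOTP secret is the
# RFC 6238 test-vector key "12345678901234567890" encoded in base32.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}

OTP_DIGITS = 6
OTP_STEP = 30


def totp(secret_b32, at, step=OTP_STEP, digits=OTP_DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(user, password):
    """Password-only check against the local user database."""
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["password_hash"], candidate)


def auth_local_db(user, submitted):
    """'Local Database': the password field is just the password."""
    return check_password(user, submitted)


def auth_local_db_otp(user, submitted, now=None):
    """'Local Database with OTP': password field = password + 6-digit TOTP.

    Both factors are mandatory. A submission that is too short to contain a
    code, or whose last six characters are not digits, is rejected outright
    rather than falling back to a password-only check (assumed behaviour
    for this example, not a statement about OPNsense internals).
    """
    now = time.time() if now is None else now
    if len(submitted) <= OTP_DIGITS:
        return False
    password, code = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not code.isdigit():
        return False
    if not check_password(user, password):
        return False
    secret = USERS[user]["totp_secret"]
    # Accept the current time step and one step either side for clock skew.
    for drift in (-1, 0, 1):
        expected = totp(secret, now + drift * OTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; 6-digit SHA-1 code is 287082
    print("local db, password only:     ", auth_local_db("alice", "correct horse"))
    print("local db+otp, password only: ", auth_local_db_otp("alice", "correct horse", now=t))
    print("local db+otp, password+code: ", auth_local_db_otp("alice", "correct horse" + totp(USERS["alice"]["totp_secret"], t), now=t))
```

If a server still accepts a bare password after the OTP authenticator is selected, the useful check is which authentication server the OpenVPN instance itself references, since the server-level setting is what decides which of these two checks runs.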