Username sure, but i mean when use VPN, the fist authen by User & Password Ldap instead of User & PIN then 2nd authen is OTP. Anyway in Policy i seen option otppin (Either use the Token PIN , use the Userstore Password or use no fixed password component.) but it can not work or how it work ?