MFA for VPN doesn't accept Google Authenticator OTP

Dear Community,

As I haven't gotten an answer via ticket, hopefully you can help me.

I configured and installed everything according to
https://www.manageengine.com/products/self-service-password/help/admin-guide/Configuration/Self-Service/mfa-for-vpn-logins.html

The Checkpoint VPN client asks for the Google Authenticator OTP but unfortunately doesn't establish the VPN connection after I enter the current OTP.
I'm getting the error "Access denied - wrong username or password".

Additionally, I tried entering the only configured policy for "CRPolicies" and "NetworkPolicies" in the RADIUS server registry under "HKEY_LOCAL_MACHINE\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension".
The Checkpoint VPN client hasn't asked for the Google Authenticator OTP since this change, although the user I tried to connect with is in a selected Active Directory security group.

My questions are:
- What could be the problem, as it's not possible to establish a VPN connection when entering the right OTP from Google Authenticator?
- Why is the Checkpoint client not asking for the OTP when a policy is entered at CRPolicies or NetworkPolicies and the user in question is part of a selected Active Directory security group?
- What's the difference between CRPolicies and NetworkPolicies (as I couldn't find any documentation about this topic)?

Thank you in advance.
Br, Thomas