AWS - Microsoft ActiveDirectory // FreeRadius (Google MFA)

Hello,

I almost finish to setup my VPN with ActiveDirectory FreeRadius (MFA google authenticator), I have one issue .. I generated QR code for my Ad User and I scan it, when OpenVPN asking my OTP i have this following error

pam_winbind(google-authenticator:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: The attempted logon is invalid. This is either due to a bad username or authentication information.

So my password + otp isn't working

Inside/etc/pam.d/radiusd :

auth requisite /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so forward_pass

auth required pam_unix.so use_first_pass

I am little bit lost... i double checked OTP code and its good, so why pam isn't connecting ?

Thanks