VIP Enterprise Gateway fails to delegate the authentication to the secondary RADIUS server in ULO mode

Article ID: 164432


Products

VIP Service

Issue/Introduction

The VIP Enterprise Gateway (EG) fails to delegate authentication to the secondary RADIUS server (delegation module) when the VIP validation server is set up for ULO (userID + LDAP password + OTP/security code) validation mode. Delegation seems to work correctly when the validation server is set up for UO validation mode.

According to the documentation, the delegation is supposed to occur ONLY in the following circumstances:

  1. The user is not in the User Store. See “Configuring User Stores”.
  2. The user does not exist in the VIP Authentication Service.
  3. The user exists in the VIP Authentication Service, but has no bound credentials.
  4. The user account in the User Store for the user attempting validation is disabled.

Cause

ULO mode validation does not consult the user store. Hence, this is working as designed.

Resolution

If using version 9.3, removing the VIP credential bindings for the affected users, then restarting the service, will allow delegation to work. Versions newer than 9.3 will not support this.

For reference, the following are the cases where EG will delegate:

| User’s State | UO Mode | ULO Mode | UOL Mode |
|---|---|---|---|
| User not found in LDAP | N/A | Yes | Yes |
| User is disabled in LDAP | N/A | Yes | Yes |
| User does not have any bound credentials in Cloud | Yes | Yes | Yes |
| User not found in Cloud | Yes | Yes | Yes |
| User is disabled in Cloud | Yes | Yes | Yes |