A user's Transaction Report can be confusing when VIP Radius is set up in ULO mode with Radius Access Challenge mode enabled.
The 'beginAuthentication' operation may show a false negative with the message "Authentication failed", even though the user then succeeds with the 'continueAuthentication' operation.
VIP Radius in ULO Mode with "Radius Access Challenge" mode enabled
The Radius server is set up for ULO mode (Username + Password + OTP code). We are essentially doing both the first factor (AD username + password) and the second factor (username + OTP code). By design, our Radius server expects all 3 at one time. The user is expected to enter the username in the first field, and the password followed by the OTP code together on one line in the second field.
Here is how the flow works for this type of setup:
*Note: This is why the Transaction Reports may sometimes show that the 2FA succeeded while we are still awaiting the first factor response.
Working as designed. Radius Access Challenge mode is needed if you want the user to input the VIP code in a separate "pop-up" window after they input the first factor credentials. It is also often necessary if you use PUSH, SMS, or Voice for 2FA delivery.
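When reviewing reports from this setup, a failed 'beginAuthentication' can be treated as a challenge-flow artifact only if the same user completes 'continueAuthentication' shortly afterwards; every other failure still deserves attention. The following is an added triage example, not Symantec code: the CSV column names, the "Success" result string, the two-minute window and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. The column layout and the "Success" string are
# assumptions, not the real VIP Transaction Report export format.
SAMPLE_REPORT = """\
timestamp,user,operation,result
2024-01-10T09:00:00,alice,beginAuthentication,Authentication failed
2024-01-10T09:00:20,alice,continueAuthentication,Success
2024-01-10T09:05:00,bob,beginAuthentication,Authentication failed
2024-01-10T09:30:00,carol,beginAuthentication,Authentication failed
2024-01-10T09:40:00,carol,continueAuthentication,Success
2024-01-10T10:00:00,dave,beginAuthentication,Authentication failed
2024-01-10T10:00:10,dave,beginAuthentication,Authentication failed
2024-01-10T10:00:30,dave,continueAuthentication,Success
"""

# Assumed correlation window; tune it to the challenge timeout in use.
CHALLENGE_WINDOW = timedelta(minutes=2)


def classify_begin_failures(report_text, window=CHALLENGE_WINDOW):
    """Label every failed beginAuthentication row, keyed by (timestamp, user).

    A successful continueAuthentication clears only the most recent failure
    of the same user, and only inside `window`. Anything left over stays
    'unresolved-failure' and should be reviewed as a real failure.
    """
    rows = sorted(csv.DictReader(io.StringIO(report_text)),
                  key=lambda r: r["timestamp"])
    labels = {}
    pending = {}  # user -> [(time, key)] failures not yet paired
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        user, op, result = row["user"], row["operation"], row["result"]
        key = (row["timestamp"], user)
        if op == "beginAuthentication" and result == "Authentication failed":
            pending.setdefault(user, []).append((when, key))
            labels[key] = "unresolved-failure"
        elif op == "continueAuthentication" and result == "Success":
            stack = pending.get(user, [])
            if stack and when - stack[-1][0] <= window:
                labels[stack.pop()[1]] = "challenge-artifact"
    return labels


if __name__ == "__main__":
    for (stamp, user), label in classify_begin_failures(SAMPLE_REPORT).items():
        print(stamp, user, label)
```

Because each success consumes a single failure, a run of failed attempts before one valid login (the constructed "dave" rows) still leaves the earlier failures flagged.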