How to understand the Symantec VIP user authentications with RADIUS in ULO mode with RADIUS Access Challenge

Article ID: 268381


Products

VIP Service

Issue/Introduction

A user's Transaction Report can be confusing when VIP RADIUS is set up in ULO mode with RADIUS Access Challenge mode enabled.

The beginAuthentication operation may show Authentication failed even though the user then succeeds with the continueAuthentication operation. The first entry is a misleading failure, not a real one.

Environment

VIP RADIUS in ULO Mode with "Radius Access Challenge" mode enabled

Cause

The RADIUS server is set up for ULO mode (Username + Password + OTP code). In this mode it performs both the first factor (LDAP username + password) and the second factor (username + OTP code) in one pass, so by design the RADIUS server expects all three values at once. The user is expected to enter the username in the first field and the password immediately followed by the OTP code in the second field. If the login page has separate password and security-code fields, the client concatenates them, so the RADIUS server still receives password+OTP as a single value.

Here is how the flow works for this type of setup:

  1. When an authentication request arrives, the username is used both as the LDAP username and as the VIP user ID (the name shown in VIP Manager). The password field is then tested against the VIP cloud service to see whether the user appended the OTP code from a VIP credential: the last 6 characters of the password input are split off and checked as a security code. This check is logged as a beginAuthentication transaction. If a valid security code was entered, the transaction shows Success and the flow moves to step 3 below.

  2. If the last 6 characters are not a valid OTP code, the VIP cloud assumes the user intentionally did not include a code with their password, and the beginAuthentication transaction fails (as expected) with the error Authentication failed. This response causes the Validation Server or the JavaScript integration script to issue a RADIUS Access-Challenge, which sends a PUSH notification or prompts the user to enter an OTP code from their VIP credential, SMS, or Voice call. The 60-second timeout keeps the RADIUS request alive and gives the user time to receive and respond to the challenge.
    NOTE: beginAuthentication will also show Authentication failed when the LDAP password itself contains digits, because its last 6 characters are tested as a security code and rejected. This is expected and does not increment the invalid-password count.
  3. If the security code is validated, the second factor is complete. The security code is stripped and the residual password is sent to LDAP to complete first-factor validation. If beginAuthentication failed, the entire password input is sent to LDAP.

  4. After the user responds to the Access-Challenge, VIP Manager logs the result as a continueAuthentication transaction. The RADIUS server waits for both the first-factor and second-factor results before telling the application whether the user succeeded or failed. An Authentication failed at this point indicates that an invalid LDAP password was used.

*Note: This is why the Transaction Report sometimes shows that the 2FA succeeded while the first-factor response is still pending.
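The four steps above, simulated end to end as an added example. This is not Symantec's code and does not reproduce any specific VIP release: the VIP cloud security-code check and the LDAP bind are constructed stand-ins, the sample accounts and codes are made up, and the log entries only mimic the beginAuthentication / continueAuthentication rows of the Transaction Report. It shows why a user who does not append a code always produces a failed beginAuthentication followed by a challenge, why a password that merely ends in digits behaves the same way, and why a successful continueAuthentication can still end in Access-Reject when the LDAP password was wrong.

```python
"""Simulation of the ULO + Access-Challenge flow (added example, not Symantec code).
The VIP cloud OTP check and the LDAP bind are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OTP_LEN = 6  # VIP security codes are 6 digits

# Constructed sample directory and credential data (not real accounts)
LDAP_USERS = {"alice": "Winter2024", "bob": "Sept2024"}
VALID_OTPS = {"alice": {"123456"}, "bob": {"654321"}}


def vip_validate_otp(user: str, code: str) -> bool:
    """Stand-in for the VIP cloud security-code validation."""
    return code.isdigit() and code in VALID_OTPS.get(user, set())


def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for the LDAP first-factor bind. An empty password is refused
    explicitly: on a real directory an empty password can become an
    unauthenticated bind that appears to succeed."""
    if not password:
        return False
    return LDAP_USERS.get(user) == password


@dataclass
class Session:
    user: str
    log: List[Tuple[str, str]] = field(default_factory=list)  # Transaction Report rows
    first_factor_ok: Optional[bool] = None   # None = LDAP result not yet known
    second_factor_ok: Optional[bool] = None  # None = security code not yet known
    response: str = ""  # Access-Accept, Access-Reject or Access-Challenge


def _finish(s: Session) -> Session:
    """Step 4: the application only gets an answer once both factors are known."""
    s.response = "Access-Accept" if (s.first_factor_ok and s.second_factor_ok) else "Access-Reject"
    return s


def handle_access_request(user: str, password_field: str) -> Session:
    """Steps 1-3: the last 6 characters of the password field are tried as a
    security code (assumption: only when something is left over for LDAP)."""
    s = Session(user)
    residual, tail = password_field[:-OTP_LEN], password_field[-OTP_LEN:]
    if len(password_field) > OTP_LEN and vip_validate_otp(user, tail):
        s.log.append(("beginAuthentication", "Success"))
        s.second_factor_ok = True
        s.first_factor_ok = ldap_bind(user, residual)  # code stripped before LDAP
        return _finish(s)
    # No valid code appended: expected failure; the whole field goes to LDAP and
    # the RADIUS request is held open with an Access-Challenge
    s.log.append(("beginAuthentication", "Authentication failed"))
    s.first_factor_ok = ldap_bind(user, password_field)
    s.response = "Access-Challenge"
    return s


def handle_challenge_response(s: Session, code: str) -> Session:
    """Step 4: the reply to the challenge (a typed OTP; a push approval is
    modelled here as the code the VIP cloud would accept)."""
    if s.response != "Access-Challenge":
        raise ValueError("no challenge outstanding for this session")
    s.second_factor_ok = vip_validate_otp(s.user, code)
    s.log.append(("continueAuthentication",
                  "Success" if s.second_factor_ok else "Authentication failed"))
    return _finish(s)


if __name__ == "__main__":
    for user, pw, reply in [("alice", "Winter2024123456", None),
                            ("alice", "Winter2024", "123456"),
                            ("alice", "wrongpass", "123456"),
                            ("bob", "Sept2024", "000000")]:
        s = handle_access_request(user, pw)
        if s.response == "Access-Challenge" and reply is not None:
            s = handle_challenge_response(s, reply)
        print(user, pw, s.log, "->", s.response)
```

Two details are assumptions rather than documented behaviour: the split is only attempted when more than 6 characters were entered, and an empty residual password is rejected before it reaches the directory. The second one matters on a real LDAP server, where an empty password can be treated as an unauthenticated bind, so a deployment that strips the code itself should keep an equivalent check.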


Resolution

This is working as designed. RADIUS Access-Challenge mode is required if you want the user to enter the VIP security code in a separate "pop-up" prompt after entering the first-factor credentials. It is also usually necessary if you use PUSH, SMS, or Voice for 2FA delivery. When one of these other OTP methods is used, it is visible in the VIP Manager logs.