The RADIUS server previously allowed users to enter their password immediately followed by the OTP, but this method is no longer supported.

The RADIUS server used to accept password followed by OTP but that no longer works.

In earlier versions of the SurePassID RADIUS server, users entered their password directly followed by the one-time password (OTP), with no separator between them. For instance, a user with the password "mypassword" and the OTP "123456" would enter:

mypassword123456

This method had several significant drawbacks. The most critical was that, with no separator, a user could enter the correct password but an OTP that was too long or too short, and the password portion of the entry would then be incorrect. This often led to unnecessary Active Directory account lockouts, frustrating users and complicating support for the help desk.

In the current version, users must input their password followed by the OTP, separated by a comma, as illustrated here:

mypassword,123456

If you require the RADIUS server to accommodate the previous OTP input format, please add the following line to the configuration file, just above the </radius> tag, as demonstrated below:

    <UseOldStylePasswordOtp>TRUE</UseOldStylePasswordOtp>
  </radius>

The system picks up this setting on the next authentication request. Note that once it is enabled, the Password,OTP format is no longer accepted.
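The lockout problem described above can be reproduced with a short sketch. This is an added example, not SurePassID code: the 6-digit OTP length, the function names, the split-at-last-comma rule and the sample credentials are all assumptions made for illustration.

```python
import re

OTP_LEN = 6  # assumption: fixed-length numeric OTP


def split_old_style(credential):
    """Old format: treat the last OTP_LEN characters as the OTP."""
    if len(credential) <= OTP_LEN:
        return None
    return credential[:-OTP_LEN], credential[-OTP_LEN:]


def split_comma_style(credential):
    """Current format: password,OTP. Splitting at the last comma keeps
    commas inside the password intact (an assumption of this sketch)."""
    password, sep, otp = credential.rpartition(",")
    if not sep or not password:
        return None
    return password, otp


def check(credential, splitter):
    """Return (decision, password string that would be checked against AD)."""
    parts = splitter(credential)
    if parts is None:
        return "reject-before-AD", None
    password, otp = parts
    # A malformed OTP can be refused without ever touching the directory.
    if not re.fullmatch(rf"\d{{{OTP_LEN}}}", otp):
        return "reject-before-AD", None
    return "send-to-AD", password


if __name__ == "__main__":
    # Constructed inputs: correct passwords, OTPs of the wrong length.
    samples = [
        ("mypassword1234567", split_old_style),   # 7-digit OTP
        ("Summer202412345", split_old_style),     # 5-digit OTP
        ("mypassword,1234567", split_comma_style),
        ("Summer2024,12345", split_comma_style),
    ]
    for cred, splitter in samples:
        print(f"{splitter.__name__:18} {cred:20} -> {check(cred, splitter)}")
```

In the old-style cases the string checked against the directory is "mypassword1" or "Summer202", so a correct password still counts as a failed logon toward the lockout threshold. With the comma, the same mistakes are caught by the OTP length check before any password is evaluated.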