Hi Brian,
The RADIUS module privacyidea_radius.pm is pretty dumb. It simply forwards the data the user entered and which was sent to the RADIUS server in User-Name and User-Password to the /validate/check endpoint.
Everything else is determined by the privacyIDEA server.
The default behaviour is that the user passes
OTP-PIN + OTP value
This can be changed to
LDAP-Password + OTP value
Under certain conditions this can also be a challenge response. In most cases challenge response is not necessary. (Only for SMS and Email).
In the challenge response case the /validate/check endpoint first takes the static password. If it is correct it then expects the OTP value.
This is the case even without any RADIUS involved.
If the RADIUS is involved, it will return an Access-Challenge. Roughly speaking, the privacyidea_radius.pm is just a protocol translator.
Kind regards
Cornelius
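
The translation described in the message above, sketched in Python as an added example (it is not part of the original post and not the code of privacyidea_radius.pm). Assumptions: the /validate/check parameters are named `user`, `pass` and `transaction_id`, the JSON reply carries `result.status`, `result.value`, `detail.transaction_id` and `detail.message`, and the RADIUS State attribute carries the transaction id between the two legs; the function names and sample replies are constructed for illustration.

```python
def build_validate_params(radius_attrs):
    """Map RADIUS request attributes to /validate/check parameters."""
    params = {
        "user": radius_attrs["User-Name"],
        # PIN+OTP, LDAP password+OTP, or (second leg) the OTP alone;
        # the translator does not interpret it, the server does.
        "pass": radius_attrs["User-Password"],
    }
    # Assumption: on the second leg of a challenge response the client
    # echoes State, which is handed back as the transaction id.
    if radius_attrs.get("State"):
        params["transaction_id"] = radius_attrs["State"]
    return params


def translate_response(body):
    """Map a decoded /validate/check JSON reply to a RADIUS reply.

    Fails closed: anything that is not an explicit success or an
    explicit challenge becomes Access-Reject.
    """
    reject = {"code": "Access-Reject"}
    if not isinstance(body, dict):
        return reject
    result = body.get("result") or {}
    detail = body.get("detail") or {}
    if result.get("status") is not True:
        return reject                      # server-side error
    if result.get("value") is True:
        return {"code": "Access-Accept"}   # credentials verified
    if detail.get("transaction_id"):
        # Static password was correct, the OTP is still outstanding.
        return {
            "code": "Access-Challenge",
            "State": str(detail["transaction_id"]),
            "Reply-Message": detail.get("message", ""),
        }
    return reject


# Constructed sample replies (not captured from a real server).
ACCEPT = {"result": {"status": True, "value": True}}
WRONG = {"result": {"status": True, "value": False},
         "detail": {"message": "wrong otp value"}}
CHALLENGE = {"result": {"status": True, "value": False},
             "detail": {"transaction_id": "0123456789",
                        "message": "Enter the OTP from the SMS"}}
```
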