challenge
Challenge action for sending challenge responses in multi-factor authentication
Instead of simply accepting or rejecting, the server responds with a challenge. This is used in multi-factor authentication scenarios where the client must provide additional credentials or perform extra steps before access is granted.
For RADIUS, this sends an Access-Challenge reply and waits for a follow-up request that carries the returned State attribute. This behavior is not TEAP-specific.
Syntax
challenge;
challenge "prompt message";
Client support
The server can issue a generic RADIUS challenge, but the client or NAS must know how to continue the exchange. Many simple PAP clients only perform one Access-Request and expect a final Access-Accept or Access-Reject.
Do not assume that challenge is a portable way to collect a second factor or a follow-up credential in a separate round-trip. For example, if a deployment appends an OTP to the password in a single PAP field, a more portable pattern is to collect both values in the same request and split them in the AAA pipeline instead of relying on an interactive Access-Challenge round-trip.
Message handling
When the challenge action includes a message, it sets the aaa.challenge-message variable. This is distinct from aaa.message, which is used for Accept/Reject responses:
aaa.challenge-message: contains the one-time challenge prompt (e.g., "Enter password"). This message is consumed after use and not reused across authentication rounds.
aaa.message: contains persistent reply messages for Accept/Reject responses that remain available for logging.
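The following Python model is an added illustration, not code from the product this page documents. It shows the two-round Access-Challenge exchange described under Client support (the server hands back a State attribute and only completes the login when the follow-up Access-Request carries that State back), the single-request "password+OTP in one PAP field" alternative, and the one-shot versus persistent semantics of the two message variables. The user table, the in-memory State store, the Session class and the handler names are all constructed for the example; a real server would bind State to the NAS and give pending challenges a lifetime.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample credentials standing in for a user directory and an OTP
# validator (not from the page); the OTP is fixed so the flow is deterministic.
USERS = {"alice": {"password": "s3cret", "otp": "123456"}}

# Pending challenges keyed by the State attribute value (constructed store).
PENDING: Dict[bytes, str] = {}


@dataclass
class Reply:
    code: str                       # Access-Accept / Access-Reject / Access-Challenge
    attrs: dict = field(default_factory=dict)


@dataclass
class Session:
    # Models the page's two variables: challenge_message is consumed once,
    # message persists so the final Accept/Reject outcome can be logged.
    challenge_message: Optional[str] = None
    message: Optional[str] = None


def _check(secret: str, supplied: Optional[str]) -> bool:
    # Constant-time compare; a missing attribute never matches.
    return supplied is not None and hmac.compare_digest(secret, supplied)


def interactive_handler(request: dict, session: Session) -> Reply:
    """Two-round exchange: Access-Challenge with State, then follow-up with State."""
    user = request.get("User-Name")
    state = request.get("State")
    if state is None:
        # Round 1: first factor only. Reject early, else challenge for the OTP.
        if user not in USERS or not _check(USERS[user]["password"], request.get("User-Password")):
            session.message = "bad password"
            return Reply("Access-Reject", {"Reply-Message": session.message})
        state = secrets.token_bytes(16)
        PENDING[state] = user
        session.challenge_message = "Enter OTP"
        # The prompt travels in Reply-Message exactly once and is then cleared.
        prompt, session.challenge_message = session.challenge_message, None
        return Reply("Access-Challenge", {"State": state, "Reply-Message": prompt})
    # Round 2: the State must be one we issued, unused, and for the same user.
    pending_user = PENDING.pop(state, None)
    if pending_user is None or pending_user != user:
        session.message = "unknown or reused State"
        return Reply("Access-Reject", {"Reply-Message": session.message})
    if _check(USERS[user]["otp"], request.get("User-Password")):
        session.message = "MFA ok"
        return Reply("Access-Accept", {"Reply-Message": session.message})
    session.message = "bad OTP"
    return Reply("Access-Reject", {"Reply-Message": session.message})


def single_request_handler(request: dict, session: Session, otp_len: int = 6) -> Reply:
    """Portable pattern: password and OTP in one PAP field, split server-side."""
    user = request.get("User-Name")
    combined = request.get("User-Password") or ""
    if user not in USERS or len(combined) <= otp_len:
        session.message = "malformed credential"
        return Reply("Access-Reject", {"Reply-Message": session.message})
    password, otp = combined[:-otp_len], combined[-otp_len:]
    if _check(USERS[user]["password"], password) and _check(USERS[user]["otp"], otp):
        session.message = "MFA ok"
        return Reply("Access-Accept", {"Reply-Message": session.message})
    session.message = "bad password or OTP"
    return Reply("Access-Reject", {"Reply-Message": session.message})


def run_interactive_flow(user: str, password: str, otp: str) -> List[str]:
    """Drive a State-aware client through the exchange; returns the reply codes seen."""
    session = Session()
    codes = []
    reply = interactive_handler({"User-Name": user, "User-Password": password}, session)
    codes.append(reply.code)
    if reply.code == "Access-Challenge":
        # A client that cannot echo State back would stop here (see Client support).
        follow_up = {"User-Name": user, "User-Password": otp, "State": reply.attrs["State"]}
        codes.append(interactive_handler(follow_up, session).code)
    return codes


if __name__ == "__main__":
    print(run_interactive_flow("alice", "s3cret", "123456"))   # two-round MFA
    print(single_request_handler({"User-Name": "alice", "User-Password": "s3cret123456"}, Session()))
```

The interactive handler rejects a follow-up that omits State or replays one already consumed, which is the behaviour a NAS that only sends one Access-Request will run into; the single-request handler needs no client support beyond plain PAP.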