I am trying to get VPN Radius authentication working with Gemalto SAS/STA cloud solution where I have a push token in use. This means I have two ways of authenticating:

- I open the token on my mobile and enter the display code when asked by VPN client for challenge

- instead of entering the code into the VPN, I can enter "p" so a push to my mobile is sent and can be accepted there.

Both versions work fine if I use multiple login options and first option is username/password and second is Radius.

But if I only use Radius only first option is working (entering code manually). Other option is failing with "negotiation with site failed".

I did a capture on the gateway with tcpdump to look for Radius traffic and found out that if I only enter a "p", there is no traffic to the radius servers generated. 

Has someone an idea who to cope with that?

I have tested this with R80.30 SmartCenter and following gateway versions:

- R80.30 JHF T50

- R80.10 JHF 169 + machine certificate authentication hotfix