Incidentally - what you describe sounds very much like RSA SecurID, where
the user's passcode consists of a PIN (from database) plus 6 digits from the
token.
Are you actually trying to implement SecurID for freeradius? Because if you
say so, someone might have a solution already.
Other options I didn't mention: external exec script; PAM.