I'm sorry, The other day I said that there is nothing "unusual" about SecurID RADIUS authentication. I'm so used to EAP, I forgot about the PAP auth with a SecurID value as a password. If the RSA Authentication Manager, finds that the token is in New Pin or Next Tokencode mode, it will issue an Access-Challenge message with the Reply-Message attribute explaining the next step. The client is expected to display the text, and prompt the user, then send another Access-Request with the response in the password attribute. This exchange can continue through several steps, until an Access-Accepted or -Rejected is received. Only a few RADIUS test clients can actually deal with this. I don't know (off the top of my head) which production clients we recommend. Of course, for the best security the EAP-POTP method is our recommended authentication protocol. Dave.