Incidentally - what you describe sounds very much like RSA SecurID, where the user's passcode consists of a PIN (from database) plus 6 digits from the token. Are you actually trying to implement SecurID for freeradius? Because if you say so, someone might have a solution already. Other options I didn't mention: external exec script; PAM.