On Sat, Mar 30, 2019 at 01:27 Mike Jumper <mjumper@apache.org> wrote:

I'm not sure that it could be changed as implemented - basically it just copies the text provided by the RADIUS server in the Challenge part of the Challenge/Response as a way to be flexible about what the RADIUS server may be asking for. While it may be an OTP in this case, there are other scenarios where you might ask for a PIN, or the answer to a security question, etc., so when I wrote it I was trying not to limit it to OTP scenarios only.

> That "Reply-Message = please enter otp:" string looks like something isn't being parsed right. Shouldn't it say "please enter otp:"?

Ahem.  Yes.  That deserves a bug in JIRA and a few minutes of work to clear up.
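
Added example, not part of the original message and not the extension's own code: a minimal parser for a RADIUS Access-Challenge (RFC 2865) that returns only the value of the Reply-Message attribute as the prompt, along with the State attribute that must be echoed back. The function names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_CHALLENGE = 11   # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18      # attribute type: text to show the user
STATE = 24              # attribute type: opaque value echoed back in the response


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20          # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def challenge_prompt(packet: bytes):
    """Return (prompt_text, state) from an Access-Challenge."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    # Use the attribute values only, joined in packet order. The text is
    # server-supplied, so the caller should escape it before display.
    prompt = "".join(v.decode("utf-8", "replace")
                     for t, v in attrs if t == REPLY_MESSAGE)
    state = next((v for t, v in attrs if t == STATE), None)
    return prompt, state


def build_sample_challenge():
    """Constructed sample packet, not captured traffic."""
    msg, state = b"please enter otp:", b"\x01\x02\x03\x04"
    attrs = (bytes([REPLY_MESSAGE, len(msg) + 2]) + msg
             + bytes([STATE, len(state) + 2]) + state)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(attrs))
    return header + bytes(16) + attrs
```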