I have a ClusterXL R80.10 with Mobile Access and DynamicID enabled. The users authenticate with a simple Check Point password, but I want to migrate them to RADIUS.
That is not a problem; authentication with RADIUS works very well.
I don't know how to replace DynamicID with an external OTP. I want a first authentication step with RADIUS (user and password) and a second step with an OTP verified on an external system (for example Google Authenticator), not generated by Check Point and sent to an SMS gateway.
I can only do single-step authentication: user and password+OTP.
With password+OTP I can't enable MS-CHAPv2; I must use PAP (insecure).

Suggestions?
Thank you for your help.