Strange Challenge behaviour


I’ve got some strange behaviour with the freeRadius-Auth and a Forti SSLVPN-Portal.
I get the Users from an AD/LDAP-Resolver.
I set this authentication-policy: [challenge_response: totp yubico yubikey, otppin:tokenpin] and it works perfectly with Google Authenticator (TOTP). But it’s not working if I try a Yubico-Token or with otppin: userstore.

Yubico is not the real problem, but for SSO I need the Userpassword…

Hope somebody can help.

It could be that the yubico token type (which I would absolutely recommend not using) does not support challenge-response.

TOTP as challenge response with otppin=userstore works fine.