We are running FreeIPA 4.4 on Centos 7 and trying to use radius authentication.

Using radtest and radclient work fine and we can authenticate a user.

The radius proxy and secret are set to match the values from radclient.  The user has the radius check box checked and the other two fields set to appropriate values. hbactest shows that the user has permission for any host.  

When I do " su -l rsa-user", I'm requested for the first and second factors.  After I enter them, I get "su: Authentication failure".  Using a non-radius user works fine.

The sssd_pam log has

[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)][idm.bbn.com]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.

Unchecking the radius checkbox and the account works fine.

Any ideas what to try or look at next?