This option will cause Safeguard to send a Radius Access-Request packet with only a User-Name attribute, to the Radius server prior to Safeguard asking for a OTP.
This can be useful if the Radius server is using custom prompts, for example suggesting keywords such as SMS, PHONECALL etc.
(Please note, as a password is not included in the Access-Request this may cause some Radius servers to show an error instead.)
More information from the documentation:
"PreAuthenticate for Challenge/Response: If selected, an Access-Request call containing only the User-Name is sent to the Radius server prior to the user's authentication attempt. This is done to inform the Radius server of the user's identity so it can possibly begin the authentication process by starting a challenge/response cycle. This may be required to seed the user's state data. In addition, the Radius server's response may include a login message that is to be displayed, which is specific to that user.
If the Radius server is not configured to respond with an Access-Challenge, then this will cause the log in to fail and the user will be unable to proceed. This setting is only applicable when using Radius as a secondary authentication provider. The setting has no effect if enabled on a primary authentication provider."