Core issue
This issue is due to the presence of Cisco bug ID CSCin91851.
In this issue, when you use the router as an Secure Shell (SSH) server that authenticates to an SDI/radius backend, normal authentications work. But, neither the new PIN mode nor the Next Token mode dialogues complete successfully.
This issue is only observed in New PIN mode or Next Token mode dialogue.
Resolution
For a temporary workaround, use Telnet for authentication or set virtual
terminal (vty) lines to authenticate to the Radius (non-SDI) server instead.
In order to permanently resolve this issue, upgrade the router to Cisco IOS Software Release 12.4(10.1)T. Use the Cisco IOS Upgrade Planner in order to download the suggested image.
Cisco IOS Software Version
12.4
Cisco Secure Access Control Server (ACS)
Cisco Secure ACS Solution Engine
Cisco Secure ACS for Windows