Per-User selectable Backend Authentication Server
There will be a security leak if you use a second user authentication with the same usernames. For example: you use Active Directory for the web security authentication and a RADIUS server for your OTP token to log in to the user portal and VPN. The Astaro will first check the AD and then the RADIUS server. So the user can use his AD password or his OTP to successfully log in. It has to be possible to select the backend server per user object. This problem only applies, for example, if you use user objects in your VPN configuration instead of the RADIUS group. But this is required if you want to build firewall rules on user objects.
Elmar Haag commented
The normal way to achieve OTP-only authentication for VPN users is to use the pre-defined and automatically generated object "RADIUS Users" in the VPN configuration's 'allowed users/groups' settings. Then no user can log in as a VPN user by using his AD credentials.
This "RADIUS Users" group object is probably not well documented. We will generate a KB entry in the near future where this behaviour is described.
If you really want to use per-user packet filter rules, and these rules may only be applied if the user has logged in with the OTP password (but not with the AD password), then you probably have to use different usernames for "OTP-only" and "AD-only" authentication. Binding a backend authentication mechanism to a user object (as you describe it) would not help you, because then you would deactivate the possibility to authenticate a user with his AD credentials as soon as you bind "RADIUS-only authentication" to a user object, which is probably not what you want.
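The following is an added example that is not part of the original thread and not Astaro code. It models the two behaviours discussed above: a chain of backends (AD first, then RADIUS) that share a username, a VPN policy bound to the user object (any backend that accepts the credential grants access, which is the leak the request describes), and a VPN policy bound to a "RADIUS Users" group (modeled here as "the credential was accepted by the RADIUS backend"). The assumptions are mine: the OTP is a standard TOTP (RFC 6238, SHA-1, 6 digits), and the users, the AD password and the TOTP seed are constructed test data.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data (assumption, not from the thread): the same username
# exists in both backends, which is the situation the feature request describes.
AD_USERS = {"alice": "CorrectHorseBatteryStaple"}        # assumed AD password
RADIUS_SECRETS = {"alice": b"12345678901234567890"}      # assumed TOTP seed (RFC 6238 test secret)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1; `now` is a Unix timestamp (defaults to the clock)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return "%0*d" % (digits, code)


def ad_auth(user, password):
    """Stand-in for the Active Directory backend: a static password."""
    expected = AD_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def radius_auth(user, password, now=None):
    """Stand-in for the RADIUS backend: a one-time password derived from the seed."""
    seed = RADIUS_SECRETS.get(user)
    return seed is not None and hmac.compare_digest(totp(seed, now), password)


def authenticate(user, password, now=None):
    """Chained backends as described in the thread: AD is tried first, then RADIUS.
    Returns the name of the backend that accepted the credential, or None."""
    if ad_auth(user, password):
        return "AD"
    if radius_auth(user, password, now):
        return "RADIUS"
    return None


def vpn_allowed_by_user_object(user, password, now=None):
    """Policy bound to the user object: any successful backend grants VPN access.
    With shared usernames this lets the static AD password bypass the OTP."""
    return authenticate(user, password, now) is not None


def vpn_allowed_by_radius_group(user, password, now=None):
    """Policy bound to the 'RADIUS Users' group (modeled as: the credential was
    accepted by the RADIUS backend). An AD-only login is rejected."""
    return authenticate(user, password, now) == "RADIUS"


if __name__ == "__main__":
    t = 59  # fixed timestamp so the OTP is reproducible (RFC 6238 vector -> 287082)
    otp = totp(RADIUS_SECRETS["alice"], t)
    for label, pw in (("AD password", AD_USERS["alice"]), ("OTP", otp)):
        print("%-11s user-object policy: %s  RADIUS-group policy: %s" % (
            label,
            vpn_allowed_by_user_object("alice", pw, t),
            vpn_allowed_by_radius_group("alice", pw, t)))
```

Run as a script, the first line shows the leak (the AD password alone is enough under the user-object policy) and the second line shows that both policies accept the OTP; only the group-based policy refuses the AD password. This also illustrates why the comment's point holds: the group policy does not need to disable AD for the user anywhere else, it only requires that the VPN login was the one the RADIUS backend accepted.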