The following restrictions apply to users of on-demand tokencodes:
Users cannot perform trusted-realm authentications.
Users cannot authenticate using an alias, except when authenticating through an authentication agent.
The PIN for an on-demand tokencode should not be the same as a fixed passcode assigned to the user.
EAP32-enabled authentication agents do not support on-demand tokencodes.
On-Demand Authentication with an Authentication Agent or a RADIUS Client