IAS agents for SA Server/IDConfirm 1000, all versions
When the IAS agent receives an AAA request for an OTP authentication, it asks SA Server/IDConfirm 1000 to authenticate the username/password/OTP. If that authentication fails, the IAS agent, acting as a RADIUS proxy, forwards the authentication request to the next authentication DLL (direct authentication against Active Directory). AD needs only a username and password, so it authenticates the request successfully even though the OTP check failed.
To deny authentication when a wrong OTP is submitted, turn off the RADIUS proxy behaviour by changing a specific registry key:
HKLM\Software\Gemalto\SA Server\IAS Agent
Under this key, set rejectOnError to 1 (0 is the default).
Reboot the server to apply the change.
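The check and the change described above can be scripted. This is an added example, not Gemalto's own tooling. It assumes rejectOnError is stored as a REG_DWORD and that an absent value means the default of 0; the -Fix switch is a name chosen for this example.

```powershell
# Added example: audit rejectOnError for the IAS agent and, with -Fix, set it to 1.
# Assumptions (not stated on the page): the value is a REG_DWORD, and a missing
# value is equivalent to the default of 0. Run from an elevated prompt to write.
param([switch]$Fix)

$KeyPath   = 'HKLM:\Software\Gemalto\SA Server\IAS Agent'
$ValueName = 'rejectOnError'

# Without the key there is nothing to audit on this host.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Error "Key not found: $KeyPath (is the IAS agent installed on this host?)"
    exit 2
}

# Read the current setting; an absent value is treated as the default (0).
$props   = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($null -ne $props) { $props.$ValueName } else { 0 }

if ($current -eq 1) {
    Write-Output "OK: $ValueName is 1, a failed OTP authentication is rejected."
    exit 0
}

# Any other setting leaves the fall-through to Active Directory in place.
Write-Warning "$ValueName is ${current}: a failed OTP authentication is forwarded to AD, which accepts username and password alone."

if ($Fix) {
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value 1 -Type DWord
    Write-Output "Set $ValueName to 1. Reboot the server to apply the change."
    exit 0
}

# Non-zero exit so a compliance job can flag the host.
exit 1
```

After the reboot, confirm the setting took effect by submitting a valid username and password with a wrong OTP against a test account and checking that the request is rejected.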