Just to add more meat to this answer I just got this going as well. Here's what I did to setup Google auth as a secondary password on our SA4500. I use AD credentials for the 1st factor.
Setup a server on Ubuntu 12.04 LTS with Freeradius
Best link I found was: Gauth w/ FreeRADIUS
One thing to be careful is to compile google-authenticator from source and make sure you link PAM to it. Add this line to the Makefile above the line VERSION := 1.0
LDFLAGS="-lpam"
Once this is compiled and installed follow the instructions up to where the modification to /etc/pam.d/radiusd is:
Unless you also want to authenticate with local users from your server and the gauth code as an addition to the server password only put in the following:
auth requisite pam_google_authenticator.so
Comment out everything else.
At this point you're almost ready to test, you'll have to create the same user that would authenticate to AD, on your local server and run google-authenticator on it then scan the resulting QR code into your phone with the Gauth app.
On the SA I added a new RADIUS Auth server put in the hostname or IP of your FreeRadius server with the shared secret you created. I also clicked off 'Users authenticate using tokens or one-time passwords'.
I then created a realm called OTP
In the general tab, I setup the Authentication as my AD server and then checked off 'Additional authentication server'
I chose my new RADIUS server from the drop-down
Username is: predefined as: <USERNAME> (you don't want your domain info going to RADIUS)
Password is: specified by user on sign-in page
As a last cosmetic change I went into the Default Sign in Page and checked off 'Prompt the secondary credentials on the second page' so that the user experience is the same from the old way of doing things and the user is only prompted for the OTP once succeeding through the initial AD authentication.
Hope this helps out a bit more.
--Dave
