Authentication flow

Sudarshan Soma sudarshan12s at gmail.com
Thu Sep 18 08:11:31 UTC 2008


Hi All,
I have three authentication modules
-- pam_radius_auth.so (for remote authentication)
-- pam_unix (unix local authentication)
-- pam_opie (challenge/response)
and other accounting modules such as pam_abl, which does user lockout/iplocking.

I would like to choose a better authentication for access to my service:

These are my requirements/clarifications:

-- An intruder should not know how his authentication has failed (due
to user locking or IP address locking or wrong passwd for remote
authentication or for local authentication), but only SecurityAdmin can
see them in logs. Intruder just gets error as LOGIN failed.
-- While logging in to the service, should I allow the user to specify
authentication type such as challenge-response or local, if Radius
servers are not reachable? Will this cause any kind of break in the secure
authentication process, or does it contrast with the above?
I am thinking of this to help legitimate users get logged into the service.

I am kind of lost here. Can anyone please advise the better approach here?

Many Thanks



