I’m not sure what you mean by “auth backend”. By default, the client merely has to prove that it possesses the correct key to be given the secret encrypted password from the Mandos server. This can be changed by configuring the server not to automatically “approve” clients, which makes the whole procedure controllable over D-Bus, opening the way for any process you like to do whatever it needs to do in order to authenticate a client before the secret encrypted password is sent.