The documentation says the following:
The current version of the MaxScale PAM authentication module only supports a simple password exchange. On the client side, the authentication begins with MaxScale sending an AuthSwitchRequest packet. In addition to the command, the packet contains the client plugin name dialog, a message type byte 4 and the message Password:. In the next packet, the client should send the password, which MaxScale will forward to the PAM API running on the local machine. If the password is correct, an OK packet is sent to the client. No additional PAM-related messaging is allowed, as this would indicate a more complicated authentication scheme.
Some users would like MaxScale to support PAM authentications that involve more than a single simple password exchange. For example, some PAM configurations require two inputs to login--a regular user-set password, and a 2FA token from a service like Google Authenticator or RSA SecurID.