RE: RADIUS PAP-SecurID Access-Challenge
I'm sorry,
The other day I said that there is nothing "unusual" about SecurID
RADIUS authentication. I'm so used to EAP, I forgot about the PAP auth
with a SecurID value as a password.
If the RSA Authentication Manager, finds that the token is in New Pin
or Next Tokencode mode, it will issue an Access-Challenge message with
the Reply-Message attribute explaining the next step.
The client is expected to display the text, and prompt the user, then
send another Access-Request with the response in the password
attribute. This exchange can continue through several steps, until an
Access-Accepted or -Rejected is received.
Only a few RADIUS test clients can actually deal with this. I don't
know (off the top of my head) which production clients we recommend.
Of course, for the best security the EAP-POTP method is our
recommended authentication protocol.
Dave.
This archive was generated by a fusion of
Pipermail (Mailman edition) and
MHonArc.