Splitting the password field in freeRADIUS

Drumm, Daniel dgdrumm at bf.umich.edu
Thu Jan 25 20:51:37 CET 2007


Dan Geist explained what it is I am trying to do. His suggestion is the
way I will look: to use a Perl module to split the authentication.

Time for some ASCII Art (bad)


NAS ---> FR

(this field passes the password via RADIUS/PAP, and is the SecurID
tokencode + Kerberos pwd.)

( ex: user:jdoe pwd:549872MyPassword )

FR then splits the first 6 characters, and sends the authentication to
the RADIUS listener that RSA bundles with Auth Mgr 6.1. 

FR ----> RSA-AuthMgr-RADIUS-listener
|
|-------> Campus Kerberos RADIUS server

It then sends the campus Kerberos password (i.e. MyPassword) to the
campus RADIUS server that front ends the Kerberos system.

Since RADIUS is an async network protocol, FreeRADIUS will have to set
timers and wait for each to be successful before returning an accept to
the NAS for the RADIUS request which it proxied. As Dan explained, this
will probably be independent PAM calls to the two methods. 

Could be tricky.

Dan @ UM.

----

Message: 2
Date: Tue, 23 Jan 2007 14:05:32 -0800 (PST)
From: Agent Smith <news8080 at yahoo.com>
Subject: Re: Splitting the password field in freeRADIUS
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <529131.95171.qm at web50915.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1


I front-end our SecurID server with FR, but that is
only doing PAP. The way I do this is RADIUS proxy, where
the FR is running on the same box, different port.

I don't understand what you are trying to do here. If
a user tries to authenticate, you want the PIN to
authenticate on RADIUS, and the rest somewhere else?
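
The split described in this thread, as an added example that is not part of either message and is not FreeRADIUS code: the first 6 characters are taken as the tokencode, the remainder as the Kerberos password, and the result is an accept only when both back ends accept. The function names are hypothetical, the two back ends are placeholder code refs standing in for the RADIUS requests to the RSA listener and the campus Kerberos RADIUS server, and the all-digit tokencode check is an assumption based on the thread's example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use constant TOKEN_LEN => 6;    # from the thread: "the first 6 characters"

# Return (tokencode, kerberos_password), or an empty list if malformed.
# Assumption: the tokencode is all digits, as in the thread's example.
sub split_password {
    my ($combined) = @_;
    return unless defined $combined;
    my $n = TOKEN_LEN;
    # \A and \z anchor the whole string; the password part must be non-empty.
    return unless $combined =~ /\A([0-9]{$n})(.+)\z/s;
    return ($1, $2);
}

# $check_token and $check_krb are hypothetical code refs, one per back end,
# returning true on Access-Accept. A back end that dies (for example on a
# timeout) counts as a failure, so the combined result fails closed.
sub authenticate_split {
    my ($user, $combined, $check_token, $check_krb) = @_;
    my @parts = split_password($combined);
    return 'reject' unless @parts == 2;    # malformed: contact no back end
    my ($token, $krb_pwd) = @parts;

    my $token_ok = eval { $check_token->($user, $token) } ? 1 : 0;
    my $krb_ok   = eval { $check_krb->($user, $krb_pwd) } ? 1 : 0;

    # One combined answer: the NAS is not told which half was wrong.
    return ($token_ok && $krb_ok) ? 'accept' : 'reject';
}

# Constructed demo data and back ends; real ones would send RADIUS requests.
my %token_db = (jdoe => '549872');
my %krb_db   = (jdoe => 'MyPassword');
my $tok  = sub { my ($u, $t) = @_; ($token_db{$u} // '') eq $t };
my $krb  = sub { my ($u, $p) = @_; ($krb_db{$u}   // '') eq $p };
my $down = sub { die "timeout\n" };

for my $case (
    ['549872MyPassword', $tok, $krb],     # both halves correct
    ['549872WrongPass',  $tok, $krb],     # tokencode correct, password wrong
    ['549872',           $tok, $krb],     # nothing after the tokencode
    ['549872MyPassword', $tok, $down],    # Kerberos side timed out
) {
    my ($pw, @checks) = @$case;
    # Print the length only; the combined password is never written out.
    printf "%-6s (input length %d)\n",
        authenticate_split('jdoe', $pw, @checks), length $pw;
}
```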