FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm" ksk2 at
Fri Nov 30 14:57:17 CET 2018

Hello everyone

we are successfully using FreeRADIUS for some time now. Now we have two more requirements:

1) Password change in OpenLDAP via FreeRADIUS

FreeRADIUS is connected to an OpenLDAP via the LDAP-module.

We also have Cisco-Devices connected to a tac_plus-Server ( also using OpenLDAP as backend. In this setup the users can change their LDAP-password via the router's login-prompt after successful authentication with the old password.

Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature?

2) Next-Token-Mode for RSA SecurID

We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case.

Is there a way to handle this in FreeRADIUS?

It would be great if you could point me in the right direction for both use cases and tell me what modules or unlang-statements we could try out to solve this.

Thanks and best wishes


More information about the Freeradius-Users mailing list