FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
ksk2 at gmx.net
Fri Nov 30 14:57:17 CET 2018
We have been using FreeRADIUS successfully for some time now. Now we have two more requirements:
1) Password change in OpenLDAP via FreeRADIUS
FreeRADIUS is connected to an OpenLDAP server via the LDAP module.
We also have Cisco devices connected to a tac_plus server (http://www.pro-bono-publico.de/projects/tac_plus.html), which also uses OpenLDAP as its backend. In this setup the users can change their LDAP password via the router's login prompt after successful authentication with the old password.
Can we implement password changes with FreeRADIUS as well when the NAS supports this, or is this a TACACS+-only feature?
2) Next-Token-Mode for RSA SecurID
We are using two-factor authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS?
It would be great if you could point me in the right direction for both use cases and tell me which modules or unlang statements we could try out to solve this.
Thanks and best wishes
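As an added sketch (not from the post or the FreeRADIUS project) of how the second use case could be structured, assuming FreeRADIUS 3.x unlang and a hypothetical realm `rsa-securid` in proxy.conf that points at the RSA server: the two round trips of next-token mode can be told apart in the authorize section by the State attribute, which the NAS echoes back from the proxied Access-Challenge.

```unlang
# Assumed FreeRADIUS 3.x fragment for sites-enabled/default (example, not from the post).
authorize {
    # Round 2 of next-token mode: the RSA server answered Access-Challenge, the
    # State it sent was relayed to the NAS, and the NAS now returns State plus the
    # freshly typed token code alone. Forward User-Password unchanged.
    if (&State) {
        update control {
            &Proxy-To-Realm := "rsa-securid"   # hypothetical realm name
        }
        return
    }

    # Round 1: the user typed "<static password><6-digit token>" in one field.
    if (&User-Password =~ /^(.+)([0-9]{6})$/) {
        update request {
            &Tmp-String-0 := "%{1}"   # static part, for the local OpenLDAP check
            &Tmp-String-1 := "%{2}"   # token code, the only thing the RSA server sees
        }
        # Hand only the token to the RSA server; the static part stays local.
        update request {
            &User-Password := "%{Tmp-String-1}"
        }
        update control {
            &Proxy-To-Realm := "rsa-securid"
        }
    }
    else {
        # Neither a challenge response nor a well-formed combined password.
        reject
    }
}
```

Where the local LDAP check of the static part happens relative to proxying depends on the existing policy; this fragment only shows the split and the State-based branch.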