FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok aland at
Fri Nov 30 15:51:20 CET 2018

On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2 at> wrote:
> We have been successfully using FreeRADIUS for some time now. Now we have two more requirements:
> 1) Password change in OpenLDAP via FreeRADIUS
> ...
> Can we implement password changes with FreeRADIUS as well when the NAS supports this, or is this a TACACS+-only feature?

  It's only TACACS+.

  The good news is that v4 should have a TACACS+ front end.  It was working a few months ago, and then we did some rearchitecture.  So it doesn't work today.  But it's likely only a few days to get it working again.

> 2) Next-Token-Mode for RSA SecurID
> We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.
> Is there a way to handle this in FreeRADIUS?

  Sure.  There's an rlm_securid module in the server.  That should work.

  Alan DeKok.
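
The split-and-forward setup from the question, with the Access-Challenge round trip added, as an illustrative Python model. This is an added example, not code from the thread and not FreeRADIUS or rlm_securid code. The function names, the `pending` table, and the assumption that the reply to a next-token challenge carries only the 6-digit tokencode are hypothetical; all sample values are constructed.

```python
import re

TOKEN_LEN = 6  # the post states the last 6 digits are the tokencode

def split_password(user_password):
    """Return (ldap_password, tokencode), or None if the tail is not 6 digits."""
    m = re.fullmatch(r"(.+)(\d{%d})" % TOKEN_LEN, user_password, re.DOTALL)
    return (m.group(1), m.group(2)) if m else None

def route_request(attrs, pending):
    """Decide what to forward to the SecurID RADIUS server.

    attrs: request attributes (User-Name, User-Password, optional State).
    pending: dict mapping State values of relayed challenges to User-Name.
    """
    state = attrs.get("State")
    if state is not None:
        # Reply to an Access-Challenge: assumed to hold only the next
        # tokencode, so do not split it and do not re-check LDAP.
        if pending.pop(state, None) != attrs["User-Name"]:
            return {"action": "reject", "reason": "unknown State"}
        if not re.fullmatch(r"\d{%d}" % TOKEN_LEN, attrs["User-Password"]):
            return {"action": "reject", "reason": "malformed tokencode"}
        return {"action": "proxy", "ldap_password": None,
                "token": attrs["User-Password"], "State": state}
    parts = split_password(attrs["User-Password"])
    if parts is None:
        return {"action": "reject", "reason": "no tokencode in password"}
    return {"action": "proxy", "ldap_password": parts[0],
            "token": parts[1], "State": None}

def handle_reply(user, reply, pending):
    """Relay the SecurID server's reply to the NAS, tracking challenges."""
    if reply["code"] == "Access-Challenge":
        pending[reply["State"]] = user  # State must come back unchanged
        return {"code": "Access-Challenge", "State": reply["State"],
                "Reply-Message": reply.get("Reply-Message", "")}
    return {"code": reply["code"]}

def demo():
    """Constructed exchange: first login, challenge, next-token reply."""
    pending = {}
    first = route_request({"User-Name": "alice",
                           "User-Password": "s3cret123456"}, pending)
    to_nas = handle_reply("alice", {"code": "Access-Challenge",
                                    "State": b"\x01\x02",
                                    "Reply-Message": "Enter next tokencode"},
                          pending)
    second = route_request({"User-Name": "alice", "User-Password": "654321",
                            "State": to_nas["State"]}, pending)
    return first, to_nas, second
```

The point to carry into a real policy is that a request carrying State must bypass the password split, and that each State value is accepted once and only for the user it was issued to.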

More information about the Freeradius-Users mailing list