Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
ksk2 at gmx.net
Fri Nov 30 16:24:39 CET 2018
Thanks for your reply.
Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
some that are Radius-only.
I did not find the rlm_securid-module in my installation. Do I have to
compile it myself? Is there documentation somewhere? Does the module
use the proprietary protocol from RSA or Radius?
Thank you and best wishes
Sent: Friday, 30 November 2018 at 15:51
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID
On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2 at gmx.net> wrote:
> we are successfully using FreeRADIUS for some time now. Now we have
> two more requirements:
> 1) Password change in OpenLDAP via FreeRADIUS
> Can we implement password changes with FreeRADIUS as well when the
> NAS supports this or is this a TACACS+-only feature?
It's only TACACS+.
The good news is that v4 should have a TACACS+ front end. It was
working a few months ago, and then we did some rearchitecture. So it
doesn't work today. But it's likely only a few days to get it working
> 2) Next-Token-Mode for RSA SecurID
> We are using Two-Factor-Authentication with FreeRADIUS and RSA
> SecurID. FreeRADIUS / unlang splits the password string in two parts
> and is sending the last 6 digits as Token to the RSA SecurID Server via
> Radius for validation. This works fine. However, in rare conditions a
> re-sync of the Token-device may be necessary so that the RSA SecurID
> Server is prompting for the next Token. Access-Challenges are used in
> Is there a way to handle this in FreeRADIUS?
Sure. There's an rlm_securid module in the server. That should work.
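
Added example, not part of the thread and not FreeRADIUS or rlm_securid code: a Python model of the flow discussed above, where the first request is split into a first factor plus a 6-digit tokencode and a Next-Token Access-Challenge is answered in a second request carrying the RADIUS State attribute. `Frontend`, `check_first`, `ask_securid` and `pending` are hypothetical names, and it is assumed that the answer to the challenge contains only the next tokencode, so it must not be split again.

```python
import re
from typing import Callable, Dict, Optional, Tuple

TOKEN_LEN = 6  # the thread says the last 6 digits are the tokencode
Reply = Tuple[str, Optional[bytes]]  # (RADIUS reply code, State attribute)

def split_password(password: str) -> Tuple[str, str]:
    """Split 'first factor + tokencode'; raise ValueError if it cannot be split."""
    m = re.fullmatch(r"(.+)([0-9]{%d})" % TOKEN_LEN, password, re.DOTALL)
    if m is None:
        raise ValueError("password does not end in a tokencode")
    return m.group(1), m.group(2)

class Frontend:
    """check_first and ask_securid are hypothetical stand-ins for the
    first-factor check and the RADIUS request proxied to the SecurID server."""

    def __init__(self, check_first: Callable[[str, str], bool],
                 ask_securid: Callable[[str, str, Optional[bytes]], Reply]):
        self.check_first = check_first
        self.ask_securid = ask_securid
        self.pending: Dict[bytes, str] = {}  # State -> user who passed factor one

    def handle(self, user: str, password: str,
               state: Optional[bytes] = None) -> Reply:
        if state is None:
            # First round: split, verify the first factor, then send the token.
            try:
                first, token = split_password(password)
            except ValueError:
                return ("Access-Reject", None)
            if not self.check_first(user, first):
                return ("Access-Reject", None)
        else:
            # Answer to an Access-Challenge: the password is only the next
            # tokencode. Accept a State once, and only for the user it was
            # issued to, so the first-factor check cannot be skipped.
            if self.pending.pop(state, None) != user:
                return ("Access-Reject", None)
            if re.fullmatch(r"[0-9]{%d}" % TOKEN_LEN, password) is None:
                return ("Access-Reject", None)
            token = password
        reply = self.ask_securid(user, token, state)
        if reply[0] == "Access-Challenge" and reply[1] is not None:
            self.pending[reply[1]] = user  # relay challenge and State to the NAS
        return reply
```

The `pending` table is what keeps a request that arrives with an unknown or replayed State from reaching the token check without ever passing the first factor.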