Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm" ksk2 at
Fri Nov 30 16:24:39 CET 2018

   Hi Alan,

   thanks for your reply.

   Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
   some that are RADIUS-only.

   I did not find the rlm_securid module in my installation. Do I have to
   compile it myself? Is there documentation somewhere? Does the module
   use the proprietary protocol from RSA or RADIUS?

   Thank you and best wishes


   Sent: Friday, 30 November 2018 at 15:51
   From: "Alan DeKok" <aland at>
   To: "FreeRadius users mailing list"
   <freeradius-users at>
   Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID

   On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2 at> wrote:
   > we are successfully using FreeRADIUS for some time now. Now we have
   > two more requirements:
   > 1) Password change in OpenLDAP via FreeRADIUS
   > ...
   > Can we implement password changes with FreeRADIUS as well when the
   > NAS supports this or is this a TACACS+-only feature?

   It's only TACACS+.

   The good news is that v4 should have a TACACS+ front end. It was
   working a few months ago, and then we did some rearchitecture. So it
   doesn't work today. But it's likely only a few days to get it working

   > 2) Next-Token-Mode for RSA SecurID
   > We are using Two-Factor-Authentication with FreeRADIUS and RSA
   > SecurID. FreeRADIUS / unlang splits the password string in two parts
   > and is sending the last 6 digits as Token to the RSA SecurID Server via
   > Radius for validation. This works fine. However, in rare conditions a
   > re-sync of the Token-device may be necessary so that the RSA SecurID
   > Server is prompting for the next Token. Access-Challenges are used in
   > this case.
   > Is there a way to handle this in FreeRADIUS?

   Sure. There's an rlm_securid module in the server. That should work.

   Alan DeKok.