Dan Geist explained what it was I am trying to do. His suggestion is the way I will look, to use a perl module to split the authentication.

Time for some ASCII Art (bad)


NAS ---> FR

(this field passes the password via RADIUS/PAP, and is the securID tokencode + kerberos pwd.)

( ex: user:jdoe pwd:549872MyPassword )

FR then splits the first 6 characters, and sends the authentication to the RADIUS listener that RSA bundles with Auth Mgr 6.1.

FR ----> RSA-AuthMgr-RADIUS-listener
|
|-------> Campus Kerberos RADIUS server

It then sends the campus Kerberos password (i.e. MyPassword) to the campus RADIUS server that front ends the Kerberos system.

Since RADIUS is an async network protocol, Freeradius will have to set timers and wait for each to be successful before returning an accept to the NAS for the RADIUS request which it proxied. As Dan explained, this will probably be independent PAM calls to the two methods.

Could be tricky.

Dan @ UM.

----

Message: 2
Date: Tue, 23 Jan 2007 14:05:32 -0800 (PST)
From: Agent Smith <news8080@yahoo.com>
Subject: Re: Splitting the password field in freeRADIUS
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <529131.95171.qm@web50915.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1


I frontend our secureID server with FR. but that is
only doing PAP. The way I do this is radius proxy whre
the FR is running on the same box different port.

I don't understand what you are trying to do here. If
a user tried to authenticate you want the PIN to
authenticate on radius? and the rest somewhere else?