On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2@gmx.net> wrote:
we are successfully using FreeRADIUS for some time now. Now we have two more requirements:
1) Password change in OpenLDAP via FreeRADIUS ... Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature?
It's only TACACS+. The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again.
2) Next-Token-Mode for RSA SecurID
We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS?
Sure. There's an rlm_securid module in the server. That should work. Alan DeKok.