As some of you may know, RSA SecurID servers now support RADIUS. The Auth Manager comes with the Funk RADIUS sever embedded into it, and supports a number of auth types, including EAP-OTP as well as the usual types such as CHAP.

Is it possible to front end this type of server with FreeRADIUS, so that NAS-Clients can send a tokencode prepended to, say, a Kerberos password - and have the FreeRADIUS server forward the first 6 digits of the field to the RSA server for tokencode validation - and the remaining charcters to another RADIUS server, one that front-ends a Kerberos system? Only when both fields return true is the authentication true.

Is this possible? I was looking at the various scripting options in radius.conf, and don't know of anyone who has done this. Or if it can be done.

Thank you.

Dan.



#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
        preprocess

        #
        #  Ensure that we have a semi-unique identifier for every
        #  request, and many NAS boxes are broken.
        acct_unique

        #
        #  Look for IPASS-style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
        #
        #  Accounting requests are generally proxied to the same
        #  home server as authentication requests.
#       IPASS
        suffix
#       ntdomain

        #
        #  Read the 'acct_users' file
        files
}