I frontend our secureID server with FR. but that is only doing PAP. The way I do this is radius proxy whre the FR is running on the same box different port. I don't understand what you are trying to do here. If a user tried to authenticate you want the PIN to authenticate on radius? and the rest somewhere else? --- "Drumm, Daniel" <dgdrumm@bf.umich.edu> wrote:
As some of you may know, RSA SecurID servers now support RADIUS. The Auth Manager comes with the Funk RADIUS sever embedded into it, and supports a number of auth types, including EAP-OTP as well as the usual types such as CHAP.
Is it possible to front end this type of server with FreeRADIUS, so that NAS-Clients can send a tokencode prepended to, say, a Kerberos password - and have the FreeRADIUS server forward the first 6 digits of the field to the RSA server for tokencode validation - and the remaining charcters to another RADIUS server, one that front-ends a Kerberos system? Only when both fields return true is the authentication true.
Is this possible? I was looking at the various scripting options in radius.conf, and don't know of anyone who has done this. Or if it can be done.
Thank you.
Dan.
# # Pre-accounting. Decide which accounting type to use. # preacct { preprocess
# # Ensure that we have a semi-unique identifier for every # request, and many NAS boxes are broken. acct_unique
# # Look for IPASS-style 'realm/', and if not found, look for # '@realm', and decide whether or not to proxy, based on # that. # # Accounting requests are generally proxied to the same # home server as authentication requests. # IPASS suffix # ntdomain
# # Read the 'acct_users' file files }
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html ____________________________________________________________________________________ Finding fabulous fares is fun. Let Yahoo! FareChase search your favorite travel sites to find flight and hotel bargains. http://farechase.yahoo.com/promo-generic-14795097