david@mitton.com wrote:
If the RSA Authentication Manager, finds that the token is in New Pin or Next Tokencode mode, it will issue an Access-Challenge message with the Reply-Message attribute explaining the next step. The client is expected to display the text, and prompt the user, then send another Access-Request with the response in the password attribute. This exchange can continue through several steps, until an Access-Accepted or -Rejected is received.
Only a few RADIUS test clients can actually deal with this. I don't know (off the top of my head) which production clients we recommend.
The pam_radius_auth module on FreeRADIUS.org was written specifically to deal with this situation.
Of course, for the best security the EAP-POTP method is our recommended authentication protocol.
I don't suppose you have server code to contribute? :) Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog