Hi Ivan, tnt@kalik.net wrote:
So I think what will happen is this: - username/tokencode-password is passed from the Cisco ASA device - this data is passed in cleartext to the script - script splits the username/tokencode and username/password - script proxies the u/tc via RADIUS to SecurID - script uses PAP to pass the u/p to out directory - script does these checks in sequence or concurrently - once both sets of credentials are accepted, an accept is passed back to the Cisco ASA device
Does this sound right?
Mostly. You will have to get the password from ldap rather then send it to it. And the check it in pre-proxy (save yourself a proxy if user/pass don't match). This should work with pap requests.
Ah, thank you! Apologies for the (to you) obvious problems in my questions and statements, I've never done any RADIUS or LDAP configuration before. Cheers, -- Greg Vickers Phone: +61 7 3138 6902 IT Security Engineer & Project Manager Queensland University of Technology, CRICOS No. 00213J