we are successfully using FreeRADIUS for some time now. Now we have two more requirements:
1) Password change in OpenLDAP via FreeRADIUS ... Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature? It's only TACACS+. The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again. 2) Next-Token-Mode for RSA SecurID
We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string in two parts and is sending the last 6 digits as Token to the RSA SecurID Server via Radius for validation. This works fine. However, in rare conditions a re-sync of the Token-device may be necessary so that the RSA SecurID Server is prompting for the next Token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS? Sure. There's an rlm_securid module in the server. That should work. Alan DeKok.
Hi Alan, thanks for your reply. Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have some that are Radius-only. I did not find the rlm_securid-module in my installation. Do I have to compile it myself? Is there a documentation somewhere? Does the module use the proprietary protocol from RSA or Radius? Thank you and best wishes Michael Gesendet: Freitag, 30. November 2018 um 15:51 Uhr Von: "Alan DeKok" <aland@deployingradius.com> An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2@gmx.net> wrote: - List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html References 1. http://www.freeradius.org/list/users.html