Hi all, I run with Freeradius 2.1, CiscoASA and RSASecurid "OTP"+RSARadius. I set my CiscoASA to authenticate against freeradius. On this freeradius server, i created a realm "OTP" which proxy the request to a RSARadius (the only one who can ask RSAOTP Securid database). So when i authenticate with myuserlogin@OTP/Passcode with my CiscoVPNclient, the authentication is successful. No pb. Here's the log: ======(log) [suffix] Looking up realm "otp" for User-Name = "xxxxxxxxxx@otp" [suffix] Found realm "otp" [suffix] Adding Stripped-User-Name = "xxxxxxxxxx" [suffix] Adding Realm = "otp" [suffix] Proxying request from user xxxxxxxxxx to realm otp [suffix] Preparing to proxy authentication request to realm "otp" ++[suffix] returns updated ... rad_recv: Access-Accept packet from host 192.168.1.1 port 1812, id=4, length=85 Class = x53425232434cd5a0c3accfca8fd9efc01180270180038198 Proxy-State = 0x313530 ======(end of log) The second thing i want to do is to "import" the user's "policy group" (radiusClass) and its own IP Address (radiusFramedIPAddress). Those attributes are located in a LDAP directory server. So i decided to add the "ldap" module in the authorization section of my freeradius conf files. In the logs, i clearly see that freeradius is doing a great job (asking and receiving my ldap attrs) ======(log) [ldap] performing user authorization for xxxxxxxxxx WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=xxxxxxxxxx) expand: o=gouv,c=fr -> o=gouv,c=fr rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection ... rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=gouv,c=fr, with filter (uid=xxxxxxxxxx) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... rlm_ldap: radiusClass -> Class = 0x646976696e666f rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 1.2.3.4 WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user xxxxxxxxxxx authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ======(end of log) My problem is that that finally i get 2 successful auth (i interpret it like these sorry...), and Freeradius "chooses" Auth-Type=Accept (ProxyRSARadius Response which doesn't contain my class and framedipaddress i need to push to my CiscoASA) ======(log) Found Auth-Type = LDAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user 'xxxxxxxxxxx' Auth-Type = Accept, accepting the user +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 150 to 192.168.1.2 port 1025 Class = 0x53425232434cd5a0c3accfca8fd9efc0118027018 Finished request 0. ======(end of log) In other words (sorry for being so long), i would love to authenticate againt my OTP RSASecurid boxes and concatenate Radius attributes found in a LDAP directory... Where should i go? post_proxy module? Any help would be greatly appreciated. Kind regards, Paul -- ============================ Paul TAVERNIER Equipe Reseaux-Securite Division Informatique Rectorat de ROUEN