Hi, Just wondering if anyone on here had some experience with authenticating against a SecurID management server. I think the easiest way would be just to proxy to the RSA RADIUS Server (Funk), but I see there are some PAM modules available from RSA. So if anyone been successful using either of these methods, FR Version and Method (PAM,Proxy) info would be greatly appreciated. Seems like something useful that could go into the wiki. Thanks, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
On Wed, 2007-12-12 at 16:44 +0000, Arran Cudbard-Bell wrote:
I think the easiest way would be just to proxy to the RSA RADIUS Server
I do the exact same thing, except I use Entrust IdentityGuard RADIUS proxy. Entrust and FreeRadius are tied to OpenLDAP. Works well. Entrust++. ~BAS
The PAM module for RSA(ACE) does work except in one case: - an account in 'next token mode' or 'new pin mode' causes FreeRADIUS to spin out and swallow all of the memory on the host running it till it crashes. I have not nailed down yet if it is PAM or FreeRADIUS but as example, OpenSSH has no issue dealing with either instance. Not laying blame, I just do not know the root cause of the issue yet. On Wednesday 12 December 2007, Arran Cudbard-Bell wrote:
Hi,
Just wondering if anyone on here had some experience with authenticating against a SecurID management server. I think the easiest way would be just to proxy to the RSA RADIUS Server (Funk), but I see there are some PAM modules available from RSA.
So if anyone been successful using either of these methods, FR Version and Method (PAM,Proxy) info would be greatly appreciated.
Seems like something useful that could go into the wiki.
Thanks, Arran
-- -------------------------------------------------- Jeremy M. Guthrie jeremy.guthrie@berbee.com Managed Cisco Security Solutions Senior Network Engineer Phone: 608-298-1061 CDW Berbee Fax: 608-288-3007 5520 Research Park Drive NOC: 608-298-1102 Madison, WI 53711
Jeremy M. Guthrie wrote:
The PAM module for RSA(ACE) does work except in one case: - an account in 'next token mode' or 'new pin mode' causes FreeRADIUS to spin out and swallow all of the memory on the host running it till it crashes.
Ouch.
I have not nailed down yet if it is PAM or FreeRADIUS but as example, OpenSSH has no issue dealing with either instance. Not laying blame, I just do not know the root cause of the issue yet.
It's likely the rlm_pam module. That code hasn't been touched in a *long* time. I don't claim to understand PAM. I find it very confusing. Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Brian A. Seklecki -
Jeremy M. Guthrie