Two factor authentication to both LDAP directory and SecurID
Hi all, Firstly, this relates to a question asked for our project by Amy Hawke: http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-January/msg0... Since the above conversation, I've had an email discussion with Alan DeKok and clarified a few things - it seems that what we want to do is achievable with FreeRADIUS so I'd like to ask the list. Situation: We have an existing LDAP directory which holds username and password information. We purchased RSA's SecurID with the intention of implementing a second factor of authentication to be used in conjunction with our existing username and password. At the time, it was not realised that the intention of SecurID is to replace your existing source of authentication information - which will not be doing! Scenario: To pilot the SecurID product, we selected VPN access to a part of our network, protected by a Cisco ASA5500 series device. We are in the process of moving away from the MS IAS RADIUS solution to FreeRADIUS. We know that MS IAS cannot do what we want to do. What we want to do: When a user attempts to access the VPN, have them provide their username/password as well as (their same) username and tokencode from their SecurID fob. It is OK if they provide the password and tokencode separately or together. (I spoke to the folks at Radiator, and they have a programming ability in their RADIUS server to chop up the password field before it's authenticated, i.e. have the tokencode and password provided in the same field at the client, then take the first eight characters of the 'password' field, send that string plus the username to SecurID via RADIUS, and the rest of the characters from the 'password' field and the username to our LDAP directory.) Ideally we would prompt them for username, password and tokencode at the same time. Can FreeRADIUS do this (it seems that Access-Challenge is exactly what we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to solve our requirement? Thanks, -- Greg Vickers Phone: +61 7 3138 6902 IT Security Engineer & Project Manager Queensland University of Technology, CRICOS No. 00213J
Scenario: To pilot the SecurID product, we selected VPN access to a part of our network, protected by a Cisco ASA5500 series device. We are in the process of moving away from the MS IAS RADIUS solution to FreeRADIUS. We know that MS IAS cannot do what we want to do.
What we want to do: When a user attempts to access the VPN, have them provide their username/password as well as (their same) username and tokencode from their SecurID fob. It is OK if they provide the password and tokencode separately or together. (I spoke to the folks at Radiator, and they have a programming ability in their RADIUS server to chop up the password field before it's authenticated, i.e. have the tokencode and password provided in the same field at the client, then take the first eight characters of the 'password' field, send that string plus the username to SecurID via RADIUS, and the rest of the characters from the 'password' field and the username to our LDAP directory.) Ideally we would prompt them for username, password and tokencode at the same time.
Can FreeRADIUS do this (it seems that Access-Challenge is exactly what we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to solve our requirement?
Yes. There is no problem in composing Cleartext-Password "on the fly" from users password and the token.It shouldn't be too difficult to create a perl script that does that. You can have problems only id you insist that stored passwords should be encrypted. That can be sorted in reverse: you would split th User-Password from the request and create custom authentication script that would check both parts. But that will work only for pap requests. Ivan Kalik Kalik Informatika ISP
Hi Ivan, tnt@kalik.net wrote:
Scenario: To pilot the SecurID product, we selected VPN access to a part of our network, protected by a Cisco ASA5500 series device. We are in the process of moving away from the MS IAS RADIUS solution to FreeRADIUS. We know that MS IAS cannot do what we want to do.
What we want to do: When a user attempts to access the VPN, have them provide their username/password as well as (their same) username and tokencode from their SecurID fob. It is OK if they provide the password and tokencode separately or together. (I spoke to the folks at Radiator, and they have a programming ability in their RADIUS server to chop up the password field before it's authenticated, i.e. have the tokencode and password provided in the same field at the client, then take the first eight characters of the 'password' field, send that string plus the username to SecurID via RADIUS, and the rest of the characters from the 'password' field and the username to our LDAP directory.) Ideally we would prompt them for username, password and tokencode at the same time.
Can FreeRADIUS do this (it seems that Access-Challenge is exactly what we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to solve our requirement?
Yes. There is no problem in composing Cleartext-Password "on the fly" from users password and the token.It shouldn't be too difficult to create a perl script that does that.
Excellent! So the username and tokencode/password is passed from the NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to extract the tokencode and password from the password field on the FreeRADIUS server, right? This script would then present both sets of credentials back to the FreeRADIUS server and they would then be authenticated to their respective sources? I take it that we cannot do this natively in FreeRADIUS without writing such a script?
You can have problems only id you insist that stored passwords should be encrypted. That can be sorted in reverse: you would split th User-Password from the request and create custom authentication script that would check both parts. But that will work only for pap requests.
I guess that we would prefer that the password is encrypted, we wouldn't want the passwords to be able to be viewed by someone who had access to the FreeRADIUS server. Can you elaborate on 'custom auth script', does this mean that such a script would have to talk directly to our LDAP directory as well as the SecurID server? I was hoping to have only the FreeRADIUS server talking to our LDAP and SecurID servers. Thanks, -- Greg Vickers Phone: +61 7 3138 6902 IT Security Engineer & Project Manager Queensland University of Technology, CRICOS No. 00213J
Yes. There is no problem in composing Cleartext-Password "on the fly" from users password and the token.It shouldn't be too difficult to create a perl script that does that.
Excellent! So the username and tokencode/password is passed from the NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to extract the tokencode and password from the password field on the FreeRADIUS server, right?
Yes. But you say later that you won't be using clear text passwords. So, forget that. Instead script will be spliting the value passed in the User-Password field in the request.
This script would then present both sets of credentials back to the FreeRADIUS server and they would then be authenticated to their respective sources?
I take it that we cannot do this natively in FreeRADIUS without writing such a script?
No.
You can have problems only id you insist that stored passwords should be encrypted. That can be sorted in reverse: you would split th User-Password from the request and create custom authentication script that would check both parts. But that will work only for pap requests.
I guess that we would prefer that the password is encrypted, we wouldn't want the passwords to be able to be viewed by someone who had access to the FreeRADIUS server.
That would limit you to using pap authentication.
Can you elaborate on 'custom auth script', does this mean that such a script would have to talk directly to our LDAP directory as well as the SecurID server?
No.
I was hoping to have only the FreeRADIUS server talking to our LDAP and SecurID servers.
Yes, server can get those values and make them available to the auth script. Ivan Kalik Kalik Informatika ISP
Hi Ivan, tnt@kalik.net wrote:
Yes. There is no problem in composing Cleartext-Password "on the fly" from users password and the token.It shouldn't be too difficult to create a perl script that does that. Excellent! So the username and tokencode/password is passed from the NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to extract the tokencode and password from the password field on the FreeRADIUS server, right?
Yes. But you say later that you won't be using clear text passwords. So, forget that. Instead script will be spliting the value passed in the User-Password field in the request.
I've talked to the group who run our FreeRADIUS server and using clear passwords in this case is fine.
This script would then present both sets of credentials back to the FreeRADIUS server and they would then be authenticated to their respective sources?
I take it that we cannot do this natively in FreeRADIUS without writing such a script?
No.
You can have problems only id you insist that stored passwords should be encrypted. That can be sorted in reverse: you would split th User-Password from the request and create custom authentication script that would check both parts. But that will work only for pap requests. I guess that we would prefer that the password is encrypted, we wouldn't want the passwords to be able to be viewed by someone who had access to the FreeRADIUS server.
That would limit you to using pap authentication.
We use PAP authentication to authenticate to our directory, so no problems there.
Can you elaborate on 'custom auth script', does this mean that such a script would have to talk directly to our LDAP directory as well as the SecurID server?
No.
I was hoping to have only the FreeRADIUS server talking to our LDAP and SecurID servers.
Yes, server can get those values and make them available to the auth script.
So I think what will happen is this: - username/tokencode-password is passed from the Cisco ASA device - this data is passed in cleartext to the script - script splits the username/tokencode and username/password - script proxies the u/tc via RADIUS to SecurID - script uses PAP to pass the u/p to out directory - script does these checks in sequence or concurrently - once both sets of credentials are accepted, an accept is passed back to the Cisco ASA device Does this sound right? Cheers, -- Greg Vickers Phone: +61 7 3138 6902 IT Security Engineer & Project Manager Queensland University of Technology, CRICOS No. 00213J
So I think what will happen is this: - username/tokencode-password is passed from the Cisco ASA device - this data is passed in cleartext to the script - script splits the username/tokencode and username/password - script proxies the u/tc via RADIUS to SecurID - script uses PAP to pass the u/p to out directory - script does these checks in sequence or concurrently - once both sets of credentials are accepted, an accept is passed back to the Cisco ASA device
Does this sound right?
Mostly. You will have to get the password from ldap rather then send it to it. And the check it in pre-proxy (save yourself a proxy if user/pass don't match). This should work with pap requests. Ivan Kalik Kalik Informatika ISP
Hi Ivan, tnt@kalik.net wrote:
So I think what will happen is this: - username/tokencode-password is passed from the Cisco ASA device - this data is passed in cleartext to the script - script splits the username/tokencode and username/password - script proxies the u/tc via RADIUS to SecurID - script uses PAP to pass the u/p to out directory - script does these checks in sequence or concurrently - once both sets of credentials are accepted, an accept is passed back to the Cisco ASA device
Does this sound right?
Mostly. You will have to get the password from ldap rather then send it to it. And the check it in pre-proxy (save yourself a proxy if user/pass don't match). This should work with pap requests.
Ah, thank you! Apologies for the (to you) obvious problems in my questions and statements, I've never done any RADIUS or LDAP configuration before. Cheers, -- Greg Vickers Phone: +61 7 3138 6902 IT Security Engineer & Project Manager Queensland University of Technology, CRICOS No. 00213J
participants (2)
-
Greg Vickers -
tnt@kalik.net