RE: SecurID authentication
Darshak, I'm not a legal representative, but Michael's response is for someone that wishes to sell or distribute(?) a product that uses the SecurID service While doing a RADIUS proxy to for the new RADIUS server may be the correct approach, if you are an owner of a SecurID server solution, you can certainly develop code to use your licensed server for whatever application you wish. The product offering includes an ACE Client SDK which gives you a C-language API for doing SecurID authentication. It would be fairly straight forward to develop your own Free RADIUS module, but there are details with New Pin assignment and Next Token mode that get messy. The server uses Access-Challenge for them. Also the new server includes EAP support for several methods. So proxy may still be the best path. David Mitton Software Development, RSA Security, Inc. PS: I urge all senders to use meaningful Subject lines, the original message was discarded by me on first pass as spam. ----- Original Message ----- From: "Michael Lecuyer" <mjl@theorem.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Hello, Date: Tue, 06 Jun 2006 09:08:16 -0400 It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system. In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document. You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner a a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians. The sublicense agreement with RSA is incompatible with any open source software. The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server. From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration. darshak wrote:
Hi All I m new to AAA things.I want how can I support RSA ACE/Server in freeradius. Can anyone has details How interaction is made between RADIUS and RSA/ACE-server?. in general scenario
Rgds DArshak
Thanxs David,This has been useful to me . Although proxy is best answer.I just wanna go in some details. If i own RSA ACE/server,then does it come with RSa Ace/client agent? Then what i need to do is write a code that talks with Freeradius and RSA ACE/client? Or I need not do it? Is this RSA/Ace server comes with client that talks to RADIUS? and I can be free from coding burden? Can u please explain How RADIUS <-->RSA/ACe server talk to each other?[if i not use proxy ] I have read that Lucent and SBR supports this RSA/ACE SecurID so how they actually support?Do they have coded extra or by proxy ? Thanxs again for your help Rgds Darshak ----- Original Message ----- From: "David Mitton" <david@mitton.com> To: <freeradius-users@lists.freeradius.org> Sent: Tuesday, June 06, 2006 10:23 PM Subject: RE: SecurID authentication
Darshak,
I'm not a legal representative, but Michael's response is for someone that wishes to sell or distribute(?) a product that uses the SecurID service
While doing a RADIUS proxy to for the new RADIUS server may be the correct approach, if you are an owner of a SecurID server solution, you can certainly develop code to use your licensed server for whatever application you wish.
The product offering includes an ACE Client SDK which gives you a C-language API for doing SecurID authentication. It would be fairly straight forward to develop your own Free RADIUS module, but there are details with New Pin assignment and Next Token mode that get messy. The server uses Access-Challenge for them.
Also the new server includes EAP support for several methods. So proxy may still be the best path.
David Mitton Software Development, RSA Security, Inc.
PS: I urge all senders to use meaningful Subject lines, the original message was discarded by me on first pass as spam.
----- Original Message -----
From: "Michael Lecuyer" <mjl@theorem.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: Hello, Date: Tue, 06 Jun 2006 09:08:16 -0400
It would be difficult to say how RADIUS would interact with the actual ACE server since it's a proprietary system. In 2002 I thought about going down this route and I'm summarizing from the 5 page SecurId integration document.
You must write code that uses RSA's 'RSA Agent' software to communicate with the RSA ACE server. You must become a partner a a cost of ten thousand dollars for each product each year you provide the product(s). You must pay RSA twenty percent of your product's licensing fee. And you must have RSA certify it and may be required to provide a training program for RSA certification technicians. The sublicense agreement with RSA is incompatible with any open source software.
The best thing to do is use FreeRadius as a proxy to the RSA RADIUS server.
From a client's point of view the ACE RADIUS server may require a simple CHAP/PAP transaction or there may be challenges asking for more information. It depends on the RSA server configuration.
darshak wrote:
Hi All I m new to AAA things.I want how can I support RSA ACE/Server in freeradius. Can anyone has details How interaction is made between RADIUS and RSA/ACE-server?. in general scenario
Rgds DArshak
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
darshak -
David Mitton