Access-Challenge authentication via both LDAP and SecurID
Hi, I'm trying to implement two factor authentication using a CISCO VPN device, freeRADIUS, and RSA SecurID tokens. We would like to utilise existing username/password infrastructure by performing this part of the authentication on the LDAP directories and then the username/token-code authentication to occur via the RSA product. The initial LDAP authentication has been implemented correctly. Is it possible to use FreeRADIUS to perform an initial authentication Username/Password and respond with an Access-Challenge and then when the the second Access-Request comes through, proxy it through to the RSA Authentication Manager? And if so, what is the best approach to take to implement this? Thanks for your help with this, Amz _________________________________________________________________ It's simple! Sell your car for just $40 http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2...
Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP. if(NAS-IP-Address == 10.0.0.1){ update control{ Response-Packet-Type := Access-Challenge } updated } After the authentication is performed further attributes have been added. if(NAS-IP-Address == 10.0.0.1){ update reply{ Packet-Type := Access-Challenge State := 1 Reply-Message := "Token Code" } ok } This gives the following reply. Packet-Type = Access-Accept Packet-Type = Access-Challenge State = 0x31 Reply-Message = "Token Code" The following is the debug output: ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 193 ++[files] returns ok ++? if (NAS-IP-Address == 10.0.0.1) ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 10.0.0.1) +++[control] returns ok +++[updated] returns updated ++- if (NAS-IP-Address == 10.0.0.1) returns updated rlm_ldap: - authorize rlm_ldap: performing user authorization for bob WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bob) expand: ou=people,...-> ou=people,... rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,..., with filter (uid=bob) rlm_ldap: Added the eDirectory password password00 in check items as Cleartext-Password rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute eduPersonPrincipalName as RADIUS attribute Principal-Name == "bob" rlm_ldap: LDAP attribute ... rlm_ldap: LDAP attribute ... rlm_ldap: LDAP attribute ... rlm_ldap: LDAP attribute ... rlm_ldap: looking for reply items in directory... rlm_ldap: user bob authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (NAS-IP-Address == 10.0.0.1) ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE ++- entering if (NAS-IP-Address == 10.0.0.1) +++[reply] returns ok +++[ok] returns ok ++- if (NAS-IP-Address == 10.0.0.1) returns ok ++[expiration] returns noop ++[logintime] returns noop Can the Access-Accept be changed to an Access-Challenge? Thanks _________________________________________________________________ Need a new place to rent, share or buy? Let ninemsn property help http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Eseek%2Ecom%2Eau%2F...
Amy Hawke wrote:
Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP.
That won't work. Can you say what you're trying to do? What NAS equipment are you using?
Can the Access-Accept be changed to an Access-Challenge?
Not right now. Alan DeKok.
Can you say what you're trying to do? What NAS equipment are you using?
We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code. The RSA product is unable to connect to our current directories, so if possible we would like to perform the first step using FreeRADIUS and then proxy the second part of the request through to the RSA Authentication manager. It is for a VPN setup utilising CISCO ASA5550. Thanks, Amy _________________________________________________________________ Want to marry your mail? Combine your email accounts here! http://livelife.ninemsn.com.au/article.aspx?id=669758
Amy Hawke wrote:
We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code.
That will likely *not* work. The NAS has to support this behavior, and usually doesn't.
The RSA product is unable to connect to our current directories, so if possible we would like to perform the first step using FreeRADIUS and then proxy the second part of the request through to the RSA Authentication manager.
We're currently working to get FreeRADIUS integrated with the RSA token libraries. There are licensing restrictions, so the resulting code will likely not be part of the "official" release. But it should be available. Alan DeKok.
Thanks Alan for the quick responses. We will look for other solutions in the meantime. Thanks, Amy _________________________________________________________________ It's simple! Sell your car for just $40 http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2...
participants (3)
-
Alan DeKok -
Amy Hawke -
tnt@kalik.net