SecurID authentication

David Mitton david at mitton.com
Tue Jun 6 18:53:10 CEST 2006


Darshak,
	
I'm not a legal representative, but Michael's response is for
someone that wishes to sell or distribute(?) a product that uses the
SecurID service.

While doing a RADIUS proxy to the new RADIUS server may be the correct
approach, if you are an owner of a SecurID server solution, you can
certainly develop code to use your licensed server for whatever
application you wish.

The product offering includes an ACE Client SDK which gives you a
C-language API for doing SecurID authentication. It would be fairly
straightforward to develop your own FreeRADIUS module, but there are
details with New PIN assignment and Next Token mode that get messy. The
server uses Access-Challenge for them.

Also the new server includes EAP support for several methods.  So proxy
may still be the best path.

David Mitton
Software Development,
RSA Security, Inc.

PS: I urge all senders to use meaningful Subject lines, the original
message was discarded by me on first pass as spam.

----- Original Message -----

From: "Michael Lecuyer" <mjl at theorem.com>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Subject: Re: Hello,
Date: Tue, 06 Jun 2006 09:08:16 -0400


It would be difficult to say how RADIUS would interact with the actual
ACE server since it's a proprietary system. In 2002 I thought about
going down this route and I'm summarizing from the 5 page SecurID
integration document.

You must write code that uses RSA's 'RSA Agent' software to communicate
with the RSA ACE server. You must become a partner at a cost of ten
thousand dollars for each product each year you provide the product(s).
You must pay RSA twenty percent of your product's licensing fee. And you
must have RSA certify it and may be required to provide a training
program for RSA certification technicians. The sublicense agreement with
RSA is incompatible with any open source software.

The best thing to do is use FreeRadius as a proxy to the RSA RADIUS
server.

From a client's point of view the ACE RADIUS server may require a
simple CHAP/PAP transaction or there may be challenges asking for more
information. It depends on the RSA server configuration.

darshak wrote:
> Hi All,
>      I'm new to AAA things. I want to know how I can support RSA
> ACE/Server in freeradius.
> Does anyone have details on how the interaction is made between RADIUS
> and RSA/ACE-server, in a general scenario?
>
>
> Rgds
> Darshak
>







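Added example (not part of the thread, and not RSA or FreeRADIUS code): the client side of the Access-Challenge round trip that both messages mention, with packet layout, User-Password hiding and the Response Authenticator check as defined in RFC 2865. The function names, user, shared secret, prompt text and State value are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding, as used for PAP."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def access_request(ident, secret, user, passcode, state=None):
    authenticator = os.urandom(16)
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(passcode, secret, authenticator))
    if state is not None:
        body += attr(STATE, state)  # ties this request to the pending challenge
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= min(length, len(packet)):
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs

def constructed_challenge(request, secret):
    """Constructed sample reply (not captured traffic) with a made-up prompt and State."""
    body = attr(REPLY_MESSAGE, b"Enter next tokencode") + attr(STATE, b"sample-state-01")
    head = struct.pack("!BBH", ACCESS_CHALLENGE, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def answer_challenge(request, reply, secret, user, next_passcode):
    """Verify an Access-Challenge, then build the follow-up request echoing State."""
    code, ident, reply_auth, attrs = parse(reply)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if code != ACCESS_CHALLENGE or ident != request[1] or not hmac.compare_digest(expected, reply_auth):
        raise ValueError("reply is not an authentic Access-Challenge for this request")
    followup = access_request((ident + 1) % 256, secret, user, next_passcode, attrs.get(STATE))
    return attrs.get(REPLY_MESSAGE, b"").decode(), followup
```

A proxy in front of the RSA RADIUS server has to pass Reply-Message and State through unchanged in both directions, since the follow-up request is only matched to the pending challenge by the echoed State value.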