FreeRadius working as proxy Radius for RSA ACE Server

David Mitton david at
Sat Nov 25 06:35:49 CET 2006

On 11/23/2006 11:34 AM, Alan DeKok wrote:
>Luis wrote:
> > Hi there,
> >
> > Is there anyone with experience with FreeRadius working as proxy for the
> > RSA ACE Server?
>   Yes.  RSA ACE is just a re-branded Funk server.
>   Alan DeKok.

Careful here.

         The RSA SecurID Server, (aka the ACE Server or more properly 
the Authentication Manager) that holds the SecurID user and token 
database, and authenticates the token codes, proper doesn't speak 
RADIUS but a proprietary secured protocol.  The API to this 
protocol's client module is documented.

         Versions 5.6 and 6.0 of the ACE Server include an optional 
RADIUS server that accepts PAP requests with a SecurID passcode (PIN 
+ tokencode) and proxies them to the ACE Server.   This server is 
based on the original Livingston RADIUS server code.  This server did 
not support EAP protocols.   The Windows version of the server 
includes a Windows EAP module that supports our SecurID EAP 
method.  This module works directly with the Windows RAS and VPN 
servers, or via the Microsoft IAS RADIUS Server.

         Version 6.1 of the Auth Manager Server includes an custom 
version of SBR that accepts RADIUS requests and only proxies them to 
the Auth Manager.   It supports PAP/SecurID, EAP-GTC, EAP-SecurID, 
and EAP-Protected OTP.  And with TTLS, PEAPv0, and PEAPv1 
support.  It's supported on Windows and several UNIX platforms.  It 
does not support any other form of authentication.   The Windows EAP 
DLL is still provided and now supports EAP-POTP as well.

         Any of these RADIUS requests could be proxied by any 
reasonable RADIUS proxy.  There's nothing special about the RADIUS 
aspects of these requests, just the authentication content.


More information about the Freeradius-Users mailing list