FreeRadius working as proxy Radius for RSA ACE Server
David Mitton
david at mitton.com
Sat Nov 25 06:35:49 CET 2006
On 11/23/2006 11:34 AM, Alan DeKok wrote:
>Luis wrote:
> > Hi there,
> >
> > Is there anyone with experience with FreeRadius working as proxy for the
> > RSA ACE Server?
>
> Yes. RSA ACE is just a re-branded Funk server.
>
> Alan DeKok.
Careful here.
The RSA SecurID Server, (aka the ACE Server or more properly
the Authentication Manager) that holds the SecurID user and token
database, and authenticates the token codes, proper doesn't speak
RADIUS but a proprietary secured protocol. The API to this
protocol's client module is documented.
Versions 5.6 and 6.0 of the ACE Server include an optional
RADIUS server that accepts PAP requests with a SecurID passcode (PIN
+ tokencode) and proxies them to the ACE Server. This server is
based on the original Livingston RADIUS server code. This server did
not support EAP protocols. The Windows version of the server
includes a Windows EAP module that supports our SecurID EAP
method. This module works directly with the Windows RAS and VPN
servers, or via the Microsoft IAS RADIUS Server.
Version 6.1 of the Auth Manager Server includes an custom
version of SBR that accepts RADIUS requests and only proxies them to
the Auth Manager. It supports PAP/SecurID, EAP-GTC, EAP-SecurID,
and EAP-Protected OTP. And with TTLS, PEAPv0, and PEAPv1
support. It's supported on Windows and several UNIX platforms. It
does not support any other form of authentication. The Windows EAP
DLL is still provided and now supports EAP-POTP as well.
Any of these RADIUS requests could be proxied by any
reasonable RADIUS proxy. There's nothing special about the RADIUS
aspects of these requests, just the authentication content.
Dave.
More information about the Freeradius-Users
mailing list