RADIUS PAP-SecurID Access-Challenge

david at mitton.com
Tue Nov 28 18:29:43 CET 2006

I'm sorry,
  The other day I said that there is nothing "unusual" about SecurID 
RADIUS authentication.  I'm so used to EAP, I forgot about the PAP auth 
with a SecurID value as a password.

If the RSA Authentication Manager finds that the token is in New Pin 
or Next Tokencode mode, it will issue an Access-Challenge message with 
the Reply-Message attribute explaining the next step.
The client is expected to display the text, and prompt the user, then 
send another Access-Request with the response in the password 
attribute.   This exchange can continue through several steps, until an 
Access-Accepted or -Rejected is received.

Only a few RADIUS test clients can actually deal with this.  I don't 
know (off the top of my head) which production clients we recommend.

Of course, for the best security the EAP-POTP method is our 
recommended authentication protocol.
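
The exchange described in the message above, sketched as an added example that is not part of the original post or of any RSA or FreeRADIUS code. Attribute dicts stand in for wire encoding; the stub server, shared secret, tokencodes and Reply-Message text are constructed, and the State echo and the cap on challenge rounds follow RFC 2865 rather than the post.

```python
import hashlib, os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
SECRET = b"constructed-shared-secret"  # sample value, not from the post

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def stub_server(req):
    """Constructed stand-in for a server whose token is in Next Tokencode mode."""
    pw = unhide_password(req["User-Password"], SECRET, req["authenticator"])
    if req.get("State") == b"next-tokencode":
        return {"code": ACCESS_ACCEPT if pw == b"222222" else ACCESS_REJECT}
    if pw == b"111111":
        return {"code": ACCESS_CHALLENGE, "State": b"next-tokencode",
                "Reply-Message": "Wait for the tokencode to change, then enter it"}
    return {"code": ACCESS_REJECT}

def authenticate(user, first_password, prompt, send=stub_server, max_rounds=5):
    """Loop on Access-Challenge; prompt(text) returns the user's next response."""
    password, state = first_password, None
    for _ in range(max_rounds):  # bound the exchange so a server cannot loop us
        auth = os.urandom(16)    # fresh Request Authenticator for every request
        req = {"code": ACCESS_REQUEST, "User-Name": user, "authenticator": auth,
               "User-Password": hide_password(password.encode(), SECRET, auth)}
        if state is not None:
            req["State"] = state  # RFC 2865 5.24: echo State back unmodified
        reply = send(req)
        if reply["code"] != ACCESS_CHALLENGE:
            return reply["code"] == ACCESS_ACCEPT
        state, password = reply.get("State"), prompt(reply.get("Reply-Message", ""))
    return False

if __name__ == "__main__":
    print(authenticate("alice", "111111", lambda text: (print(text), "222222")[1]))
```

A client that ignores Access-Challenge or drops the State attribute fails here exactly as it would against a real server in Next Tokencode mode.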

