RADIUS PAP-SecurID Access-Challenge
david at mitton.com
Tue Nov 28 18:29:43 CET 2006
I'm sorry,
The other day I said that there is nothing "unusual" about SecurID
RADIUS authentication. I'm so used to EAP, I forgot about the PAP auth
with a SecurID value as a password.
If the RSA Authentication Manager finds that the token is in New Pin
or Next Tokencode mode, it will issue an Access-Challenge message with
the Reply-Message attribute explaining the next step.
The client is expected to display the text, and prompt the user, then
send another Access-Request with the response in the password
attribute. This exchange can continue through several steps, until an
Access-Accepted or -Rejected is received.
Only a few RADIUS test clients can actually deal with this. I don't
know (off the top of my head) which production clients we recommend.
Of course, for the best security the EAP-POTP method is our
recommended authentication protocol.
Dave.