RADIUS PAP-SecurID Access-Challenge
Alan DeKok
aland at deployingradius.com
Tue Nov 28 22:54:27 CET 2006

david at mitton.com wrote:
> If the RSA Authentication Manager finds that the token is in New Pin
> or Next Tokencode mode, it will issue an Access-Challenge message with
> the Reply-Message attribute explaining the next step.
> The client is expected to display the text, and prompt the user, then
> send another Access-Request with the response in the password
> attribute. This exchange can continue through several steps, until an
> Access-Accepted or -Rejected is received.
>
> Only a few RADIUS test clients can actually deal with this. I don't
> know (off the top of my head) which production clients we recommend.

The pam_radius_auth module on FreeRADIUS.org was written specifically
to deal with this situation.

> Of course, for the best security the EAP-POTP method is our
> recommended authentication protocol.

I don't suppose you have server code to contribute? :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
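
The Access-Challenge exchange described in the quoted message, as an added example that is not part of the original post and is not FreeRADIUS, pam_radius_auth or RSA code. It is an offline simulation using plain dictionaries: `MockTokenServer`, `authenticate`, `same` and `MAX_ROUNDS` are hypothetical names, the New PIN prompts are constructed, and echoing the State attribute back in the follow-up Access-Request follows RFC 2865.

```python
# Constructed simulation: no network and no real RADIUS library. Packet and
# attribute names follow RFC 2865; the server logic is a hypothetical stand-in.
import secrets

MAX_ROUNDS = 5  # assumption: client-side cap so endless challenges fail closed

def same(a, b):
    return secrets.compare_digest(a.encode(), b.encode())

class MockTokenServer:
    """Hypothetical stand-in for a token server whose token is in New PIN mode."""
    def __init__(self, passcode):
        self.passcode = passcode
        self.pending = {}  # State value -> (step, data remembered for that step)

    def handle(self, request):
        state, answer = request.get("State"), request["User-Password"]
        if state is None:  # first Access-Request of the conversation
            if not same(answer, self.passcode):
                return {"code": "Access-Reject"}
            return self._challenge("new_pin", None, "Enter a new PIN:")
        step, data = self.pending.pop(state, (None, None))  # State is single-use
        if step == "new_pin":
            return self._challenge("confirm", answer, "Re-enter the new PIN:")
        if step == "confirm" and same(answer, data):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}

    def _challenge(self, step, data, text):
        state = secrets.token_hex(8)
        self.pending[state] = (step, data)
        return {"code": "Access-Challenge", "Reply-Message": text, "State": state}

def authenticate(server, user, password, prompt):
    """Client loop: show Reply-Message, send the answer as User-Password, echo State."""
    request = {"User-Name": user, "User-Password": password}
    codes = []
    for _ in range(MAX_ROUNDS):
        reply = server.handle(request)
        codes.append(reply["code"])
        if reply["code"] != "Access-Challenge":
            return reply["code"], codes
        answer = prompt(reply.get("Reply-Message", ""))
        request = {"User-Name": user, "User-Password": answer}
        if "State" in reply:
            request["State"] = reply["State"]
    return "Access-Reject", codes  # too many challenges: treat as a failure
```
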