RADIUS PAP-SecurID Access-Challenge

Alan DeKok aland at deployingradius.com
Tue Nov 28 22:54:27 CET 2006

david at mitton.com wrote:

> If the RSA Authentication Manager, finds that the token is in New Pin 
> or Next Tokencode mode, it will issue an Access-Challenge message with 
> the Reply-Message attribute explaining the next step.
> The client is expected to display the text, and prompt the user, then 
> send another Access-Request with the response in the password 
> attribute.   This exchange can continue through several steps, until an 
> Access-Accepted or -Rejected is received.
> Only a few RADIUS test clients can actually deal with this.  I don't 
> know (off the top of my head) which production clients we recommend.

  The pam_radius_auth module on FreeRADIUS.org was written specifically
to deal with this situation.

> Of course, for the best security the EAP-POTP method is our 
> recommended authentication protocol.

  I don't suppose you have server code to contribute? :)

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

More information about the Freeradius-Users mailing list