RSASecurid and PEAP

David Mitton david at mitton.com
Wed Nov 26 16:21:32 CET 2008


I should know better than to ask "what are you thinking?", but let me attempt to explain.

The RSA SecurID RADIUS server can authenticate plain text OTPs inside of PEAP
(or if you load our EAP client, use SecurID-EAP or Protected-OTP)

FreeRADIUS should have no problem proxying that.
But as Alan points out, EAP & RADIUS don't work the way you want.

The EAP authentication is end-to-end. The RADIUS server itself doesn't know how the EAP method did its thing. It relays EAP messages as opaque blobs, and gets a success/failure indication (and the encryption keys) when it's done. To a certain extent so does the access point. APs should be able to support any EAP method that follows RFC 3748 message formats.

So you cannot alter this conversation without changing the EAP method protocol.
What piece of software on the client is going to respond to this challenge out of thin air?
PEAP on the client doesn't work that way.

Dave.


On Nov 26, 2008, aland at deployingradius.com wrote:


Paul TAVERNIER wrote:
>     1) I want to authorize/authenticate a user with a couple
> username/OTPpassword (RSASecurid) through a Freeradius server (I proxy
> the access-request to a RSARadius-Securid server). It's ok.

 What do you mean "It's OK"?  Have you tested this with
cleartext-passwords, MS-CHAP, PEAP, or ...?

>     2) (then, if I get an Access-Accept) (in a post-proxy section?) I want
> to initiate an EAP Challenge between my XP-Wireless-supplicant client
> and FREERADIUS (not the RSA radius)...

 That's not how EAP works.  The supplicant and NAS control how the
protocol works, and you can't change things on the RADIUS server.


>     Can i configure something like that

 No.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
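The following is an added example, not code from the thread, from RSA, or from FreeRADIUS. It shows concretely what Dave means by "relays EAP messages as opaque blobs": a RADIUS proxy reassembles the EAP packet from the EAP-Message attributes (type 79), checks the Message-Authenticator (type 80) that RFC 3579 requires on any Access-Request carrying EAP, and can read only the outer EAP header (code, identifier, type). The PEAP type-data is a blob it forwards unchanged; it has no state in the TLS tunnel and no way to inject a challenge the supplicant would answer. The packet, the shared secret `testing123`, the user name `paul` and the 600 filler octets standing in for a TLS record are all constructed for this example; the function names are this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and EAP codes/types (RFC 3748)
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_ACCESS_REQUEST = 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP"}  # only the outer types this example names
MAX_ATTR_VALUE = 253  # the 8-bit attribute length counts the 2-octet header


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS TLV form."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > MAX_ATTR_VALUE:
            raise ValueError("attribute value too long; split it first")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def split_eap_message(eap_packet):
    """An EAP packet longer than 253 octets travels in several consecutive
    EAP-Message attributes; the receiver concatenates them in order (RFC 3579 3.1)."""
    return [(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
            for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Access-Request with a Message-Authenticator: HMAC-MD5(secret) over the
    whole packet with the attribute's 16 value octets zeroed (RFC 3579 3.2)."""
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    pkt = bytearray(struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body)))
    pkt += request_authenticator + body
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()  # MA was appended last
    return bytes(pkt)


def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-octet header."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    off = 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed attribute")
        yield off, t, pkt[off + 2:off + l]
        off += l


def verify_message_authenticator(pkt, secret):
    """True only if a Message-Authenticator is present and matches. RFC 3579
    says an Access-Request carrying EAP-Message without one is silently discarded."""
    for off, t, v in parse_attrs(pkt):
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
    return False


def outer_eap_view(pkt):
    """Everything the RADIUS layer can see of the EAP conversation: code,
    identifier and outer type. The type-data (here the PEAP TLS payload) is
    an opaque blob that is relayed, never interpreted."""
    eap = b"".join(v for _, t, v in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no EAP-Message in packet")
    code, identifier, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled payload")
    view = {"code": EAP_CODES.get(code, code), "id": identifier, "type": None, "opaque_len": 0}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type octet
        view["type"] = EAP_TYPES.get(eap[4], eap[4])
        view["opaque_len"] = length - 5
    return view


def proxy_check(pkt, secret):
    """What the proxying RADIUS server does with the request: check integrity,
    look at the outer EAP header, count the fragments it will forward unchanged.
    Returns None for a packet it must drop."""
    if not verify_message_authenticator(pkt, secret):
        return None
    view = outer_eap_view(pkt)
    view["fragments"] = sum(1 for _, t, _ in parse_attrs(pkt) if t == ATTR_EAP_MESSAGE)
    return view


# Constructed sample (not a capture): EAP-Response/PEAP from the supplicant with
# 600 filler octets where a TLS record would be, so it spans three EAP-Message attributes.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 random octets
PEAP_BLOB = bytes([0xA5]) * 600
EAP_RESPONSE_PEAP = struct.pack("!BBHB", 2, 7, 5 + len(PEAP_BLOB), 25) + PEAP_BLOB
SAMPLE_REQUEST = build_access_request(
    42, REQUEST_AUTHENTICATOR,
    [(ATTR_USER_NAME, b"paul")] + split_eap_message(EAP_RESPONSE_PEAP), SECRET)

if __name__ == "__main__":
    print(proxy_check(SAMPLE_REQUEST, SECRET))
    tampered = bytearray(SAMPLE_REQUEST)
    tampered[60] ^= 0x01  # one flipped octet inside the blob fails the Message-Authenticator
    print(proxy_check(bytes(tampered), SECRET))
```

Note that Message-Authenticator is hop-by-hop (each proxy re-signs toward the next server with its own shared secret); it protects the transport of the blob, not its meaning. The end-to-end protection Dave describes comes from the EAP method itself, which is why nothing a RADIUS server does with the outer packet can start a new challenge the supplicant's PEAP state machine would accept.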