Two factor authentication to both LDAP directory and SecurID
g.vickers at qut.edu.au
Tue Feb 24 06:08:19 CET 2009
Firstly, this relates to a question asked for our project by Amy Hawke:
Since the above conversation, I've had an email discussion with Alan
DeKok and clarified a few things - it seems that what we want to do is
achievable with FreeRADIUS so I'd like to ask the list.
We have an existing LDAP directory which holds username and password
information. We purchased RSA's SecurID with the intention of
implementing a second factor of authentication to be used in conjunction
with our existing username and password. At the time, it was not
realised that the intention of SecurID is to replace your existing
source of authentication information - which will not be doing!
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.
What we want to do:
When a user attempts to access the VPN, have them provide their
username/password as well as (their same) username and tokencode from
their SecurID fob. It is OK if they provide the password and tokencode
separately or together. (I spoke to the folks at Radiator, and they
have a programming ability in their RADIUS server to chop up the
password field before it's authenticated, i.e. have the tokencode and
password provided in the same field at the client, then take the first
eight characters of the 'password' field, send that string plus the
username to SecurID via RADIUS, and the rest of the characters from the
'password' field and the username to our LDAP directory.) Ideally we
would prompt them for username, password and tokencode at the same time.
Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
solve our requirement?
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
More information about the Freeradius-Users