Two factor authentication to both LDAP directory and SecurID
Greg Vickers
g.vickers at qut.edu.au
Tue Feb 24 06:08:19 CET 2009
Hi all,
Firstly, this relates to a question asked for our project by Amy Hawke:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-January/msg00617.html
Since the above conversation, I've had an email discussion with Alan
DeKok and clarified a few things - it seems that what we want to do is
achievable with FreeRADIUS so I'd like to ask the list.
Situation:
We have an existing LDAP directory which holds username and password
information. We purchased RSA's SecurID with the intention of
implementing a second factor of authentication to be used in conjunction
with our existing username and password. At the time, it was not
realised that the intention of SecurID is to replace your existing
source of authentication information - which we will not be doing!
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.
What we want to do:
When a user attempts to access the VPN, have them provide their
username/password as well as (their same) username and tokencode from
their SecurID fob. It is OK if they provide the password and tokencode
separately or together. (I spoke to the folks at Radiator, and they
have a programming ability in their RADIUS server to chop up the
password field before it's authenticated, i.e. have the tokencode and
password provided in the same field at the client, then take the first
eight characters of the 'password' field, send that string plus the
username to SecurID via RADIUS, and the rest of the characters from the
'password' field and the username to our LDAP directory.) Ideally we
would prompt them for username, password and tokencode at the same time.
Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
solve our requirement?
Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
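The two server-side designs discussed in this post, as an added illustration that is not part of the original message or of any FreeRADIUS/Radiator code: the Radiator-style split of a combined field (first eight characters to SecurID, the rest to LDAP) and the Access-Challenge two-step flow. The backends, usernames and secrets are constructed stubs standing in for the real LDAP and SecurID lookups.

```python
"""Policy logic for password+tokencode two-factor checks (constructed example)."""
import hmac
import secrets

TOKENCODE_LEN = 8  # SecurID tokencode length assumed in the post

# Constructed stub backends; a real server would query LDAP and SecurID here.
LDAP_USERS = {"alice": "s3cretPa55"}
SECURID_TOKENS = {"alice": "12345678"}


def ldap_check(user, password):
    expected = LDAP_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def securid_check(user, tokencode):
    expected = SECURID_TOKENS.get(user)
    return expected is not None and hmac.compare_digest(expected, tokencode)


def split_combined(field):
    """Radiator-style split: first eight chars are the tokencode, rest is the password."""
    if len(field) <= TOKENCODE_LEN:
        return None  # nothing left for the password: fail closed
    return field[:TOKENCODE_LEN], field[TOKENCODE_LEN:]


def authenticate_combined(user, field):
    """Single-prompt mode: both factors must pass; the reply does not say which failed."""
    parts = split_combined(field)
    if parts is None:
        return "Access-Reject"
    tokencode, password = parts
    ok = ldap_check(user, password) & securid_check(user, tokencode)
    return "Access-Accept" if ok else "Access-Reject"


PENDING = {}  # State value -> user awaiting a tokencode (constructed, in-memory)


def handle_request(user, password=None, state=None, tokencode=None):
    """Two-step mode: password first, then an Access-Challenge for the tokencode."""
    if state is None:
        if not ldap_check(user, password or ""):
            return {"code": "Access-Reject"}
        new_state = secrets.token_hex(16)  # unguessable, bound to this user
        PENDING[new_state] = user
        return {"code": "Access-Challenge", "State": new_state,
                "Reply-Message": "Enter SecurID tokencode"}
    pending_user = PENDING.pop(state, None)  # a State value is usable once
    if pending_user != user or not securid_check(user, tokencode or ""):
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept"}
```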