Two factor authentication to both LDAP directory and SecurID
tnt at kalik.net
Tue Feb 24 11:56:48 CET 2009
>To pilot the SecurID product, we selected VPN access to a part of our
>network, protected by a Cisco ASA5500 series device. We are in the
>process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
>We know that MS IAS cannot do what we want to do.
>What we want to do:
>When a user attempts to access the VPN, have them provide their
>username/password as well as (their same) username and tokencode from
>their SecurID fob. It is OK if they provide the password and tokencode
>separately or together. (I spoke to the folks at Radiator, and they
>have a programming ability in their RADIUS server to chop up the
>password field before it's authenticated, i.e. have the tokencode and
>password provided in the same field at the client, then take the first
>eight characters of the 'password' field, send that string plus the
>username to SecurID via RADIUS, and the rest of the characters from the
>'password' field and the username to our LDAP directory.) Ideally we
>would prompt them for username, password and tokencode at the same time.
>Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
>we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
>solve our requirement?
Yes. There is no problem in composing Cleartext-Password "on the fly"
from the user's password and the token. It shouldn't be too difficult to
create a perl script that does that.
You can have problems only if you insist that stored passwords should be
encrypted. That can be sorted in reverse: you would split the
User-Password from the request and create a custom authentication script
that would check both parts. But that will work only for PAP requests.
Kalik Informatika ISP
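As an added example (not code from this thread or from the FreeRADIUS project), here is the "split the User-Password" variant from the reply as an rlm_perl authorize hook: it takes the first eight characters of User-Password as the SecurID tokencode and leaves the remainder as the LDAP password. It assumes the field layout the original poster described, a hypothetical local dictionary attribute named SecurID-Tokencode, and rlm_perl's standard %RAD_REQUEST hash and return codes.

```perl
# Added example: rlm_perl module that splits a combined "tokencode+password"
# User-Password into two attributes so later modules can check each part.
use strict;
use warnings;

# Hashes populated by rlm_perl with the request/check/reply attribute lists.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes (values as in the FreeRADIUS example module).
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
    RLM_MODULE_INVALID => 4,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# The poster's layout: first eight characters of the field are the tokencode.
use constant TOKENCODE_LEN => 8;

# Pure split rule, kept separate so it can be unit-tested outside the server.
# Returns (tokencode, password), or an empty list if the field cannot hold both
# or the tokencode part is not all digits (SecurID tokencodes are numeric).
sub split_credential {
    my ($combined) = @_;
    return unless defined $combined && length($combined) > TOKENCODE_LEN;
    my $token = substr($combined, 0, TOKENCODE_LEN);
    return unless $token =~ /^\d+$/;
    return ($token, substr($combined, TOKENCODE_LEN));
}

sub authorize {
    # Only PAP carries the cleartext User-Password; CHAP/MS-CHAP send a hash
    # of it, so there is nothing to split (the "PAP only" caveat in the reply).
    return RLM_MODULE_NOOP unless exists $RAD_REQUEST{'User-Password'};

    my ($token, $password) = split_credential($RAD_REQUEST{'User-Password'});
    return RLM_MODULE_REJECT unless defined $token;

    # Hypothetical local attribute: must be defined in the dictionary before use.
    $RAD_REQUEST{'SecurID-Tokencode'} = $token;
    # Remaining characters stay in User-Password for the LDAP check.
    $RAD_REQUEST{'User-Password'}     = $password;
    return RLM_MODULE_UPDATED;
}

1;
```

With the two attributes separated, the tokencode can be forwarded to the SecurID RADIUS server and the rest of the field checked against LDAP, which is the flow the original poster asked for.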