Two factor authentication to both LDAP directory and SecurID

tnt at kalik.net tnt at kalik.net
Tue Feb 24 11:56:48 CET 2009


>Scenario:
>To pilot the SecurID product, we selected VPN access to a part of our
>network, protected by a Cisco ASA5500 series device.  We are in the
>process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
>We know that MS IAS cannot do what we want to do.
>
>What we want to do:
>When a user attempts to access the VPN, have them provide their
>username/password as well as (their same) username and tokencode from
>their SecurID fob.  It is OK if they provide the password and tokencode
>separately or together.  (I spoke to the folks at Radiator, and they
>have a programming ability in their RADIUS server to chop up the
>password field before it's authenticated, i.e. have the tokencode and
>password provided in the same field at the client, then take the first
>eight characters of the 'password' field, send that string plus the
>username to SecurID via RADIUS, and the rest of the characters from the
>'password' field and the username to our LDAP directory.)  Ideally we
>would prompt them for username, password and tokencode at the same time.
>
>Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
>we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
>solve our requirement?

Yes. There is no problem in composing Cleartext-Password "on the fly"
from users password and the token.It shouldn't be too difficult to
create a perl script that does that.

You can have problems only id you insist that stored passwords should be
encrypted. That can be sorted in reverse: you would split th
User-Password from the request and create custom authentication script
that would check both parts. But that will work only for pap requests.

Ivan Kalik
Kalik Informatika ISP




More information about the Freeradius-Users mailing list