Two factor authentication to both LDAP directory and SecurID
tnt at kalik.net
Wed Feb 25 03:57:23 CET 2009
>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>> from the user's password and the token. It shouldn't be too difficult to
>> create a perl script that does that.
>
>Excellent! So the username and tokencode/password is passed from the
>NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>extract the tokencode and password from the password field on the
>FreeRADIUS server, right?
Yes. But you say later that you won't be using clear text passwords. So,
forget that. Instead, the script will be splitting the value passed in the
User-Password field of the request.
>This script would then present both sets of
>credentials back to the FreeRADIUS server and they would then be
>authenticated to their respective sources?
>
>I take it that we cannot do this natively in FreeRADIUS without writing
>such a script?
>
No.
>> You can have problems only if you insist that stored passwords should be
>> encrypted. That can be sorted in reverse: you would split the
>> User-Password from the request and create a custom authentication script
>> that would check both parts. But that will work only for pap requests.
>
>I guess that we would prefer that the password is encrypted, we wouldn't
>want the passwords to be able to be viewed by someone who had access to
>the FreeRADIUS server.
That would limit you to using pap authentication.
>Can you elaborate on 'custom auth script', does
>this mean that such a script would have to talk directly to our LDAP
>directory as well as the SecurID server?
No.
>I was hoping to have only the
>FreeRADIUS server talking to our LDAP and SecurID servers.
>
Yes, server can get those values and make them available to the auth
script.
Ivan Kalik
Kalik Informatika ISP
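An added example, not from the thread, of the splitting step Ivan describes: an rlm_perl authorize hook (the hook name, the %RAD_* hashes and the return codes follow raddb/example.pl) that takes a PAP User-Password of the form <LDAP password><tokencode>, puts the LDAP part back into User-Password for the directory check and stashes the tokencode in the internal Tmp-String-0 attribute for the SecurID check. It assumes a 6-digit tokencode appended after the password; split_credentials and TOKEN_LEN are names chosen here.

```perl
# Added example: rlm_perl hook splitting "<ldap password><tokencode>".
# Assumption: the tokencode is the trailing 6 digits of User-Password.
use strict;
use warnings;

# Return codes as used by rlm_perl (see raddb/example.pl)
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};
use constant TOKEN_LEN => 6;   # assumption: 6-digit tokencode

# Filled in by rlm_perl for every request
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Returns (ldap_password, tokencode), or an empty list if the value
# is too short or the trailing part is not all digits.
sub split_credentials {
    my ($combined) = @_;
    my $n = TOKEN_LEN;
    return () unless defined $combined && length($combined) > $n;
    my $pw    = substr($combined, 0, length($combined) - $n);
    my $token = substr($combined, length($combined) - $n);
    return () unless $token =~ /^\d+$/;
    return ($pw, $token);
}

sub authorize {
    # Only PAP requests carry a User-Password we can split; anything
    # else (e.g. MS-CHAP) is left untouched, as the thread notes.
    return RLM_MODULE_NOOP unless exists $RAD_REQUEST{'User-Password'};

    my ($pw, $token) = split_credentials($RAD_REQUEST{'User-Password'});
    unless (defined $pw) {
        $RAD_REPLY{'Reply-Message'} = 'Malformed password+tokencode';
        return RLM_MODULE_REJECT;
    }
    $RAD_REQUEST{'User-Password'} = $pw;     # static part for the LDAP check
    $RAD_REQUEST{'Tmp-String-0'}  = $token;  # tokencode for the SecurID check
    return RLM_MODULE_UPDATED;
}

1;
```

Wire it in as a `perl` module instance called from the authorize section before ldap, so the directory check sees only the static part of the password.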