Two factor authentication to both LDAP directory and SecurID

tnt at tnt at
Wed Feb 25 03:57:23 CET 2009

>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>> from users password and the token. It shouldn't be too difficult to
>> create a perl script that does that.
>Excellent!  So the username and tokencode/password is passed from the
>NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>extract the tokencode and password from the password field on the
>FreeRADIUS server, right?

Yes. But you say later that you won't be using clear text passwords. So,
forget that. Instead the script will be splitting the value passed in the
User-Password field in the request.

>This script would then present both sets of
>credentials back to the FreeRADIUS server and they would then be
>authenticated to their respective sources?
>I take it that we cannot do this natively in FreeRADIUS without writing
>such a script?


>> You can have problems only if you insist that stored passwords should be
>> encrypted. That can be sorted in reverse: you would split the
>> User-Password from the request and create custom authentication script
>> that would check both parts. But that will work only for pap requests.
>I guess that we would prefer that the password is encrypted, we wouldn't
>want the passwords to be able to be viewed by someone who had access to
>the FreeRADIUS server.

That would limit you to using pap authentication.

>Can you elaborate on 'custom auth script', does
>this mean that such a script would have to talk directly to our LDAP
>directory as well as the SecurID server?


>I was hoping to have only the
>FreeRADIUS server talking to our LDAP and SecurID servers.

Yes, server can get those values and make them available to the auth

Ivan Kalik
Kalik Informatika ISP
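The splitting step discussed above, as an added example (not code from the thread or from the FreeRADIUS project): an rlm_perl "authorize" hook that cuts a PAP User-Password of the form password followed by tokencode into its two parts, so that a later ldap module checks the password part and whatever does the SecurID side reads the tokencode part. It assumes the tokencode is the last six digits, that the tokencode is handed on in the scratch attribute Tmp-String-0, and that the perl module is listed in the authorize section before ldap; none of those choices come from the original post.

```perl
# Added example, not from the thread: rlm_perl authorize hook that splits
# "<password><tokencode>" out of a PAP User-Password.
# Assumptions: tokencode = last TOKENCODE_LEN digits; tokencode is passed on
# in Tmp-String-0; this module runs in authorize before ldap.
use strict;
use warnings;

# rlm_perl exports these hashes into the script's namespace.
our (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY);

# Return codes as numbered in rlm_perl's example.pl.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Assumption: a six-digit tokencode. Adjust to the token type in use.
use constant TOKENCODE_LEN => 6;

# Split "<password><tokencode>" into its two parts. Returns an empty list
# when the value cannot be a valid combination (undefined, too short to
# hold a non-empty password, or a non-numeric suffix), so the caller can
# reject the request instead of guessing.
sub split_credential {
    my ($combined) = @_;
    return () unless defined $combined;
    my $len = length $combined;
    return () if $len <= TOKENCODE_LEN;        # password part must be non-empty
    my $password  = substr $combined, 0, $len - TOKENCODE_LEN;
    my $tokencode = substr $combined, $len - TOKENCODE_LEN;
    return () unless $tokencode =~ /\A[0-9]+\z/;  # tokencode is digits only
    return ($password, $tokencode);
}

sub authorize {
    # Only PAP carries the password in the clear; CHAP and MS-CHAP requests
    # have no User-Password to split, so leave them to other modules.
    return RLM_MODULE_NOOP unless exists $RAD_REQUEST{'User-Password'};

    my ($password, $tokencode) = split_credential($RAD_REQUEST{'User-Password'});
    unless (defined $tokencode) {
        my $user = $RAD_REQUEST{'User-Name'} || '?';
        # Log level 2 is L_AUTH in example.pl; never log the password itself.
        radiusd::radlog(2, "no valid tokencode suffix in credential for $user")
            if defined &radiusd::radlog;
        return RLM_MODULE_REJECT;
    }

    # ldap (bind as user) now sees only the static password ...
    $RAD_REQUEST{'User-Password'} = $password;
    # ... and the SecurID check reads the tokencode from here.
    $RAD_REQUEST{'Tmp-String-0'} = $tokencode;
    return RLM_MODULE_UPDATED;
}

1;
```

Returning RLM_MODULE_UPDATED is what makes rlm_perl copy the modified %RAD_REQUEST back into the request, so the rewritten User-Password is what ldap binds with. The `if defined &radiusd::radlog` guard only exists so that `split_credential` can be exercised from a plain `perl -e` outside radiusd; inside the server the function is always present.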
