Two factor authentication to both LDAP directory and SecurID
tnt at kalik.net
tnt at kalik.net
Wed Feb 25 03:57:23 CET 2009
>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>> from users password and the token.It shouldn't be too difficult to
>> create a perl script that does that.
>Excellent! So the username and tokencode/password is passed from the
>NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>extract the tokencode and password from the password field on the
>FreeRADIUS server, right?
Yes. But you say later that you won't be using clear text passwords. So,
forget that. Instead script will be spliting the value passed in the
User-Password field in the request.
>This script would then present both sets of
>credentials back to the FreeRADIUS server and they would then be
>authenticated to their respective sources?
>I take it that we cannot do this natively in FreeRADIUS without writing
>such a script?
>> You can have problems only id you insist that stored passwords should be
>> encrypted. That can be sorted in reverse: you would split th
>> User-Password from the request and create custom authentication script
>> that would check both parts. But that will work only for pap requests.
>I guess that we would prefer that the password is encrypted, we wouldn't
>want the passwords to be able to be viewed by someone who had access to
>the FreeRADIUS server.
That would limit you to using pap authentication.
>Can you elaborate on 'custom auth script', does
>this mean that such a script would have to talk directly to our LDAP
>directory as well as the SecurID server?
>I was hoping to have only the
>FreeRADIUS server talking to our LDAP and SecurID servers.
Yes, server can get those values and make them available to the auth
Kalik Informatika ISP
More information about the Freeradius-Users