Two factor authentication to both LDAP directory and SecurID
g.vickers at qut.edu.au
Fri Feb 27 04:17:28 CET 2009
tnt at kalik.net wrote:
>>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>>> from users password and the token.It shouldn't be too difficult to
>>> create a perl script that does that.
>> Excellent! So the username and tokencode/password is passed from the
>> NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>> extract the tokencode and password from the password field on the
>> FreeRADIUS server, right?
> Yes. But you say later that you won't be using clear text passwords. So,
> forget that. Instead script will be spliting the value passed in the
> User-Password field in the request.
I've talked to the group who run our FreeRADIUS server and using clear
passwords in this case is fine.
>> This script would then present both sets of
>> credentials back to the FreeRADIUS server and they would then be
>> authenticated to their respective sources?
>> I take it that we cannot do this natively in FreeRADIUS without writing
>> such a script?
>>> You can have problems only id you insist that stored passwords should be
>>> encrypted. That can be sorted in reverse: you would split th
>>> User-Password from the request and create custom authentication script
>>> that would check both parts. But that will work only for pap requests.
>> I guess that we would prefer that the password is encrypted, we wouldn't
>> want the passwords to be able to be viewed by someone who had access to
>> the FreeRADIUS server.
> That would limit you to using pap authentication.
We use PAP authentication to authenticate to our directory, so no
>> Can you elaborate on 'custom auth script', does
>> this mean that such a script would have to talk directly to our LDAP
>> directory as well as the SecurID server?
>> I was hoping to have only the
>> FreeRADIUS server talking to our LDAP and SecurID servers.
> Yes, server can get those values and make them available to the auth
So I think what will happen is this:
- username/tokencode-password is passed from the Cisco ASA device
- this data is passed in cleartext to the script
- script splits the username/tokencode and username/password
- script proxies the u/tc via RADIUS to SecurID
- script uses PAP to pass the u/p to out directory
- script does these checks in sequence or concurrently
- once both sets of credentials are accepted, an accept is passed
back to the Cisco ASA device
Does this sound right?
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
More information about the Freeradius-Users