Two factor authentication to both LDAP directory and SecurID

Greg Vickers g.vickers at
Fri Feb 27 04:17:28 CET 2009

Hi Ivan,

tnt at wrote:
>>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>>> from users password and the token.It shouldn't be too difficult to
>>> create a perl script that does that.
>> Excellent!  So the username and tokencode/password is passed from the
>> NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>> extract the tokencode and password from the password field on the
>> FreeRADIUS server, right?
> Yes. But you say later that you won't be using clear text passwords. So,
> forget that. Instead script will be spliting the value passed in the
> User-Password field in the request.

I've talked to the group who run our FreeRADIUS server and using clear 
passwords in this case is fine.

>> This script would then present both sets of
>> credentials back to the FreeRADIUS server and they would then be
>> authenticated to their respective sources?
>> I take it that we cannot do this natively in FreeRADIUS without writing
>> such a script?
> No.
>>> You can have problems only id you insist that stored passwords should be
>>> encrypted. That can be sorted in reverse: you would split th
>>> User-Password from the request and create custom authentication script
>>> that would check both parts. But that will work only for pap requests.
>> I guess that we would prefer that the password is encrypted, we wouldn't
>> want the passwords to be able to be viewed by someone who had access to
>> the FreeRADIUS server.
> That would limit you to using pap authentication.

We use PAP authentication to authenticate to our directory, so no 
problems there.

>> Can you elaborate on 'custom auth script', does
>> this mean that such a script would have to talk directly to our LDAP
>> directory as well as the SecurID server?
> No.
>> I was hoping to have only the
>> FreeRADIUS server talking to our LDAP and SecurID servers.
> Yes, server can get those values and make them available to the auth
> script.

So I think what will happen is this:
- username/tokencode-password is passed from the Cisco ASA device
- this data is passed in cleartext to the script
   - script splits the username/tokencode and username/password
   - script proxies the u/tc via RADIUS to SecurID
   - script uses PAP to pass the u/p to out directory
     - script does these checks in sequence or concurrently
   - once both sets of credentials are accepted, an accept is passed 
back to the Cisco ASA device

Does this sound right?

Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J

More information about the Freeradius-Users mailing list