Two factor authentication to both LDAP directory and SecurID

tnt at tnt at
Fri Feb 27 12:37:11 CET 2009

>So I think what will happen is this:
>- username/tokencode-password is passed from the Cisco ASA device
>- this data is passed in cleartext to the script
>   - script splits the username/tokencode and username/password
>   - script proxies the u/tc via RADIUS to SecurID
>   - script uses PAP to pass the u/p to our directory
>     - script does these checks in sequence or concurrently
>   - once both sets of credentials are accepted, an accept is passed
>back to the Cisco ASA device
>Does this sound right?

Mostly. You will have to get the password from LDAP rather than send it
to it. And then check it in pre-proxy (save yourself a proxy if user/pass
don't match). This should work with PAP requests.

Ivan Kalik
Kalik Informatika ISP
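
The flow described in the reply above, sketched as an added example in Python (not code from the thread or from FreeRADIUS): the password half is checked locally against the value read from LDAP, and only then is the tokencode handed on for proxying. Assumptions: the tokencode is a fixed 6-digit prefix of the PAP password field, the LDAP value is either cleartext or {SSHA}, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

TOKENCODE_LEN = 6  # assumption: fixed-length numeric tokencode sent first


def split_credential(combined, tokencode_len=TOKENCODE_LEN):
    """Split the PAP password field into (tokencode, password), or None."""
    tokencode, password = combined[:tokencode_len], combined[tokencode_len:]
    if len(tokencode) != tokencode_len or not password:
        return None
    if not (tokencode.isascii() and tokencode.isdigit()):
        return None
    return tokencode, password


def check_ldap_password(password, stored):
    """Compare the cleartext password with the value retrieved from LDAP."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        if len(raw) <= 20:          # no salt present: malformed value
            return False
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    # Cleartext attribute: still compare in constant time.
    return hmac.compare_digest(password.encode(), stored.encode())


def pre_proxy_decision(combined, stored):
    """Return ("proxy", tokencode) only if the directory password matches."""
    parts = split_credential(combined)
    if parts is None:
        return ("reject", None)
    tokencode, password = parts
    if not check_ldap_password(password, stored):
        return ("reject", None)     # no RADIUS round trip to SecurID
    return ("proxy", tokencode)     # forward only the tokencode


def make_ssha(password, salt):
    """Build a constructed {SSHA} value for the sample run below."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    stored = make_ssha("s3cret-pw", b"saltsalt")   # constructed sample
    print(pre_proxy_decision("123456s3cret-pw", stored))
    print(pre_proxy_decision("123456wrong", stored))
```

The local comparison is only possible because PAP delivers the password in a form the server can read, which is why the reply limits this to PAP requests.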
