Access-Challenge authentication via both LDAP and SecurID

Amy Hawke a_hawke at hotmail.com
Wed Jan 28 05:35:40 CET 2009


Both the LDAP authentication and proxying to RSA are working properly.  To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP.
 

        if(NAS-IP-Address == 10.0.0.1){
                update control{
                        Response-Packet-Type := Access-Challenge
                }
                updated
        }
 
After the authentication is performed, further attributes have been added.

        if(NAS-IP-Address == 10.0.0.1){
                update reply{
                        Packet-Type := Access-Challenge
                        State := 1
                        Reply-Message := "Token Code"
                }

                ok
        }

This gives the following reply.

        Packet-Type = Access-Accept
        Packet-Type = Access-Challenge
        State = 0x31
        Reply-Message = "Token Code"

The following is the debug output:
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    users: Matched entry DEFAULT at line 193
++[files] returns ok
++? if (NAS-IP-Address == 10.0.0.1)
? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 10.0.0.1)
+++[control] returns ok
+++[updated] returns updated
++- if (NAS-IP-Address == 10.0.0.1) returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bob
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bob)
        expand: ou=people,...-> ou=people,...
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,..., with filter (uid=bob)
rlm_ldap: Added the eDirectory password password00 in check items as Cleartext-Password
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute eduPersonPrincipalName as RADIUS attribute Principal-Name == "bob"
rlm_ldap: LDAP attribute ...
rlm_ldap: LDAP attribute ...
rlm_ldap: LDAP attribute ...
rlm_ldap: LDAP attribute ...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user bob authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0

++[ldap] returns ok
++? if (NAS-IP-Address == 10.0.0.1)
? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
++- entering if (NAS-IP-Address == 10.0.0.1)
+++[reply] returns ok
+++[ok] returns ok
++- if (NAS-IP-Address == 10.0.0.1) returns ok
++[expiration] returns noop
++[logintime] returns noop


Can the Access-Accept be changed to an Access-Challenge?
 
Thanks
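As an added example (not from the original post or from FreeRADIUS itself), here is a small Python encoder for the Access-Challenge the post is trying to produce, built to RFC 2865: code 11, State (type 24) and Reply-Message (type 18) as attributes, and a Response Authenticator computed over the request authenticator; it also shows the NAS-side check of that authenticator and the server-side check that the NAS echoes the State in its follow-up Access-Request, which is what ties the token code to the first round. The identifier, shared secret and sample values are constructed; State "1" is used because `State := 1` in the post produced 0x31, the ASCII string "1".

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS packet codes, RFC 2865 section 3
REPLY_MESSAGE, STATE = 18, 24               # attribute types, RFC 2865 sections 5.18 and 5.24

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length including the header."""
    out = b""
    for typ, val in attrs:
        if not 0 < len(val) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, 2 + len(val)) + val
    return out

def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_access_challenge(ident, request_auth, secret, state, message):
    """Access-Challenge (code 11) with State and Reply-Message, RFC 2865 section 4.4.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    the identifier and RequestAuth are copied from the Access-Request being answered."""
    attrs = encode_attrs([(STATE, state), (REPLY_MESSAGE, message)])
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def response_authenticator_ok(pkt, request_auth, secret):
    """The NAS-side check: recompute the Response Authenticator before trusting the reply."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)

def challenge_state_echoed(challenge, followup_request):
    """RFC 2865 section 5.24: the NAS must send the challenge's State back unmodified in
    the next Access-Request; the server uses it to pair the token code with round one."""
    code, _, length = struct.unpack("!BBH", followup_request[:4])
    if code != ACCESS_REQUEST or length != len(followup_request):
        return False
    want = dict(decode_attrs(challenge[20:])).get(STATE)
    got = dict(decode_attrs(followup_request[20:])).get(STATE)
    return want is not None and got == want
```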