Two factor authentication to both LDAP directory and SecurID

Greg Vickers g.vickers at qut.edu.au
Wed Mar 4 03:08:06 CET 2009


Hi Ivan,

tnt at kalik.net wrote:
>> So I think what will happen is this:
>> - username/tokencode-password is passed from the Cisco ASA device
>> - this data is passed in cleartext to the script
>>   - script splits the username/tokencode and username/password
>>   - script proxies the u/tc via RADIUS to SecurID
>>   - script uses PAP to pass the u/p to our directory
>>     - script does these checks in sequence or concurrently
>>   - once both sets of credentials are accepted, an accept is passed
>> back to the Cisco ASA device
>>
>> Does this sound right?
> 
> Mostly. You will have to get the password from ldap rather than send it
> to it. And then check it in pre-proxy (save yourself a proxy if user/pass
> don't match). This should work with pap requests.

Ah, thank you!  Apologies for the (to you) obvious problems in my
questions and statements, I've never done any RADIUS or LDAP
configuration before.

Cheers,
-- 
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
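One way to express Ivan's suggestion in FreeRADIUS 2.x unlang (the `authorize` and `pre-proxy` sections of `sites-enabled/default`), as an added example that is not from this thread or from the FreeRADIUS project. It assumes the ASA sends a single User-Password made of the directory password followed by a six-digit tokencode, that the `ldap` module already populates `control:Cleartext-Password` from the directory, that a realm named `securid` pointing at the SecurID server is defined in `proxy.conf`, and that a `reject` in `pre-proxy` stops the request from being proxied and answers the ASA with an Access-Reject.

```unlang
# Constructed example: User-Password = "<directory password><6-digit tokencode>"
authorize {
    preprocess

    # Split the composite credential. The six trailing digits are assumed to be
    # the tokencode; everything before them is the directory password.
    if (User-Password =~ /^(.+)([0-9]{6})$/) {
        update request {
            Tmp-String-0 := "%{1}"   # directory password
            Tmp-String-1 := "%{2}"   # SecurID tokencode
        }
    }
    else {
        reject
    }

    # ldap looks the user up and (assumed) sets control:Cleartext-Password
    # from the directory entry; the server never sends the password to LDAP.
    ldap

    # Hand the request to the SecurID realm (assumed name, defined in proxy.conf).
    update control {
        Proxy-To-Realm := "securid"
    }
}

pre-proxy {
    # Check the directory password locally before anything is proxied, so a
    # wrong password never reaches SecurID and cannot consume tokencodes or
    # lock the token. Reject if the directory returned no password at all.
    if (!control:Cleartext-Password) {
        reject
    }
    if ("%{Tmp-String-0}" != "%{control:Cleartext-Password}") {
        reject
    }

    # Forward only the tokencode; the directory password stays on this server.
    update proxy-request {
        User-Password := "%{Tmp-String-1}"
    }
}
```

Because the ASA uses PAP, the composite password travels to FreeRADIUS in RADIUS's reversible shared-secret obfuscation only, so the ASA-to-RADIUS path should stay on a trusted network segment.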

More information about the Freeradius-Users mailing list