Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
"michael böhm"
ksk2 at gmx.net
Mon Dec 3 14:00:56 CET 2018
Hi Alan
we've decided to use the Radius-interface of the SecurID-server and not
the proprietary protocol.
Now I need unlang to make the access decision:
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
ACCEPT to NAS
I tried it like that in the authorize-section but it did not work:
filter_username
preprocess
# %{1} = ldap-password
# %{2} = Token
if (User-Password =~ /^(.+)([0-9]{6})$/) {
    update request {
        User-Password := "%{2}"
    }
    update control {
        Proxy-To-Realm := "securid"
    }
    update request {
        User-Password := "%{1}"
    }
    ldap
}
pap
The proxying itself is working fine but not the correlation of the two
results.
Could you please give me a minimal example of how to create this
and-logic in unlang?
Thanks and best wishes
Michael
Sent: Friday, 30 November 2018 at 16:26
From: "Alan DeKok" <aland at deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
On Nov 30, 2018, at 10:24 AM, michael böhm <ksk2 at gmx.net> wrote:
> Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
> some that are Radius-only.
It means that *FreeRADIUS* can do TACACS+.
> I did not find the rlm_securid-module in my installation.
It isn't included with any pre-built packages.
> Do I have to
> compile it myself?
Yes.
> Is there a documentation somewhere? Does the module
> use the proprietary protocol from RSA or Radius?
It links to the SecurID libraries. It's documented in
src/modules/rlm_securid/ in the source tree.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
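
Added example, not part of the original thread and not FreeRADIUS configuration: a Python model of the AND decision asked about above, using the regular expression from the post to split the combined input. The function names and the check_ldap / check_token callables are assumptions standing in for the LDAP check and the proxied SecurID request.

```python
import re

# Regex taken from the post: group 1 = LDAP password, group 2 = 6-digit token.
SPLIT_RE = re.compile(r"^(.+)([0-9]{6})$")


def split_credential(user_password):
    """Return (ldap_password, token), or None when the input cannot be split."""
    # fullmatch() so a trailing newline cannot slip past the '$' anchor.
    m = SPLIT_RE.fullmatch(user_password)
    return (m.group(1), m.group(2)) if m else None


def _passed(check, secret):
    """True only for an explicit True; errors and timeouts count as failure."""
    try:
        return check(secret) is True
    except Exception:
        return False


def decide(user_password, check_ldap, check_token):
    """Accept only when BOTH back ends accept; everything else is a reject.

    check_ldap and check_token are hypothetical callables (assumptions).
    """
    parts = split_credential(user_password)
    if parts is None:
        return "reject"  # no token present in the input: fail closed
    ldap_password, token = parts
    # Ask both back ends before deciding, so the answer does not depend on
    # which of the two factors was wrong.
    ldap_ok = _passed(check_ldap, ldap_password)
    token_ok = _passed(check_token, token)
    return "accept" if ldap_ok and token_ok else "reject"
```

An LDAP password that itself ends in digits still splits correctly, because only the last six digits are taken as the token; an input with fewer than seven characters never reaches either back end.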