FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok aland at
Mon Dec 3 19:43:38 CET 2018

On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2 at> wrote:
>   with your hints I managed to get this running:

  That's good.

>   I get the error in freeradius -X:
>   (2) Found Auth-Type = PAP
>   (2) Found Auth-Type = Accept
>   (2) ERROR: Warning:  Found 2 auth-types on request for user '<user>'
>   Can I ignore this?

  Yes.  If you upgrade to 3.0.17, the message will go away.

>   Only one more problem is to solve:
>   In post-auth we have a Perl-script that relies on the groups that come
>   from LDAP to make user rights decisions. When we are in Next-Token-Mode
>   (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
>   to the Perl script.


>   Is there a way to tell freeradius to cache the LDAP-groups from the
>   last request for case 1.1 and use them in 1.2?

  You can cache LDAP groups in the session-state list.  But they're only cached for a series of challenge/ response packets.

  Alan DeKok.

More information about the Freeradius-Users mailing list