Aw: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm" ksk2 at
Tue Dec 4 13:37:08 CET 2018

   Hi Alan,

   this seems to do exactly what we want:

           # In any case: check the LDAP and local user-file first

           # Case 1: No script-user -> 2FA
           if(User-Name !~ /^sc_.+$/) {
                   # Case 1.1: LDAP-PW + Token
                   if(User-Password =~ /^(.+)([0-9]{6})$/) {
                           # LDAP-password in %{1}
                           # Token in %{2}
                           update request {
                                   User-Password := "%{1}"
                           # Check password and reject if incorrect
                           update request {
                                   User-Password := "%{2}"
                           # Proxy the request to the SecurID-server
                           update control {
                                   Proxy-To-Realm := "securid"
                   # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
                   elsif(State && User-Password =~ /^([0-9]{6})$/) {
                           update control {
                                   Proxy-To-Realm := "securid"
           # Case 2: script-user
           else {

   Is my elsif(State ...)-statement a robust way to check if this packet
   belongs to a challenge-response of this exact user? I want to avoid
   situations where a user might be able to authenticate with just a Token
   and no password.

   We are testing the configuration now. Thank you very much for your

   I'll check back in a few weeks regarding the password change / TACACS+
   feature I asked for in my initial mail. For the moment we'll do the
   password changes via a web-interface for the LDAP which is fine.

   Best wishes


   Gesendet: Montag, 03. Dezember 2018 um 19:43 Uhr
   Von: "Alan DeKok" <aland at>
   An: "FreeRadius users mailing list"
   <freeradius-users at>
   Betreff: Re: FreeRADIUS, OpenLDAP password change and RSA SecurID
   On Dec 3, 2018, at 9:37 AM, michael böhm <ksk2 at> wrote:
   > with your hints I managed to get this running:
   That's good.
   > I get the error in freeradius -X:
   > (2) Found Auth-Type = PAP
   > (2) Found Auth-Type = Accept
   > (2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
   > Can I ignore this?
   Yes. If you upgrade to 3.0.17, the message will go away.
   > Only one more problem is to solve:
   > In post-auth we have a Perl-script that relies on the groups that
   > from LDAP to make user rights decisions. When we are in
   > (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
   > to the Perl script.
   > Is there a way to tell freeradius to cache the LDAP-groups from the
   > last request for case 1.1 and use them in 1.2?
   You can cache LDAP groups in the session-state list. But they're only
   cached for a series of challenge/ response packets.
   Alan DeKok.
   List info/subscribe/unsubscribe? See



More information about the Freeradius-Users mailing list