FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok aland at
Tue Dec 4 13:43:04 CET 2018

On Dec 4, 2018, at 7:37 AM, michael böhm <ksk2 at> wrote:
>   Is my elsif(State ...)-statement a robust way to check if this packet
>   belongs to a challenge-response of this exact user?


a) the user specified in the User-Name, and

b) a response to a previous Access-Challenge.

> I want to avoid
>   situations where a user might be able to authenticate with just a Token
>   and no password.

  Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.

>   We are testing the configuration now. Thank you very much for your
>   help!

  You're welcome.

  Alan DeKok.

More information about the Freeradius-Users mailing list