FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
Alan DeKok
aland at deployingradius.com
Fri Nov 30 15:51:20 CET 2018
On Nov 30, 2018, at 8:57 AM, michael böhm <ksk2 at gmx.net> wrote:
> We have been successfully using FreeRADIUS for some time now. Now we have two more requirements:
>
> 1) Password change in OpenLDAP via FreeRADIUS
> ...
> Can we implement password changes with FreeRADIUS as well when the NAS supports this, or is this a TACACS+-only feature?

It's only TACACS+.

The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again.

> 2) Next-Token-Mode for RSA SecurID
>
> We are using Two-Factor-Authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID Server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID Server prompts for the next token. Access-Challenges are used in this case.
>
> Is there a way to handle this in FreeRADIUS?

Sure. There's an rlm_securid module in the server. That should work.

Alan DeKok.
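
The split-and-forward flow described in the question, including the extra Access-Challenge round used in next-token mode, modelled as an added example (not part of the original thread, and not rlm_securid or FreeRADIUS code). It assumes the challenge reply carries only the next 6-digit tokencode plus the echoed State; `TwoFactorProxy`, `fake_ldap`, `fake_rsa` and all sample credentials are hypothetical and constructed.

```python
import re
from typing import Callable, Dict, Optional, Tuple

CRED_RE = re.compile(r"(.+)([0-9]{6})", re.DOTALL)  # LDAP password + 6-digit tokencode
TOKEN_RE = re.compile(r"[0-9]{6}")                  # bare tokencode in a challenge reply

class TwoFactorProxy:
    # Hypothetical model of the front-end logic; the callables stand in for LDAP and RSA.
    def __init__(self, check_ldap: Callable[[str, str], bool],
                 ask_rsa: Callable[..., Tuple[str, Optional[bytes]]]):
        self.check_ldap, self.ask_rsa = check_ldap, ask_rsa
        self.pending: Dict[bytes, str] = {}  # State -> user who already passed LDAP

    def handle(self, user: str, user_password: str, state: Optional[bytes] = None) -> dict:
        if state is None:
            # First round: "<ldap password><tokencode>" arrives in one User-Password.
            m = CRED_RE.fullmatch(user_password)
            if not m or not self.check_ldap(user, m.group(1)):
                return {"code": "Access-Reject"}
            token = m.group(2)
        else:
            # Challenge round: skip the split, and accept only a State this proxy
            # issued to this user after the LDAP check succeeded (single use).
            if self.pending.pop(state, None) != user or not TOKEN_RE.fullmatch(user_password):
                return {"code": "Access-Reject"}
            token = user_password
        code, rsa_state = self.ask_rsa(user, token, state)
        if code == "Access-Challenge" and rsa_state is not None:
            self.pending[rsa_state] = user
            return {"code": code, "State": rsa_state}  # State is passed through unchanged
        return {"code": "Access-Accept" if code == "Access-Accept" else "Access-Reject"}

# Constructed stand-ins for the LDAP directory and the RSA SecurID server.
def fake_ldap(user: str, password: str) -> bool:
    return (user, password) == ("alice", "s3cret99")

def fake_rsa(user: str, token: str, state: Optional[bytes]) -> Tuple[str, Optional[bytes]]:
    if state is None:
        # Simulated drifted token: the first code triggers a next-token challenge.
        return ("Access-Challenge", b"rsa-state-1") if token == "111111" else ("Access-Reject", None)
    return ("Access-Accept", None) if (state, token) == (b"rsa-state-1", "222222") else ("Access-Reject", None)

def demo() -> list:
    proxy = TwoFactorProxy(fake_ldap, fake_rsa)
    first = proxy.handle("alice", "s3cret99111111")
    second = proxy.handle("alice", "222222", first.get("State"))
    forged = proxy.handle("alice", "222222", b"rsa-state-1")  # State already consumed
    return [first["code"], second["code"], forged["code"]]

if __name__ == "__main__":
    print(demo())
```

The point to carry over into a real policy is that the password split must not run on the challenge round, and that the first-factor result has to stay bound to the State so the second round cannot be used to bypass the LDAP check.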