Hi all,

The problem I am trying to solve involves administrative logins to our firewalls, which currently run on Red Hat Linux 6.2. In order to provide administrative accountability, individual accounts have to be created on each box for all of the administrators, and their passwords have to be maintained. Obviously, this doesn't scale well as we add boxes.

We have tried to leverage our existing SecurID authentication system as a way of strengthening the authentication model on the firewalls and eliminating the need to use host-specific user accounts. However, with the current RSA ACE/Agent for Linux, one must still log in to the local machine before being prompted for the SecurID login.

I'm looking for a way around that by leveraging pam_radius to talk to our existing Steel Belted RADIUS servers, which are already configured to proxy to our ACE/Servers. The problem is that pam_radius, from what I have been able to gather, does not support New PIN Mode, Next Tokencode Mode and other ACE-specific messages, which would be needed to properly support ACE authentication on an ongoing basis.

Is anybody working on this or considering doing so, or does anybody have any alternative suggestions on how I might be able to do this without requiring two logins? Any help would be appreciated.

Thanks,
Utsav
