>Scenario:
>To pilot the SecurID product, we selected VPN access to a part of our
>network, protected by a Cisco ASA5500 series device. We are in the
>process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
>We know that MS IAS cannot do what we want to do.
>
>What we want to do:
>When a user attempts to access the VPN, have them provide their
>username/password as well as (their same) username and tokencode from
>their SecurID fob. It is OK if they provide the password and tokencode
>separately or together. (I spoke to the folks at Radiator, and they
>have a programming ability in their RADIUS server to chop up the
>password field before it's authenticated, i.e. have the tokencode and
>password provided in the same field at the client, then take the first
>eight characters of the 'password' field, send that string plus the
>username to SecurID via RADIUS, and the rest of the characters from the
>'password' field and the username to our LDAP directory.) Ideally we
>would prompt them for username, password and tokencode at the same time.
>
>Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
>we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
>solve our requirement?
Yes. There is no problem in composing Cleartext-Password "on the fly" from users password and the token. It shouldn't be too difficult to create a perl script that does that. You can have problems only if you insist that stored passwords should be encrypted. That can be sorted in reverse: you would split the User-Password from the request and create custom authentication script that would check both parts. But that will work only for pap requests.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
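One way to do the "split the User-Password" step Ivan describes, as an rlm_perl authorize hook. This is an added example, not code from the thread or from FreeRADIUS; it assumes the eight-character tokencode comes first in the field (as in the Radiator description above) and that the internal attribute Tmp-String-0 is available to carry the tokencode onward.

```perl
#!/usr/bin/perl
# rlm_perl hook: split a combined "tokencode + LDAP password" User-Password.
# Added example for this thread; not the list's or the project's own code.
use strict;
use warnings;

# Hashes that rlm_perl fills before calling us and writes back afterwards.
our (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY);

# rlm_perl return codes (same values as FreeRADIUS' example.pl uses).
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Tokencode length as stated in the question (assumption: tokencode first).
use constant TOKEN_LEN => 8;

# Returns (tokencode, ldap_password), or an empty list if the field is unusable.
sub split_user_password {
    my ($combined) = @_;
    return () unless defined $combined && length($combined) > TOKEN_LEN;
    my $tokencode = substr($combined, 0, TOKEN_LEN);
    my $password  = substr($combined, TOKEN_LEN);
    return () unless $tokencode =~ /^\d+$/;    # a tokencode is all digits
    return ($tokencode, $password);
}

sub authorize {
    # Only PAP carries a cleartext User-Password; CHAP/MS-CHAP cannot be split.
    return RLM_MODULE_NOOP unless defined $RAD_REQUEST{'User-Password'};

    my ($tokencode, $password) = split_user_password($RAD_REQUEST{'User-Password'});
    return RLM_MODULE_REJECT unless defined $tokencode;

    # Leave only the LDAP part where the ldap module will look for it, and park
    # the tokencode in an internal attribute (assumption: Tmp-String-0 exists)
    # for whatever later forwards it to the SecurID RADIUS server.
    $RAD_REQUEST{'User-Password'} = $password;
    $RAD_REQUEST{'Tmp-String-0'}  = $tokencode;
    return RLM_MODULE_UPDATED;
}

1;
```

The module is listed in the authorize section ahead of ldap; forwarding Tmp-String-0 with the username to the SecurID server is site configuration and is not shown here.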