Hi Ivan,

[email protected] wrote:
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device.  We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.

What we want to do:
When a user attempts to access the VPN, have them provide their
username/password as well as (their same) username and tokencode from
their SecurID fob.  It is OK if they provide the password and tokencode
separately or together.  (I spoke to the folks at Radiator, and they
have a programming ability in their RADIUS server to chop up the
password field before it's authenticated, i.e. have the tokencode and
password provided in the same field at the client, then take the first
eight characters of the 'password' field, send that string plus the
username to SecurID via RADIUS, and the rest of the characters from the
'password' field and the username to our LDAP directory.)  Ideally we
would prompt them for username, password and tokencode at the same time.

Can FreeRADIUS do this (it seems that Access-Challenge is exactly what
we want: http://en.wikipedia.org/wiki/RADIUS#AAA) or a similar thing to
solve our requirement?

Yes. There is no problem in composing Cleartext-Password "on the fly"
from users password and the token. It shouldn't be too difficult to
create a perl script that does that.

Excellent! So the username and tokencode/password is passed from the NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to extract the tokencode and password from the password field on the FreeRADIUS server, right? This script would then present both sets of credentials back to the FreeRADIUS server and they would then be authenticated to their respective sources?

I take it that we cannot do this natively in FreeRADIUS without writing such a script?

You can have problems only if you insist that stored passwords should be
encrypted. That can be sorted in reverse: you would split the
User-Password from the request and create custom authentication script
that would check both parts. But that will work only for PAP requests.

I guess that we would prefer that the password is encrypted, we wouldn't want the passwords to be able to be viewed by someone who had access to the FreeRADIUS server. Can you elaborate on 'custom auth script'? Does this mean that such a script would have to talk directly to our LDAP directory as well as the SecurID server? I was hoping to have only the FreeRADIUS server talking to our LDAP and SecurID servers.

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
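Added illustration of the split Ivan describes and of why it is PAP-only (example code, not from Ivan, Greg or the FreeRADIUS project): a PAP request carries the whole User-Password field hidden with the RFC 2865 scheme, so the server can recover the cleartext and cut off the first eight characters as the tokencode, whereas CHAP/MS-CHAP carry only a hash over the whole field. The shared secret, Request Authenticator and credential below are constructed sample values; FreeRADIUS does the un-hiding itself, it is spelled out here only to show where the cleartext comes from.

```python
import hashlib
from typing import Tuple

TOKENCODE_LEN = 8  # "the first eight characters of the 'password' field"


def rfc2865_password(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (hide=True, NAS side) or un-hiding
    (hide=False, server side): block_i XOR MD5(secret + c_{i-1}), with c_0 the
    Request Authenticator and c_i the hidden block as sent on the wire.
    Only PAP leaves the server with the whole cleartext field; CHAP/MS-CHAP
    deliver a hash over the entire field, so there is nothing left to split."""
    if hide:
        data += b"\x00" * (-len(data) % 16)  # NUL-pad to a multiple of 16
    if not data or len(data) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hide else block  # both directions chain on the hidden block
    return bytes(out) if hide else bytes(out).rstrip(b"\x00")


def split_credential(cleartext: bytes) -> Tuple[str, str]:
    """Split 'tokencode + LDAP password' into the part for SecurID and the part
    for LDAP. Fails closed when the field is too short to hold both or when the
    tokencode part is not numeric, so neither backend sees a half-credential."""
    if len(cleartext) <= TOKENCODE_LEN:
        raise ValueError("password field too short to hold a tokencode plus a password")
    tokencode = cleartext[:TOKENCODE_LEN]
    if not tokencode.isdigit():
        raise ValueError("tokencode part is not numeric")
    return tokencode.decode("ascii"), cleartext[TOKENCODE_LEN:].decode("utf-8")


# Constructed sample: shared secret, Request Authenticator, and a user who typed
# tokencode "12345678" immediately followed by LDAP password "Tr0ub4dor&3".
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SAMPLE_CLEARTEXT = b"12345678Tr0ub4dor&3"

if __name__ == "__main__":
    hidden = rfc2865_password(SAMPLE_CLEARTEXT, SECRET, AUTHENTICATOR, hide=True)
    recovered = rfc2865_password(hidden, SECRET, AUTHENTICATOR, hide=False)
    tokencode, ldap_password = split_credential(recovered)
    print(f"to SecurID: {tokencode!r}   to LDAP: {ldap_password!r}")
```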