
List:       freeradius-users
Subject:    Re: Two factor authentication to both LDAP directory and SecurID
From:       <tnt () kalik ! net>
Date:       2009-02-27 11:37:11
Message-ID: ROhHlr5h.1235734631.8487400.tnt () kalik ! net

>So I think what will happen is this:
>- username/tokencode-password is passed from the Cisco ASA device
>- this data is passed in cleartext to the script
>   - script splits the username/tokencode and username/password
>   - script proxies the u/tc via RADIUS to SecurID
>   - script uses PAP to pass the u/p to our directory
>     - script does these checks in sequence or concurrently
>   - once both sets of credentials are accepted, an accept is passed
>back to the Cisco ASA device
>
>Does this sound right?
>

Mostly. You will have to get the password from LDAP rather than send it
to it. And then check it in pre-proxy (save yourself a proxy if user/pass
don't match). This should work with PAP requests.

Ivan Kalik
Kalik Informatika ISP
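
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the pre-proxy check described in the reply, where the password half of the PAP credential is compared with the value fetched from LDAP and the tokencode is proxied to SecurID only on a match. Assumptions: a fixed 6-digit tokencode sits in front of the password, the LDAP userPassword value is either cleartext or {SSHA}, and all function names and the sample directory are hypothetical.

```python
import base64
import hashlib
import hmac

TOKEN_LEN = 6  # assumption: fixed-length numeric tokencode at the front


def split_credential(combined, token_len=TOKEN_LEN):
    """Split the PAP password field into (tokencode, password), or None."""
    token, password = combined[:token_len], combined[token_len:]
    if len(token) != token_len or not token.isdigit() or not password:
        return None
    return token, password


def ldap_password_matches(stored, candidate):
    """Compare a cleartext candidate with a userPassword value from LDAP."""
    cand = candidate.encode()
    if stored.upper().startswith("{SSHA}"):
        # {SSHA} is base64(SHA-1(password + salt) + salt), 20-byte digest
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), cand)


def pre_proxy_decision(username, combined, directory):
    """Return ("proxy", tokencode) only if the directory password matched."""
    parts = split_credential(combined)
    stored = directory.get(username)
    if parts is None or stored is None:
        return ("reject", None)
    token, password = parts
    if not ldap_password_matches(stored, password):
        return ("reject", None)   # no SecurID round trip for a bad password
    return ("proxy", token)       # SecurID still has to accept the tokencode


def make_ssha(password, salt):
    """Build a constructed {SSHA} value for the sample directory below."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed sample data, standing in for an LDAP lookup.
SAMPLE_DIRECTORY = {"alice": make_ssha("s3cret", b"\x01\x02\x03\x04"),
                    "bob": "plainpw"}

if __name__ == "__main__":
    print(pre_proxy_decision("alice", "123456s3cret", SAMPLE_DIRECTORY))
    print(pre_proxy_decision("alice", "123456wrong", SAMPLE_DIRECTORY))
```

A "proxy" result is not an accept: the request is accepted only after SecurID also approves the tokencode.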
