[EMAIL PROTECTED] wrote:
> If the RSA Authentication Manager finds that the token is in New Pin
> or Next Tokencode mode, it will issue an Access-Challenge message with
> the Reply-Message attribute explaining the next step.
> The client is expected to display the text, and prompt the user, then
> send another Access-Request with the response in the password
> attribute. This exchange can continue through several steps, until an
> Access-Accepted or -Rejected is received.
>
> Only a few RADIUS test clients can actually deal with this. I don't
> know (off the top of my head) which production clients we recommend.

The pam_radius_auth module on FreeRADIUS.org was written specifically
to deal with this situation.

> Of course, for the best security the EAP-POTP method is our
> recommended authentication protocol.

I don't suppose you have server code to contribute? :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
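
The challenge loop described in the quoted message, as an added example that is not part of the original post and is not code from pam_radius_auth or RSA: a simulated exchange with no network I/O. MockServer, its prompts, its acceptance checks and MAX_ROUNDS are constructed assumptions; echoing the State attribute back in each follow-up Access-Request is standard RADIUS behaviour (RFC 2865).

```python
# Added illustration: a simulated RADIUS Access-Challenge loop (no network I/O).
# MockServer and its prompts are constructed stand-ins, not RSA or FreeRADIUS code.
import secrets

MAX_ROUNDS = 5  # assumption: the client caps the number of challenge rounds


class MockServer:
    """Toy server whose token is in New PIN mode, then Next Tokencode mode."""

    def __init__(self):
        self.sessions = {}  # State value -> step in the dialogue

    def handle(self, request):
        state = request.get("State")
        if state is None:
            # First Access-Request: the token needs a new PIN before access is granted.
            return self._challenge("new_pin", "Enter a new PIN:")
        step = self.sessions.pop(state, None)  # each State value is single-use
        if step is None:
            return {"code": "Access-Reject"}  # unknown or replayed State
        answer = request["User-Password"]
        if step == "new_pin":
            if not (answer.isdigit() and len(answer) >= 4):  # constructed PIN rule
                return {"code": "Access-Reject"}
            return self._challenge("next_code", "Wait for the tokencode to change, then enter it:")
        # step == "next_code"; constructed check: any 6-digit code passes
        ok = answer.isdigit() and len(answer) == 6
        return {"code": "Access-Accept" if ok else "Access-Reject"}

    def _challenge(self, step, text):
        state = secrets.token_hex(8)  # unpredictable, so it cannot be guessed
        self.sessions[state] = step
        return {"code": "Access-Challenge", "Reply-Message": text, "State": state}


def authenticate(server, user, passcode, prompt):
    """Client side: show Reply-Message, send the answer as User-Password, echo State."""
    request = {"User-Name": user, "User-Password": passcode}
    for _ in range(MAX_ROUNDS):
        reply = server.handle(request)
        if reply["code"] != "Access-Challenge":
            return reply["code"]  # Access-Accept or Access-Reject ends the dialogue
        answer = prompt(reply["Reply-Message"])  # display the text, read user input
        request = {"User-Name": user, "User-Password": answer, "State": reply["State"]}
    return "Access-Reject"  # give up rather than follow challenges forever
```

A client that treats Access-Challenge as a failure, or drops the State attribute, never gets past the first round when the token is in one of these modes.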