Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP.
    if (NAS-IP-Address == 10.0.0.1) {
        update control {
            Response-Packet-Type := Access-Challenge
        }
        updated
    }

After the authentication is performed further attributes have been added.

    if (NAS-IP-Address == 10.0.0.1) {
        update reply {
            Packet-Type := Access-Challenge
            State := 1
            Reply-Message := "Token Code"
        }
        ok
    }

This gives the following reply.

    Packet-Type = Access-Accept
    Packet-Type = Access-Challenge
    State = 0x31
    Reply-Message = "Token Code"

The following is the debug output:

    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    users: Matched entry DEFAULT at line 193
    ++[files] returns ok
    ++? if (NAS-IP-Address == 10.0.0.1)
    ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++- entering if (NAS-IP-Address == 10.0.0.1)
    +++[control] returns ok
    +++[updated] returns updated
    ++- if (NAS-IP-Address == 10.0.0.1) returns updated
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for bob
    WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bob)
    expand: ou=people,... -> ou=people,...
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=people,..., with filter (uid=bob)
    rlm_ldap: Added the eDirectory password password00 in check items as Cleartext-Password
    rlm_ldap: No default NMAS login sequence
    rlm_ldap: looking for check items in directory...
    rlm_ldap: LDAP attribute eduPersonPrincipalName as RADIUS attribute Principal-Name == "bob"
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user bob authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (NAS-IP-Address == 10.0.0.1)
    ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++- entering if (NAS-IP-Address == 10.0.0.1)
    +++[reply] returns ok
    +++[ok] returns ok
    ++- if (NAS-IP-Address == 10.0.0.1) returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop

Can the Access-Accept be changed to an Access-Challenge?

Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
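As an added illustration that is not part of the original post or of FreeRADIUS itself, the two-round exchange the configuration above is trying to produce: the LDAP password check answered with Access-Challenge plus State for the NAS at 10.0.0.1, and the echoed State gating the token leg that would be proxied to RSA. The LDAP and RSA back ends are constructed in-memory stand-ins, and the user, password and token values are made up for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the two back ends; no LDAP or RSA traffic is made.
LDAP_USERS = {"bob": "password00"}   # what the LDAP leg would verify
RSA_TOKENS = {"bob": "123456"}       # what the proxied RSA leg would verify
CHALLENGE_NAS = "10.0.0.1"           # only this NAS is asked for a token

# Outstanding challenges: State value -> user it was issued to (single-use).
pending = {}


def handle_access_request(nas_ip, user, password, state=None):
    """Answer one Access-Request; returns (Packet-Type, reply attributes)."""
    if state is None:
        # Leg 1: password against LDAP.
        if not hmac.compare_digest(LDAP_USERS.get(user, ""), password):
            return "Access-Reject", {}
        if nas_ip != CHALLENGE_NAS:
            return "Access-Accept", {}
        # Password is good but this NAS needs a second factor, so the
        # Access-Accept becomes an Access-Challenge.  State must be random
        # and one-shot (a constant such as 0x31 can be replayed or guessed).
        st = secrets.token_hex(16)
        pending[st] = user
        return "Access-Challenge", {"State": st, "Reply-Message": "Token Code"}
    # Leg 2: the NAS echoes State and sends the token code as User-Password;
    # only a State we issued, to this user, and not yet consumed, is accepted.
    if pending.pop(state, None) != user:
        return "Access-Reject", {}
    if hmac.compare_digest(RSA_TOKENS.get(user, ""), password):
        return "Access-Accept", {}   # what proxying to RSA would return
    return "Access-Reject", {}


def two_leg_login(nas_ip, user, password, token):
    """Drive the exchange as a NAS would; returns the packet types seen."""
    code, attrs = handle_access_request(nas_ip, user, password)
    seen = [code]
    if code == "Access-Challenge":
        code, _ = handle_access_request(nas_ip, user, token, attrs["State"])
        seen.append(code)
    return seen
```

A NAS on any other address gets a plain Access-Accept after the LDAP leg, and a State that is reused, forged, or bound to a different user is rejected before anything is sent to the token back end.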