>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>> from the user's password and the token. It shouldn't be too difficult to
>> create a perl script that does that.
>
> Excellent! So the username and tokencode/password are passed from the
> NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
> extract the tokencode and password from the password field on the
> FreeRADIUS server, right?
Yes. But you say later that you won't be using clear text passwords. So,
forget that. Instead the script will be splitting the value passed in the
User-Password field in the request.

> This script would then present both sets of credentials back to the
> FreeRADIUS server and they would then be authenticated to their
> respective sources?
>
> I take it that we cannot do this natively in FreeRADIUS without writing
> such a script?

No.

>> You can have problems only if you insist that stored passwords should be
>> encrypted. That can be sorted in reverse: you would split the
>> User-Password from the request and create a custom authentication script
>> that would check both parts. But that will work only for pap requests.
>
> I guess that we would prefer that the password is encrypted, we wouldn't
> want the passwords to be able to be viewed by someone who had access to
> the FreeRADIUS server.

That would limit you to using pap authentication.

> Can you elaborate on 'custom auth script', does this mean that such a
> script would have to talk directly to our LDAP directory as well as the
> SecurID server?

No.

> I was hoping to have only the FreeRADIUS server talking to our LDAP and
> SecurID servers.

Yes, server can get those values and make them available to the auth
script.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
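The splitting step discussed in the thread, written out as an added rlm_perl hook. This is an illustrative example, not code posted by Ivan Kalik or shipped with FreeRADIUS. It assumes the user types their LDAP password immediately followed by a 6-digit SecurID tokencode, that the script is loaded through a `perl` module instance listed in the `authorize` section, and that `Tmp-String-0` (from the server's internal dictionary) is an acceptable place to stash the tokencode for a later SecurID check. As the thread says, this only works for PAP, because only PAP carries the cleartext in User-Password; a CHAP or MS-CHAP request has nothing to split, so the hook passes it through untouched.

```perl
# Added example: split User-Password into "LDAP password" + "SecurID tokencode".
# Assumed deployment: rlm_perl, called from the authorize section, PAP only.
use strict;
use warnings;

# rlm_perl return codes (values as in the module's example.pl)
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_HANDLED => 3,
    RLM_MODULE_INVALID => 4,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Hashes rlm_perl fills with the request/reply/check attributes
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Assumed convention: the tokencode is the trailing 6 digits of what was typed.
my $TOKEN_LEN = 6;

# Returns (password, tokencode) on success, or an empty list if the
# value is too short or does not end in TOKEN_LEN digits.
sub split_credentials {
    my ($combined) = @_;
    return if !defined $combined || length($combined) <= $TOKEN_LEN;

    my $token = substr($combined, -$TOKEN_LEN);
    return if $token !~ /^[0-9]{$TOKEN_LEN}$/;

    my $password = substr($combined, 0, length($combined) - $TOKEN_LEN);
    return ($password, $token);
}

sub authorize {
    # Only PAP sends the cleartext; CHAP/MS-CHAP requests cannot be split.
    return RLM_MODULE_NOOP unless exists $RAD_REQUEST{'User-Password'};

    my ($password, $token) = split_credentials($RAD_REQUEST{'User-Password'});
    unless (defined $password) {
        $RAD_REPLY{'Reply-Message'} = 'Expected password followed by tokencode';
        return RLM_MODULE_REJECT;
    }

    # Leave only the LDAP part in User-Password so a later ldap bind
    # authenticates with it, and keep the tokencode for the SecurID step.
    $RAD_REQUEST{'User-Password'} = $password;
    $RAD_REQUEST{'Tmp-String-0'}  = $token;   # assumed attribute for the tokencode

    return RLM_MODULE_UPDATED;
}

# Not used here; rlm_perl calls whatever sections are defined.
sub authenticate { return RLM_MODULE_NOOP; }

1;
```

Because the hook rewrites User-Password in the request, the SecurID part of the check must read the tokencode from `Tmp-String-0` rather than from the original attribute; neither half is written to disk, which is the point of doing the split on the request instead of storing a composed Cleartext-Password.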