Hi Ivan,

t...@kalik.net wrote:
>>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>>> from the user's password and the token. It shouldn't be too difficult to
>>> create a perl script that does that.
>> Excellent!  So the username and tokencode/password is passed from the
>> NAS (ASA5500) to the FreeRADIUS server and we create a (perl) script to
>> extract the tokencode and password from the password field on the
>> FreeRADIUS server, right?
>
> Yes. But you say later that you won't be using clear text passwords. So,
> forget that. Instead the script will be splitting the value passed in the
> User-Password field in the request.

I've talked to the group who run our FreeRADIUS server and using clear
passwords in this case is fine.

>> This script would then present both sets of
>> credentials back to the FreeRADIUS server and they would then be
>> authenticated to their respective sources?
>>
>> I take it that we cannot do this natively in FreeRADIUS without writing
>> such a script?
>
> No.
>
> You can have problems only if you insist that stored passwords should be
> encrypted. That can be sorted in reverse: you would split the
> User-Password from the request and create a custom authentication script
> that would check both parts. But that will work only for pap requests.
>> I guess that we would prefer that the password is encrypted, we wouldn't
>> want the passwords to be able to be viewed by someone who had access to
>> the FreeRADIUS server.
>
> That would limit you to using pap authentication.

We use PAP authentication to authenticate to our directory, so no problems there.

>> Can you elaborate on 'custom auth script', does
>> this mean that such a script would have to talk directly to our LDAP
>> directory as well as the SecurID server?
>
> No.
>
>> I was hoping to have only the
>> FreeRADIUS server talking to our LDAP and SecurID servers.
>
> Yes, the server can get those values and make them available to the auth
> script.

So I think what will happen is this:
- username/tokencode-password is passed from the Cisco ASA device
- this data is passed in cleartext to the script
  - script splits the username/tokencode and username/password
  - script proxies the u/tc via RADIUS to SecurID
  - script uses PAP to pass the u/p to our directory
    - script does these checks in sequence or concurrently
- once both sets of credentials are accepted, an accept is passed back to the Cisco ASA device

Does this sound right?

Cheers,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
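The following is an added example illustrating the flow Greg lists above (split one User-Password value into password and tokencode, check each half against its own backend, accept only when both pass). It is not code from Greg, Ivan or the FreeRADIUS project. Assumptions not stated in the thread: the combined value is laid out as "<directory password><6-digit tokencode>", and the SecurID and LDAP backends are modelled by constructed stand-in functions rather than a real RADIUS proxy leg or a real LDAP bind.

```python
"""Two-factor split of a single User-Password value (added example).

Assumed layout (not from the thread): directory password followed by
exactly six tokencode digits, e.g. "mypassword123456".
"""
import hmac
import re
from typing import Callable, NamedTuple, Optional

# Non-greedy password group, so the *last* six digits are the tokencode.
# Known limit of this assumed layout: a password that itself ends in
# digits is ambiguous; a separator or fixed-length PIN avoids that.
_CRED_RE = re.compile(r"^(?P<password>.+?)(?P<tokencode>\d{6})$", re.DOTALL)


class Credential(NamedTuple):
    username: str
    password: str
    tokencode: str


def split_user_password(username: str, user_password: str) -> Optional[Credential]:
    """Split the combined User-Password; None if it does not fit the layout."""
    m = _CRED_RE.match(user_password)
    if m is None:
        return None
    return Credential(username, m.group("password"), m.group("tokencode"))


# A backend check takes (username, secret) and returns True on success.
Checker = Callable[[str, str], bool]


def authenticate(username: str, user_password: str,
                 check_token: Checker, check_directory: Checker) -> bool:
    """Access-Accept only when BOTH backends accept.

    A malformed value is rejected before either backend is contacted.
    The token leg runs first here (one reasonable order): a bad tokencode
    then never causes a directory bind that could count toward a lockout
    policy. The single boolean result does not reveal which factor failed.
    """
    cred = split_user_password(username, user_password)
    if cred is None:
        return False
    if not check_token(cred.username, cred.tokencode):
        return False
    return check_directory(cred.username, cred.password)


# Constructed stand-ins for the two backends (sample data, not real calls).
_FAKE_DIRECTORY = {"gvickers": "correct horse battery"}  # constructed
_FAKE_TOKENCODES = {"gvickers": "123456"}                 # constructed


def _ct_equal(expected: str, supplied: str) -> bool:
    """Constant-time string compare; encode so non-ASCII input is safe."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def fake_securid_check(username: str, tokencode: str) -> bool:
    """Stand-in for the RADIUS proxy leg to SecurID (assumption)."""
    expected = _FAKE_TOKENCODES.get(username)
    return expected is not None and _ct_equal(expected, tokencode)


def fake_directory_check(username: str, password: str) -> bool:
    """Stand-in for the PAP check against the LDAP directory (assumption)."""
    expected = _FAKE_DIRECTORY.get(username)
    return expected is not None and _ct_equal(expected, password)


if __name__ == "__main__":
    for pw in ("correct horse battery123456",   # both factors good
               "correct horse battery654321",   # wrong tokencode
               "wrong123456",                   # wrong directory password
               "12345"):                        # malformed, too short
        ok = authenticate("gvickers", pw, fake_securid_check, fake_directory_check)
        print("Access-Accept" if ok else "Access-Reject")
```

The two checker callables are the seam where a real deployment would plug in FreeRADIUS's own proxy and ldap handling; the decision logic and the fail-closed handling of a malformed value stay the same regardless of backend.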