>So I think what will happen is this:
>- username/tokencode-password is passed from the Cisco ASA device
>- this data is passed in cleartext to the script
> - script splits the username/tokencode and username/password
> - script proxies the u/tc via RADIUS to SecurID
> - script uses PAP to pass the u/p to our directory
> - script does these checks in sequence or concurrently
> - once both sets of credentials are accepted, an accept is passed
>back to the Cisco ASA device
>
>Does this sound right?
>
Mostly. You will have to get the password from LDAP rather than send it to it. And then check it in pre-proxy (save yourself a proxy if user/pass don't match). This should work with PAP requests.

Ivan Kalik
Kalik Informatika ISP
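The ordering suggested in the reply, sketched as an added example that is not code from the thread or from FreeRADIUS: the password half is compared locally against the value fetched from the directory, and the tokencode is proxied only if that comparison succeeds. Assumptions: the PAP password field carries a 6-digit tokencode immediately followed by the directory password, the directory returns a cleartext password, and `lookup_password` and `proxy_tokencode` are hypothetical callbacks standing in for the LDAP lookup and the RADIUS proxy to SecurID.

```python
import hmac
from typing import Callable, Optional, Tuple

TOKENCODE_LEN = 6  # assumption: fixed-length numeric tokencode precedes the password


def split_credential(combined: str) -> Optional[Tuple[str, str]]:
    """Split the PAP password field into (tokencode, password), or None if malformed."""
    tokencode, password = combined[:TOKENCODE_LEN], combined[TOKENCODE_LEN:]
    well_formed = (len(tokencode) == TOKENCODE_LEN and tokencode.isascii()
                   and tokencode.isdigit() and password)
    return (tokencode, password) if well_formed else None


def authenticate(username: str, combined: str,
                 lookup_password: Callable[[str], Optional[str]],
                 proxy_tokencode: Callable[[str, str], bool]) -> str:
    """Return "accept" only when both the password and the tokencode are accepted."""
    parts = split_credential(combined)
    if parts is None:
        return "reject"
    tokencode, password = parts

    # Pre-proxy step: compare against the password fetched from the directory.
    # Assumption: the directory stores a cleartext value the script can read.
    stored = lookup_password(username)
    if stored is None or not hmac.compare_digest(password.encode(), stored.encode()):
        return "reject"  # no proxy request is sent when user/pass don't match

    # Only now spend a proxy round trip on the tokencode check.
    return "accept" if proxy_tokencode(username, tokencode) else "reject"


if __name__ == "__main__":
    directory = {"alice": "s3cret"}   # constructed sample directory
    proxied = []                      # records each simulated proxy request

    def fake_securid(user: str, code: str) -> bool:
        proxied.append((user, code))
        return code == "123456"       # constructed "valid" tokencode

    print(authenticate("alice", "123456wrong", directory.get, fake_securid), proxied)
    print(authenticate("alice", "123456s3cret", directory.get, fake_securid), proxied)
```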