RSA ACE Authentication


Mike Keller-2
Ok, before I get flamed up, I know this isn't
supported, I just want to know if anyone has tried it.

I would like to use an RSA / ACE server to
authenticate locally on 3.8 (through radius).

And

I would like to run the RSA Authentication Agent 5.2
for Web on Apache.  It is only supported for  RH Linux
and Sun.  I was able to hack up the install and config
command scripts enough to where it will install, but I
can't get apache to run when I try adding the module.
I have it running on IIS, but I'd really like to
move away from M$ / IIS.

Again, I realize it isn't supported, I am just curious
if anyone has tried / had any success with it.  I'd be
happy to discuss off the group, or to be pointed to
another list / url.  

Thanks!


Re: RSA ACE Authentication

Joachim Schipper
On Thu, Feb 02, 2006 at 03:39:47PM -0800, Mike Keller wrote:

> Ok, before I get flamed up, I know this isn't
> supported, I just want to know if anyone has tried it.
>
> I would like to use an RSA / ACE server to
> authenticate locally on 3.8 (through radius).
>
> And
>
> I would like to run the RSA Authentication Agent 5.2
> for Web on Apache.  It is only supported for  RH Linux
> and Sun.  I was able to hack up the install and config
> command scripts enough to where it will install, but I
> can't get apache to run when I try adding the module.
> I have it running on IIS, but I'd really like to
> move away from M$ / IIS.
>
> Again, I realize it isn't supported, I am just curious
> if anyone has tried / had any success with it.  I'd be
> happy to discuss off the group, or to be pointed to
> another list / url.  

I don't have any specific experience with what you are trying to do, but
if you can get RADIUS running you should be able to use mod_auth_radius,
from the looks of it.

Locally, there is a 'radius' authentication mechanism, which should do
just fine. Hack login.conf to use it by default.

So it looks like the only thing really unsupported would be the RADIUS
server, but I don't know what you are using for that, so I can't really
comment.

                Joachim


Re: RSA ACE Authentication

K Kadow
In reply to this post by Mike Keller-2
On 2/2/06, Mike Keller <[hidden email]> wrote:
> I would like to use an RSA / ACE server to
> authenticate locally on 3.8 (through radius).

As Joachim pointed out, there is the generic "login_radius" authenticator.

login_radius works (most of the time) to authenticate against the remote RADIUS
service on your remote ACE/Server.  There are a few bugs with login_radius,
primarily I've found that it just doesn't work at all for console logins via
RSA/ACE, sends "blank password" authentication attempts which tend to confuse
ACE/Server, and has trouble with "new PIN" and "next tokencode" mode.

Enabling login_radius is as simple as adding an Agent Host to your ACE/Server,
with a shared secret, creating /etc/raddb/servers to contain the secret, and
modifying login.conf to add the radius server information and authentication
settings.

If you enable radius authentication in the default class, you will likely want
to explicitly disable login_radius for the 'daemon' class.


> I would like to run the RSA Authentication Agent 5.2
> for Web on Apache.  It is only supported for  RH Linux
> and Sun.

TMK, the agent on OpenBSD is a non-starter, I doubt it can be successfully used
on OpenBSD without support from RSA, without at least a native library to
link against.  (Please, please prove me wrong).

You can use one of the RADIUS authentication modules for Apache,
mod_auth_radius works on OpenBSD, though it also has trouble with
"new PIN" and "next tokencode" mode.


> Again, I realize it isn't supported, I am just curious
> if anyone has tried / had any success with it.  I'd be
> happy to discuss off the group, or to be pointed to
> another list / url.

I moderate the unofficial securid-users mailing list on Yahoo! groups,
discussion of RSA's ACE/SecurID product on OpenBSD is more than welcome
on the securid-users list, info is here:
     http://groups.yahoo.com/group/securid-users

Kevin Kadow
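
A sanity check for the login_radius setup described in the reply above, added here as an example and not part of the original thread: it reports whether the 'daemon' class in a login.conf ends up with radius authentication (directly or through tc= inheritance) and whether the shared-secret file is accessible to other users. The function names are hypothetical, the tc= handling is a simplification, and checking only the "other" permission bits is an assumption about how the secret file should be protected.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so it can run on copies.

# Print the auth= list that applies to a login.conf class.
# Simplification (assumption): the class's own auth= wins, otherwise tc= entries
# are followed in order; this is not a full getcap(3) implementation.
class_auth() {  # $1 = login.conf path, $2 = class name
    awk -v cls="$2" '
        function auth(c, depth,   n, f, i, a) {
            if (depth > 8 || !(c in rec)) return ""
            n = split(rec[c], f, ":")
            for (i = 2; i <= n; i++)
                if (f[i] ~ /^auth=/) return substr(f[i], 6)
            for (i = 2; i <= n; i++)
                if (f[i] ~ /^tc=/) {
                    a = auth(substr(f[i], 4), depth + 1)
                    if (a != "") return a
                }
            return ""
        }
        /^[ \t]*#/ { next }
        {   # join lines ending in a backslash into one record
            sub(/^[ \t]+/, ""); more = sub(/\\$/, ""); buf = buf $0
            if (more) next
            split(buf, head, ":"); k = split(head[1], names, "|")
            for (i = 1; i <= k; i++) rec[names[i]] = buf
            buf = ""
        }
        END { print auth(cls, 0) }' "$1"
}

# Succeeds if the comma-separated auth list contains the radius style.
has_radius() { case ",$1," in *,radius,*) return 0 ;; *) return 1 ;; esac; }

# Succeeds if the daemon class does not end up with radius authentication.
daemon_ok() { ! has_radius "$(class_auth "$1" daemon)"; }

# Succeeds if the shared-secret file exists with no permission bits for "other".
secret_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

if [ "$#" -eq 2 ]; then   # usage: script /etc/login.conf /etc/raddb/servers
    daemon_ok "$1" || echo "WARN: daemon class resolves to radius in $1"
    secret_ok "$2" || echo "WARN: $2 missing or accessible to other users"
fi
```
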