I have a site that wants to do step-up or graded authentication for
certain protected (proxied) resources.

They use Kerberos auth for most resources but want to use RSA tokens
(via RADIUS) for certain applications.

So they created a new contract that with a higher auth level that has
both Kerberos (identifies user) and RADIUS (does NOT identify user)

This works, when a user goes to a resource protected by this new
contract, they are prompted for user name and token. However, they
don't like that fact that the user has to enter their username again
since they already have a session from the lower level contract that
only has Kerberos.

Is there a way to do this graded or step-up auth and require the token
but NOT require re-entering of the user ID?



matt's Profile: https://forums.netiq.com/member.php?userid=183
View this thread: https://forums.netiq.com/showthread.php?t=51985