ACS 5.3 Integration With RSA

Hi People,
I have Integrated the ACS 5.3 with AD.
Now my next goal is to Integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD.
The enable privilege level should come from the RSA Token OTP.
Is it possible to do such a thing with ACS 5.3???
If so how could i do it???
Thanks,
Manoj

I think that can try and make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
(this is not tested and based on my recollection so would need your verification)
1) Create a custom condition for the service attribute in TACACS+ dictionary
Policy Elements > Session Conditions > Custom
Create: Dictionary: TACACS+ ; Attribute:Service
2) Utilize in a rule in Device Admin identity policy
Access Policies > Access Services > Default Device Admin > Identity
Sselect a rule based
Customize based on condition in 1
Create a rule for when Service is "Enable". Select identity source as RSA in this case

Similar Messages

  • Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range).

    Hello Everyone,
    Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
    Thanks,
    Rishi

    Rishi,
    Are you looking to leverage certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic vlan assignment.
    Thanks,
    Tarik Admani

  • Autheticating useing Cisco ACS 4.2 integrated with Active Directory 2003

    How do i check that users are Autheticated useing Cisco ACS 4.2 integrated with Active Directory 2003, any one help me in this thanks

    You can't actually see the user's membership from ACS. All you can do, create group-mapping under external database >> group mapping section. This would give you an option to map external (AD) group with an Internal group.The group memberrship need to be modified under Active Directory.
    Once user is succussfully authenticated and learned as a dynamic user in ACS user setup database, it would be mapped with an ACS internal group based on group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
    In my earlier post,  I raised the same question but let me rephrased it again. I have configured TACACS+ in cisco ASA firewall and able to access . But when I integrated it with RSA secure ID , I am not able to enter in enable mode. It is not accepting enable password nor RSA passcode. I have created enable_15 in ASA , ACS and RSA server but no luck.
    Did any one face similar issue with ASA access ?
    Rgds
    Siddhesh

    Hi Siddesh,
    In order to help you here, I need to know few things:
    1.] Show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Urgent Help - OBIEE11.1.1.6 SSO INTEGRATION WITH RSA CLEARTRUST

    Can anyone help me what are the steps that need to be done to integrate OBIEE 11G Single sign on with RSA Clear trust. Any help will be appreciated

    Check this links
    http://docs.oracle.com/cd/E10415_01/doc/bi.1013/b40058.pdf
    see 5 and 8 chapters
    and also
    http://debaatobiee.wordpress.com/tag/rsa-obiee-siebel-analytics/
    Pls mark if helps

  • Webaccess integrated with rsa

    Hi,
    How do I integrate webaccess with RSA authentication?
    I really need a double authentication for security reasons.
    regards,
    Marcel

    Hi,
    I know this questions is 2 years old, but we like to do the same and searching for a solution.
    When someone have a solution for this, please post.
    Here our setup:
    GWIA 8.0.2hp2 is on Netware 6.5sp6
    GWWEB 8.0.2hp2 is on SLES11sp1
    regards,
    Dirk
    >>> Marcel Krai<[email protected]> schrieb am Samstag, 31. Januar 2009 um 16:16 in Nachricht <CXZgl.5153$[email protected]>:
    Hi,
    Gw8 running on netware 6.5sp7
    Webaccess running on linux (sles10 x86-64)
    regards,
    Marcel
    "gerdesj" <[email protected]> wrote in message
    news:[email protected]..
    >
    > Marcel Krai;1725547 Wrote:
    >> Hi,
    >>
    >> How do I integrate webaccess with RSA authentication?
    >> I really need a double authentication for security reasons.
    >>
    >> regards,
    >> Marcel
    >
    > GWWA is a web application ie it is hosted in Tomcat and generally front
    > ended via Apache. So your question probably becomes:
    >
    > "How do I integrate a web application accessed through Apache with RSA
    > authentication?"
    >
    > This should be covered by a support call to your RSA vendor. Failing
    > that some hunting around with a search engine.
    >
    > Your platform (NetWare/Linux/Windows etc) and versions (GW/OS etc)
    > would be useful to anyone wishing to provide advice.
    >
    >
    > --
    > gerdesj
    > ------------------------------------------------------------------------
    > gerdesj's Profile: http://forums.novell.com/member.php?userid=4527
    > View this thread: http://forums.novell.com/showthread.php?t=358578
    >

  • Cisco ACS 4.2 integration with Active Directory

    Hello,
    I´m new in the administration of ACS, we have recently implemented on server ACS version 4.2
    for manager all users authorization for our Network.
    We are in one environement which have an Active Directory, group and users.
    Now, i´m just able to creat a new user in ACS and work with on the Client SWITCH, what i need to do, is to integrate my ACS 4.2 with Active Directory.
    for work with the user and Group that a register in my AD.
    Someon can help me please?

    You can't actually see the user's membership from ACS. All you can do, create group-mapping under external database >> group mapping section. This would give you an option to map external (AD) group with an Internal group.The group memberrship need to be modified under Active Directory.
    Once user is succussfully authenticated and learned as a dynamic user in ACS user setup database, it would be mapped with an ACS internal group based on group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • ACS 4.2 integration with AD 2008 R1

    Hi,
    I have configured my WLC 4402 for Radius authentication using Cisco ACS server version 4.2 Patch 4.
    When using Local Database of ACS my Wireless Users are able to authenticate but users are not able to authenticate from External Database of Windows AD 2008 R1.
    In ACS logs I am getting the this error-
    Authentication session timed out. Challenge not provided by client.
    Please suggest.
    Thanks in advance,
    Pulkit

    Can you raise the service control to full and try again? You will need login into the machine (I am assuming acs for windows) and then analyze the auth.log and the rds.log and see if you are having any windows related errors in the auth.logs and see what the issue is in the RDS logs.
    Which authentication protocol are you using? Leap, eap-tls. PEAP?
    thanks,
    Tarik

  • ACS and CAR integration

    Hi,
    Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
    I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
    Thanks,
    Habib U Dashti

    Hi Habib,
    Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so as DB-2, The other way round is that you can convert DB-2 database in flat file structure and import it into ACS database. Regarding limitations or issues i do not have any info.
    And CAR has its own database & does not support DB-2.
    Thanks.

  • ACS Express integration with Active Directory

    Hello,
    I have ACS Express version 5.0.1 installed on Cisco ADE; I'm trying to get it integreated with an Active Directory without sucess.
    I did packet captures on the ASA that is in between and I can see communication going thru just fine. I ran a diagnostic on the ACS express and got this:
    DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    Not found in DNS!Make sure it is in Reverse Lookup Zone.
    FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: 172.24.2.93
    Subnet site:
    WARNING! Unable to locate computer's subnet site in Active Directory.
    Ask your Active Directory administrator to add this computer's subnet
    to the appropriate site.
    DNS query for: _ldap._tcp.172.24.2.93
    Found no SRV records!
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain
    DIAGNOSTIC USING THE AD REALM:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Tabla normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: CLAROCR.AMERICAMOVIL.CA1
    Subnet site: TELECOM
    DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
    Found SRV records:
    rom-pro-dc-03.clarocr.americamovil.ca1:389
    Testing Active Directory connectivity:
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
    ldap: 389/tcp - good
    ldap: 389/udp - good
    smb: 445/tcp - good
    kdc: 88/tcp - good
    kpasswd: 464/tcp - good
    ntp: 123/udp - good
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    DNS query for: _gc._tcp.AMERICAMOVIL.CA1
    Testing Active Directory connectivity:
    Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
    gc: 3268/tcp - timeout
    No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
    Global Catalog: rom-amv-dc-02.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-amv-dc-01.americamovil.ca1
    gc: 3268/tcp - good
    Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain

    Dennis,
    TIme in sync on the ACS and AD servers?
    Faisal

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now came a bit further on the path.
    Now the needed Radius Access Attribute are available in ISE after adding them in
    "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
    Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
    With that I could really see the attributes in the radius access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
    That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below is the steps I took to setup the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
    2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and
    RSA SecurID Token Server BUT I have
    experiences with Cisco ACS 4.1 running on
    Windows 2003 SP2 Enterprise Edition and
    RSA SecurID Token Server.
    All the troubleshoot you've done is correct.
    In Windows 2003 running Cisco ACS, you can
    install the test authentication RSA client
    and that you can verify that the setup
    is correct (by verifying that the sdconf.rec
    is not corrupted).
    One thing I can think of is that when you
    setup the ACS SE box, under external
    database, configure unknown user policy,
    did you check it to tell how to define users
    when they are not found in the ACS internal
    database. Did you select RSA SecurID token
    server?
    Other than that, from what I understand,
    you've done everything correctly.

  • Cisco Works LMS 3.1 Integration with ACS v5.2

    Hello Experts,
    our customer has a working integration with the Cisco Works LMS 3.1 and an ACS v3.3 as it is described in this document:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Now we are changing the old ACS Servers to the new ACS v5.2 platform. Is it possible to integrate the LMS to the new ACS Server? We want to use a granular user access restriction for SuperAdmins, Hotline Users an so on...
    Thanks,
    Florian

    Hi Florian,
    actually the ACS 5.2 is not supported in CS 3.2
    here is a list of the supported ACS servers under LMS 3.1
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp865998

  • All the devices not showing after CSM integration with ACS

    Hi all
    I integrated ACS with CSM and added all the security devices into ACS as client devices.But after integration with with ACS only few devices are shown in the CSM when i logged in as super admin.for all other users (system admin,network operator etc.),no devices are shown in the CSM.Please give me a solution to solve this.

    Did you have devices already in CSM when you integrated it into ACS ? Did you make sure that the hostname of the devices is exactly the same in acs and csm ?

  • ACS Integration with Microsoft Active Directory Services

    Hello Everyone,
    I've been tasked to design the integration of ACS with MS AD. What I want to know is the below assuming I have a software ACS or a ACS device and the protocol for authentication is Radius
    - What is the criteria for the AD to integrate with ACS software of appliance
    - Should that AD be hosted on the domain controller or not?
    - If not, on what (Domain Controller, Tree, Forest, Branch, Flower, Fruit  ) should the AD be hosted on?
    - What will I have to do to authenticate users logging into Cisco Security Manager with ACS integrated with AD?
    - Are there any other dependencies that I will have to categorically mention in my design document?
    Thanks,
    Rishi

    In ACS v5.x, there is a screen for integrating the ACS with AD. 
         (Users and Identity Stores > External Identity Stores > Active Directory)
    Just enter the local domain name (domain.com) and a valid AD administrator account username and password, and the ACS will connect to the domain.  This allows you to use existing AD credentials to login and administer your network devices. 
    Tying the ACS to AD really only takes one screen and less than a minute, but you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to setup a search sequence (Users and Identity Stores > Identity Store Sequences) to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts.  The permissions part is still fairly quick, and it only takes me about 45 minutes to build an ACS from scratch including all AD integration and custom RADIUS attributes for some of our devices. 
    The authentication would occur like this:
    User SSH/telnet/console to device
    Device contacts ACS using TACACS or RADIUS
    User receives login prompt and enters AD credentials
    Devices sends credentials to ACS
    ACS validates credentials in AD
    ACS sends authentication OK message to Device
    Device logs user in.
    Command Authorization looks something like this:
    User enters a command
    Device sends command authorization request to ACS
    ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group
    Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device
    Device allows or denies the user command.
    Criteria:  We use an ACS 5.2 virtual machine and have had it work perfectly with Server 2003 and Server 2008.
    AD is hosted on our local domain controller (Bonus:  no planting of flowers required!)
    Dependencies: 
    Issue:  The Device looks to ACS.  ACS looks to AD.  If AD fails, users cannot use their AD credentials to login.
              Device ---> ACS ---> AD
    Solution:  Configure the Device to look at ACS first, then a local table if ACS is not available.  Also, configure the ACS to look at AD first, then a local ACS account list if AD is not available.  (You can configure local user accounts on the Device and in the ACS) 
              Device ---> ACS ---> AD
              Device ---> ACS ---> AD ---> ACS local
              Device ---> ACS ---> AD ---> ACS local ---> Device local
    The new version of Cisco ACS is UNIX-based, and you can download a free trial to load up and try before you buy.  It is far FAR superior to the old ACS v3.3 that we had for years.
    I hope this helps for your design document!
    --Chris

Maybe you are looking for

  • PR Overall release issue

    PR release  strategy issue comes when Line items in PR added by two different persons, PR Release strategy(overall release)  not getting triggered. Release strategy is working fine if i create PR with only one user id. Both id's maintained in classif

  • How to populate iTunes library on external hard drive onto new MBP.

    I have a Powerbook G4 that is slowly dying. I have a new MBP that I want to populate my iTunes library onto without moving my music off my external hard drive. I've tried holding down the OPTION key while launching iTunes and selecting the iTunes Lib

  • [Solved] headless server suggestions

    Hi everybody... more of a archlinux user poll. I'm running a server previously centos / debian... now arch64 which it purrrrsssss happily with. I got all my samba torrent stuff figured out. Now I want to make this thing headless. I've heard that free

  • Import a database

    Hi, I want to import a database A(Source) to another database B(Target). Scenario is as follows Database A HIN          Name          Father          Date 1234501     Rahul          Suresh          01/01/2011 Database B HIN          Name          Fat

  • Regarding status of job

    Hi friends, we  are having some  rapidmart , one of the rapid mart job server shows red in color in data services management console Iam just gettinng confusion whether the job or data has been scheduled succesfully or not? or Job has already schedul