2106 and RSA RADIUS

I have a 2106 wireless controller set up along with a 1252 access point. I am able to authenticate to the AP via WPA-PSK without issue. However when I configure authentication to use our RSA RADIUS server it fails with several error messages. I am confident the RADIUS server is set up properly because we have been using it to authenticate to your routers/switches for the past year.
Here are the error messages I receive in the controller's logs:
DOT1X-3-ABORT_AUTH: Authentication Aborted
DOT1X-3-AAA_SEND_FAILURE: Unable to send AAA message for client <mac address>
DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries (3) exceeded for client <mac address>
AAA-4-RADIUS_RESPONSE_FAILED: RADIUS server <ip address> failed to respond to request (IDxx) for STA <mac address> / user 'unknownUser'
Looking at the accounting logs on the RADIUS server also shows that the device's MAC is being sent as the UserName, which doesn't seem right to me and may be the issue, but I'm unsure how to fix it, especially since I don't have MAC filtering turned on.
I am trying to authenticate with a MacBook Pro running 10.5.2.

Well, having no luck going to my RADIUS server directly from the WLC, I decided to try using our test ACS server in the mix. I configured it to talk to the RSA RADIUS server and reconfigured the WLC to talk to the ACS server.
Except for not selecting the proper protocols I authenticated without a hitch using a token code on an XP machine with the Cisco client.
I then fired up the Mac and it authenticated properly with no issues as well, and even gave me the option to say it was a one time password. I thought I read elsewhere that one time passwords weren't supported? Well apparently they are now.

Similar Messages

  • JAAS to RSA RADIUS Server

    I need to write a JAAS module that will validate passwords against an RSA RADIUS Server (via RSA's Authentication Manager).
    I'm not seeing the sort of APIs I saw when I did a similar module for Siteminder, so a couple of questions:
    - Is there a Java API for RSA Authentication Manager? (I'm not finding one on their website or via Google)
    - If I need to use a RADIUS client what's the best (open source) choice?
    Thanks in advance-- Mike

    If I got you right, they provide you a RADIUS server, so you don't need a special API. Just go on SourceForge (www.sf.net) and try one of the available Java RADIUS client APIs to do the authentication as a proxy between your user and the RADIUS server.
    I wrote a very simple one back in 2001 for the authentication against a RADIUS server only and not a full implementation of the standard, but I think now on sf you will find much more mature ones.

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2. I configured it as management monitor and PSN and it works fine.
    I would like to know if I can integrate an external RADIUS server and work with both internal and external RADIUS servers simultaneously.
    So some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS, and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
    I would like to know if it is possible to configure it, and how I can do it.
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with username Axxxx, the other Bxxxx.
    Now we are trying to differentiate the authentications for the two groups. One permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup would probably qualify it as part of ISE 1.3.

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network. The SSID has layer 2 security WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another, or when he has an idle time, he needs to re-authenticate on the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting way to determine why the clients have this problem?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or the AP sends a DEAUTH frame, the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side, you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCK or a device that supports OKC? What does your RADIUS server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client and that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database. Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • MD5 and RSA - Slow performance  - Help / Views Required

    Hi,
    I am facing a problem while signing a message. The scenario is:
    I have to create 20,000 messages to be sent to clients. I am encrypting the message using MD5 and RSA.
    But when I am encrypting via RSA it takes about 20 mins to encrypt the 20k messages. I don't know why it's taking so much time. I have max 4-5 mins to manipulate and send messages. The sample code is as follows:
    Your earliest help will be quite helpful.
    Thanks in advance
    Hassan
    ************** Source Code ****************
    import java.io.IOException;
    import java.math.BigInteger;
    import java.security.KeyFactory;
    import java.security.MessageDigest;
    import java.security.Signature;
    import java.security.PrivateKey;
    import java.security.spec.RSAPrivateKeySpec;
    import org.apache.log4j.Logger;
    public class Signer {
    ******************************************

    Hi Sabre,
    I have compiled the simple code from JCE tutorial for DES. The output text it is showing is different than input text.
    Is there any problem going on in tutorial's example ?
    Regards
    Hamid
    ******** output **************
    the original cleartext is: [B@13a328f
    the encrypted text is: [B@337838
    the final cleartext is: [B@119cca4
    ******** Code ************
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.KeyGenerator;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.SecretKey;

    public class jCypher {
        private static Cipher desCipher = null;

        public static void main(String[] args) throws NoSuchAlgorithmException,
                InvalidKeyException, IllegalBlockSizeException, NoSuchProviderException,
                BadPaddingException, NoSuchPaddingException, Exception {
            // Creating a Key Generator and Generating a Key
            // public static KeyGenerator getInstance(String algorithm);
            KeyGenerator keygen = KeyGenerator.getInstance("DES");
            SecretKey desKey = keygen.generateKey();
            // Creating a Cipher
            // Cipher.getInstance(Transformation);
            // c1 = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            desCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
            // Cipher.init(int opmode, Key key);
            desCipher.init(Cipher.ENCRYPT_MODE, desKey);
            // Cleartext
            byte[] cleartext = "This is small Text for testing".getBytes();
            // Note: byte[].toString() prints the array's type and identity hash
            // ([B@...), not its contents, which is what the output above shows.
            System.out.println("the original cleartext is: " + cleartext.toString());
            // Encrypt the cleartext
            // encrypted or decrypted data in one step (single-part operation)
            // public byte[] doFinal(byte[] input);
            byte[] ciphertext = desCipher.doFinal(cleartext);
            System.out.println("the encrypted text is: " + ciphertext.toString());
            // Initialize the same cipher for decryption
            desCipher.init(Cipher.DECRYPT_MODE, desKey);
            // Decrypt the ciphertext
            byte[] cleartext1 = desCipher.doFinal(ciphertext);
            System.out.println("the final cleartext is: " + cleartext1.toString());
        } // End main()
    }

  • SPARC v240 can i install Solaris 10 and free Radius proxy software?

    On a SPARC v240 can i install Solaris 10 and free Radius proxy software?

    No, the patch was created on top of Solaris 10 packages. The patchadd utility requires that the VERSION strings match between the installed package's pkginfo file and the pkginfo files inside the patch. Unless the base package did not change between Solaris 9 and Solaris 10, the patch will not get applied because of the VERSION mismatch. But it is very unlikely that the packages did not change between the two releases.
    Even if you were to be able to install it, there could be dependencies that the patch's binaries have on other Solaris 10 binaries.
    -- Alan

  • DES and RSA test applet

    Hello all,
    I have to test DES and RSA with some Java Card, but I have NO idea with it.
    Is there any sample applets or any good site to learn it?
    If I can have applet files, that will be great.
    Thanks a lot,
    Julie.

    This could be an issue, for example, if there is a card that doesn't implement javacardx.crypto. Creating Cipher myCipher as a member variable would throw an exception if it's not implemented on the card. This ultimately will prevent it from being loaded.
    Take your CAP file and try to load it with the reference implementation and you'll see what I mean. Also, try to compile, and generate a CAP file outside the JCOP IDE environment. You'll see what ticks me off about the Sun kit. It would still generate the CAP file. BUT crypto isn't implemented in the Sun Kit. It should kick out an export not found message.
    Discarding objects aren't needed because, if you notice, the JC uses a facade design pattern for the crypto implementations to assure only one instance is created. That's the getInstance() methods.

  • [Vision] Measuring the minimum and maximum radius of a particle

    Hi all,
    I'm currently developing an upgraded vision application that includes a particle sizing measurement using the IMAQ Particle Analysis VI.
    Currently I'm using the Equivalent Ellipse Major and Minor axes, which works fairly well but appears to overstate the area of the particles compared to the previous implementation of the software for this system. The original software used a maximum and minimum radius measurement using the actual perimeter of the particle rather than an equivalent ellipse.
    I'm looking at using Max Feret Diameter and Equivalent Ellipse Minor (Feret) instead, and I was wondering if anyone has any experience with this sort of measurement and can offer some advice? I'm processing up to 100 particles per frame at around 7-8 fps, so I don't know if writing my own LabVIEW code to perform the measurement will be fast enough.
    Cheers
    Brett Percy
    Senior Software Development Engineer
    Certified LabVIEW Architect and LabVIEW Champion

    Hi Bjorn,
    I can detect the particles fine, the issue is with the particle size measurement. As you can see from the image, most of the particles are not very round. The previous version of the software calculated a maximum and minimum radius of the particle, but there doesn't seem to be an exact equivalent in the LabVIEW vision library.
    Cheers
    Brett
    Senior Software Development Engineer
    Certified LabVIEW Architect and LabVIEW Champion

  • Using RSA RADIUS Server and WLC 7.4 to dynamically assign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using RSA fob for password. RSA sends back auth request with attributes to WLC 7.4 that magically knows how to interpret the attributes and puts John on VLAN 10. Mary logs on with her fob and gets put on VLAN 20.
    We don't have ISE. We don't have ACS. We have RSA Authentication Manager 7.0.
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes.
    I don't see any attributes in the capture when RSA sends to the VWLC.
    I see attributes in the capture when RSA sends to my local RADIUS client (my PC).
    And to answer your question, we are sending a VLAN ID (157).
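
An added example, not part of either thread and not Cisco or RSA code: a small parser for captured RADIUS packets that performs the two checks these discussions turn on, whether User-Name matches the EAP-Identity in an Access-Request (the ISE proxy reply earlier on this page) and whether an Access-Accept carries the complete RFC 3580 VLAN attribute set (the dynamic VLAN thread above). The packets, user names and function names are constructed for illustration; VLAN 157 is the value from the post.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868, RFC 3579)
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM, EAP_MESSAGE, TUNNEL_PGID = 1, 64, 65, 79, 81
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def parse_radius(packet):
    """Return (code, {attr_type: [value, ...]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def eap_identity(attrs):
    """Identity from an EAP-Response/Identity, or None if there is none."""
    eap = b"".join(attrs.get(EAP_MESSAGE, []))  # EAP can span several attributes
    if len(eap) < 5:
        return None
    eap_code, _id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_code != 2 or eap_type != 1:  # 2 = Response, 1 = Identity
        return None
    return eap[5:eap_len].decode("utf-8", "replace")

def identity_mismatch(packet):
    """True when the packet carries an EAP-Identity that differs from User-Name."""
    _code, attrs = parse_radius(packet)
    user = attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    ident = eap_identity(attrs)
    return ident is not None and ident != user

def assigned_vlan(packet):
    """VLAN ID from an Access-Accept, or None unless all three attributes are present."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    def tagged_int(attr_type):  # 1-byte tag followed by a 3-byte value
        value = attrs.get(attr_type, [b""])[0]
        return int.from_bytes(value[1:4], "big") if len(value) == 4 else None
    if tagged_int(TUNNEL_TYPE) != 13 or tagged_int(TUNNEL_MEDIUM) != 6:  # VLAN, IEEE-802
        return None
    pgid = attrs.get(TUNNEL_PGID, [b""])[0]
    if pgid and pgid[0] <= 0x1F:  # optional leading tag byte
        pgid = pgid[1:]
    return pgid.decode("ascii", "replace") or None

# --- constructed sample packets (zeroed authenticators, not captures) ---
def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def _packet(code, *attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def _eap_id(name):
    return struct.pack("!BBHB", 2, 1, 5 + len(name), 1) + name

REQ_STRIPPED = _packet(ACCESS_REQUEST, _attr(USER_NAME, b"jdoe"),
                       _attr(EAP_MESSAGE, _eap_id(b"jdoe@example.com")))
REQ_SAME = _packet(ACCESS_REQUEST, _attr(USER_NAME, b"jdoe"),
                   _attr(EAP_MESSAGE, _eap_id(b"jdoe")))
ACCEPT_FULL = _packet(ACCESS_ACCEPT, _attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
                      _attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06"),
                      _attr(TUNNEL_PGID, b"157"))
ACCEPT_PGID_ONLY = _packet(ACCESS_ACCEPT, _attr(TUNNEL_PGID, b"157"))
```

To use it on real traffic, pass the UDP payload of each RADIUS packet from a capture to `identity_mismatch` or `assigned_vlan`.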

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not. Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
    I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
    I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA can't pass authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • Integration between Cisco RADIUS and RSA

    Ciao. I need some help to configure the RADIUS, activating the RSA "NEXT TOKEN CODE" feature. Can you help me?

    If you have maintenance with RSA or your product is licensed, you can contact their support and they can give a step-by-step guide in PDF.
    I've done similar using RSA and RADIUS for network staff login to all Cisco network devices using a token. The step-by-step guide provided by their support is very helpful.

  • Help Please: WLC 2106 and RADIUS

    Hello,
    In the WLC there are two groups (say A and B). How would I take group B and point it to a RADIUS server for authentication please? Looking for a step by step answer please. The server is ping reachable. I have searched but did not see any definitive answer.
    Thanks!

    You can achieve what you want per WLAN.
    configure authentication servers order in wlan settings as per this image:
    HTH
    Amjad
    You want to say "Thank you"?
    Don't. Just rate the useful answers,
    that is more useful than "Thank you".

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General Tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the radius access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
    That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias
