802.1x ACS RSA Secure ID/Safeword Token server

Hello, we are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and log in to our wireless network. They would then be prompted for their login and password, which would be their Badge ID and their token credentials.
We are using an Airespace wireless security device. We specify ACS as the 802.1x RADIUS server. Airespace is sending the requests to ACS just fine, but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the Airespace wireless security device. The log below reflects this.
We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA servers as our RADIUS Token Server, set the unknown user DB to that server and test auth, we are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XPSP1, as we would hate to have to install software on every client's laptop.
A wireless client of ours DID work when we specified EAP-GTC on the client side, but it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our RADIUS strings are correct etc. Safeword is listening on 1812, but also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?).
The failed attempts log shows "External DB Auth Failed".
Here is a snip of the CSRadius/RDS.log when we try to auth. When we sniff traffic we see the EAP request and the RADIUS reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way, please do. Thank you all in advance.
Cisco RDS log attached.

The problem could be with your Secure ID RSA server.

Similar Messages

  • ACS 4.2 with multiple RSA secure ID token servers

    Hi all,
    I have a question which I couldn't find an answer to so far.  Below is a very brief explanation of what I have and what I need to do.
    What I have:
    1- An ACS 4.2 server installed on win 2003 with RSA agent installed.
    2- A RSA Secure ID Token Authentication Manager 7.1
    The problem:
    Due to lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
    So far all the solutions I have found and been told to do by RSA support have not enabled me to recover the lost password.
    What I want to do:
    I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2
    Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one
    My question:
    This is a very busy production environment and users can't tolerate down time at all.
    I need to keep everything running, so I need to know if it is possible to have 2 RSA data stores set up within ACS 4.2 or not?
    And if so, will users migrated to the new RSA installation still be able to authenticate or not?
    Can ACS send multiple authentication requests simultaneously or not? And what happens if a user is present in both instances of RSA, old and new?
    Thanks,
    Khash

    I have this set up and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and set up your RSA server with the RADIUS shared secret. Check IP connectivity between both, and make sure that the RSA server is the first database to be queried. Here you are just using RADIUS to pass through the auth from the ACS to the RSA server.

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would appreciate it very much if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any success message once ACS gets the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client and that way you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "Radius Identity Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, I would start troubleshooting by looking at them and see what identity store or identity store sequence they are using.

  • RSA Secure ID - seed file query

    Hello!
    I had to come to Microsoft's forum for help, as the company behind RSA don't have support for "non-enterprise" (coined) customers.
    My company installed RSA Secure ID so I can generate a "soft token" to log onto my company's Citrix apps, and open CRM software etc.
    This soft token works with a "seed file" that my company gives me, that is unique to a serial number that RSA generates based on my unique PC.
    My question is this: I know that the seed file I received is bound to my hard drive, as the software generates a unique serial number for every install, and it pertains to the hardware (and is perhaps bound to the motherboard also).
    I'm wondering, if I need to reinstall Windows 8.1 (e.g. system image restore) onto the same hard drive, for whatever reason, will the serial generated by my hard drive be the same and therefore allow me to use the seed file my company supplied me, that is dedicated to the serial number? For example, restoring from a system image.
    I have no idea if any users would know this outside of EMC (company behind RSA)  but, even my IT dept. in my company don't know!
    And I don't want to ''test'' this scenario out, for the fear I won't be able to work!
    Any help from IT pros/power users would be fantastic. 
    Cheers!

    The problem could be with your Secure ID RSA server.

  • No mapping for Identity User Name in WS Security X.509 token profile

    Hi,
    I am trying to do interoperability tests with Apache WSS4J and Aqualogic ESB for X509 certificates.
    I wrote the client and server in the Axis and WSS4J framework. It is working fine.
    When I developed the proxy services in Aqualogic ESB with the configuration like Proxy Service Provider, Adding WS Policy statements in WSDL, keystore configuration, Credential mapping providers etc., I am always getting the following error.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:FailedAuthentication</faultcode><faultstring>Failed to derive subject from token.javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090245]No mapping for Identity User Name</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Failed to derive subject from token.javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090245]No mapping for Identity User Name
    I am using X509 certificates for the digital signature only. I am not using SSL in the demo.
    Could anyone help me in this regard, since I have been stuck here for the last one week?
    Regards,
    Pandu

  • [HELP] CRL in standalone OC4J SSL and ws-security x.509 token profile?

    Dear all,
    I have a question about setting up the OC4J server to check against a cert revocation list (CRL) when:
    1. SSL in standalone OC4J (no oracle http server) (i.e. using secured-web-site.xml)
    2. ws-security x.509 token profile (authenticate user by cert)
    ***I can create a CRL list, but I don't know how I can import this list into the keystore
    ***and set up the system to validate certs against the CRL.
    I can't find the information in Oracle's manual/documentation.
    Could anyone give me the solution for these 2 situations?
    thank you.
    lsp

    Hi,
    i have a question about setting up the OC4J server to
    check against a cert revocation list (CRL) when:
    1. SSL in standalone OC4J (no oracle http server)
    Probably not supported.
    2. ws-security x.509 token profile (authenticate user by cert)
    OC4J + WS_SECURITY doesn't support CRL-s, sorry.
    Hubert M.

  • AP 1200 and RSA Secure ID

    I know an RSA Secure ID RADIUS server can be used to authenticate to the 1200 access point, and we have to use PEAP. I want to know how that works... is there a separate pop-up to authenticate to the WEP and then the login to the Active Directory?
    Can someone link me to a CCO document which gives me a good reading on the topic?

    You might want to check out:
    http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_WLAN_PEAP_ACE5.pdf

  • Reset RSA Secure ID pin using API

    hi
    I need to reset the RSA Secure ID PIN for a user using the OIM APIs. Has anyone worked on the same? If so, please guide me on this.
    Thanks,
    Anuj.

    Patrick,
    We have a 3rd party API to integrate 9iAS components (including Portal) with other authentication servers. For 9iAS R2, it's described in the SSO admin guide http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/manage.902/a96115/tpsso.htm#1005152
    (and the same API also exists for 9iAS 1.0/Portal 3.0).
    I've heard of folks using this API to integrate custom SSO servers, biometric systems, RADIUS servers, etc. I am curious if anyone out there has used the API with SecureID.
    -Lee

  • Problems with 802.1x,ACS and Windows Server 2000

    Hi,
    My components: ACS 3.3 running on a Server with Windows 2000 Server SP4 , 2950 Catalyst (AAA-Client) ,
    Laptop with Windows XP SP2 (802.1x Client)
    I have everything configured according to Cisco documentation, but I am getting one error in the ACS's log (Failed Attempts active.csv):
    Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
    I have a valid certificate on my RADIUS (ACS) server, and for machine authentication I have a valid certificate on my laptop. (I installed this certificate before I started to log in at the 802.1x port of the switch.)
    Does anyone have any idea what the problem is?
    Here is the Config of the Catalyst 2950 if that will help:
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname ACS-Client1
    aaa new-model
    aaa authentication dot1x default group radius
    enable secret xxxx
    username xxxx privilege xxx password xxx
    ip subnet-zero
    ip ssh time-out 120
    ip ssh authentication-retries 3
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    interface FastEthernet0/13
    switchport mode access
    dot1x port-control auto
    dot1x timeout quiet-period 3
    dot1x timeout reauth-period 1
    dot1x reauthentication
    interface GigabitEthernet0/2
    interface Vlan1
    ip address 10.10.3.253 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.3.254
    ip http server
    radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key radius
    line con 0
    password xxx
    line vty 0 4
    password xxx
    line vty 5 15
    password xxx
    end

    Yes, we managed to solve this problem. Because it is only a test scenario, we installed everything new: Win2000 Server SP4, the certificate service and WinXP on the client.
    The config of the switch is OK; we set the reauth-period and quiet-period to default.
    Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
    Attention, we used the AEGIS Client not the XP Client!

  • ACS 4.2 RDBMS Action 105/108 - How to set to something other than default "RADIUS Token Server"

    I'm trying to create an import script for RDBMS to import users, but cannot figure out how to set the "PASS_TYPE_RADIUS_TOKEN" to something other than the default of "RADIUS Token Server".  We have multiple RADIUS Token Server definitions.
    I can create a user with what I need, except external db password is set to "RADIUS Token Server".  How do I set it to (for example) something like "RADIUS Token Server - xxxx"
    We have more than 1 RADIUS Token Server definition called "RADIUS Token Server - xxxx", "RADIUS Token Server - yyyy". 
    Thanks!

    As per my knowledge you have to update 4.2 ACS to
    5.1, because when you go for RDBMS synchronization it won't allow you. I have faced a problem in the past while the primary ACS was 4.1 and the secondary was 4.2; I updated the primary ACS to 4.2 and everything is working fine.

  • Unsuccessful ACS to RADIUS token server exchange

    Hello team:
    We are having a hard time trying to make our ACS 4.2 talk to an external FreeRadius token server.
    When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero attributes on the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer as an error and so the transaction fails.
    In order to compare with another platform working as our RADIUS server, we replaced our FreeRadius token server by another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
    (1) Framed-IP = 255.255.255.255
    (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
    We went back to our FreeRadius as the external RADIUS server of our ACS, and managed to get it to generate and return exactly the previous kind of message to the ACS working as RADIUS client. However, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
    So we are missing something.
    Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
    thank you very much in advance
    Rogelio Alvez
    Argentina

    Thanks for the interest Tarik!
    Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
    ACS Debug from a terminal monitor
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
    2w1d: AAA/AUTHEN (4096347873): status = GETUSER
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: RADIUS: ustruct sharecount=1
    2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
    2w1d:         Attribute 4 6 C0A800CB
    2w1d:         Attribute 5 6 00000007
    2w1d:         Attribute 61 6 00000005
    2w1d:         Attribute 1 15 63616D61
    2w1d:         Attribute 31 15 3139322E
    2w1d:         Attribute 2 18 893A4B64
    2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
    2w1d:         Attribute 18 12 52656A65
    2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
    2w1d: AAA/AUTHEN (4096347873): status = FAIL
    2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
    2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
    2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
    2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
    2w1d: AAA/AUTHEN/START (2072451976): found list pepe
    2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
    2w1d: AAA/AUTHEN (2072451976): status = GETUSER
    Freeradius Debug
    rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
        User-Name = "camara/829113"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 6372
        NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
        User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
    # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
    ++[auth_log] returns ok
    [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
    [IPASS] Found realm "DEFAULT"
    [IPASS] Adding Stripped-User-Name = "829113"
    [IPASS] Adding Realm = "DEFAULT"
    [IPASS] Authentication realm is LOCAL.
    ++[IPASS] returns ok
    [suffix] Request already proxied.  Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    ++[control] returns noop
    rlm_perl: Response: 201: Succeeded
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = Perl
    # Executing group from file /etc/freeradius/sites-enabled/vuserver
    +- entering group Perl {...}
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
      WARNING: Empty post-auth section.  Using default return values.
    # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
    Sending Access-Accept of id 23 to 192.168.0.3 port 3912
        Framed-IP-Address = 255.255.255.255
        Class = 0x434143533a302f3265662f37663030303030312f31383133
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 23 with timestamp +575
    Ready to process requests.
    Inside the file archive.zip you'll find
    cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
    captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is OK)
    If you need more information or output please let me know.
    Rogelio

  • How to configure AD and Token server (over radius) authentication

    Dear forum,
    I have a scenario where users should be allowed network access after they have given their AD credentials and a token (Blackshield Token server).
    The token server speaks over RADIUS to the Cisco ACS appliance. I have managed to get users authenticated by means of their AD credentials. I am however not able to use both means in order to have a successful authentication.
    Does anyone have a configuration example for this scenario? Any help would be greatly appreciated.
    Thanks!!!

    Hi,
    I have had two deployments using this form of authentication.
    Just so we are on the same page, the token servers that I have integrated connect to an Active Directory server running NPS (MS RADIUS), then the user will have to send their password+token and the token software will check the account password, and then the token to see if the user succeeds.
    Let me know if that is the design of your software. If it is, then all you need to do is configure the token software to run on radius and then set the policies up from there. From the network device standpoint it just needs to point to the radius server.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cannot open page Safari cannot open the page because it could not establish a secure connection to the server

    Hello Apple Experts!!
    I am Surendra and very new to this forum. I just came across a problem with my iPhone while connecting to my company WiFi. We are using web authentication, meaning:
    The user will try to connect to the wireless network, the client will get the IP address and they are forced to open up the browser to provide the USERNAME and the PASSWORD on the webpage. Once they pass the auth they will be able to access the internet.
    The WEB PAGE that asks for the USERNAME and the PASSWORD is HTTPS and for some reason that page is not opening at all and I am getting the below error. If I disable HTTPS on the Cisco device the iPhone works great.
    Cannot open page Safari cannot open the page because it could not establish a secure connection to the server
    This is happening only on the OS 5 and on the OS 4 everything works just great!!
    I have a feeling that this has something to do with the HTTPS / SSL connection with the iPhone Safari or OS 5.
    I am connecting to a Cisco Wireless LAN Controller and the access point acting as the WiFi devices.
    Any help on the same will be much appreciated!!
    Regards
    Surendra

    I'm having a similar issue.  Connecting on my iPad FROM ANYWHERE to my work's domain results in the message by the OP.
    I checked the ciphers enabled by their page, and this was returned:
      High Strength Ciphers (>= 112-bit key)
        SSLv3
          EDH-RSA-DES-CBC3-SHA       Kx=DH         Au=RSA     Enc=3DES(168)    Mac=SHA1  
          DES-CBC3-SHA               Kx=RSA        Au=RSA     Enc=3DES(168)    Mac=SHA1  
          RC4-MD5                    Kx=RSA        Au=RSA     Enc=RC4(128)     Mac=MD5   
          RC4-SHA                    Kx=RSA        Au=RSA     Enc=RC4(128)     Mac=SHA1  
        TLSv1
          EDH-RSA-DES-CBC3-SHA       Kx=DH         Au=RSA     Enc=3DES(168)    Mac=SHA1  
          DHE-RSA-AES128-SHA         Kx=DH         Au=RSA     Enc=AES(128)     Mac=SHA1  
          DHE-RSA-AES256-SHA         Kx=DH         Au=RSA     Enc=AES(256)     Mac=SHA1  
          n/a                        Kx=DH         Au=RSA     Enc=Camellia(128)  Mac=SHA1  
          n/a                        Kx=DH         Au=RSA     Enc=Camellia(256)  Mac=SHA1  
          DES-CBC3-SHA               Kx=RSA        Au=RSA     Enc=3DES(168)    Mac=SHA1  
          AES128-SHA                 Kx=RSA        Au=RSA     Enc=AES(128)     Mac=SHA1  
          AES256-SHA                 Kx=RSA        Au=RSA     Enc=AES(256)     Mac=SHA1  
          n/a                        Kx=RSA        Au=RSA     Enc=Camellia(128)  Mac=SHA1  
          n/a                        Kx=RSA        Au=RSA     Enc=Camellia(256)  Mac=SHA1  
          RC4-MD5                    Kx=RSA        Au=RSA     Enc=RC4(128)     Mac=MD5   
          RC4-SHA                    Kx=RSA        Au=RSA     Enc=RC4(128)     Mac=SHA1  
    This appeared to be a more than sufficient cipher list, yet my iPad won't load any page.  I highly doubt it's a problem with SSL2 not being enabled because SSL2 has been deprecated for a while now.
    Any ideas?
