ACS 4.0 and RSA Token Server problem

Hi,
We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
Any help or advice appreciated.
Thanks

Hi,
The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
The following link talks about the same.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
Regards,
~JG
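The point made in this reply, and repeated further down the thread (the dot1x/RSA ACE reply and the CHAP RFC 1994 quote), is that a token backend can only answer "is this one-time code valid?", which PAP can ask but CHAP-style verification cannot. The following is an added example, not code from any of the posts: the token server, the user seed and the code derivation are constructed stand-ins (the derivation is an illustrative HMAC, not RSA SecurID's algorithm).

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed stand-in for a token server. Like a real OTP backend it exposes only
# a verify(user, code) decision; the seed never leaves it. The code derivation is
# illustrative (HMAC over a 60-second window), not RSA SecurID's algorithm.
TOKEN_SEEDS = {"alice": b"constructed-seed-alice"}

def tokencode(seed: bytes, window: int) -> str:
    digest = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def otp_server_verify(user: str, candidate: str, now: int) -> bool:
    seed = TOKEN_SEEDS.get(user)
    if seed is None:
        return False
    expected = tokencode(seed, now // 60)          # current window only
    return hmac.compare_digest(candidate.encode(), expected.encode())

# PAP: the RADIUS server holds the password the user typed, so it can simply
# forward it to the external verifier and relay the yes/no answer.
def authenticate_pap(user: str, password: str,
                     verify: Callable[[str, str], bool]) -> str:
    return "Access-Accept" if verify(user, password) else "Access-Reject"

# CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge).
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

# Verifying a CHAP response means recomputing that hash, which needs the
# plaintext secret. A token backend cannot hand one over, so secret_lookup
# returns None and the only possible outcome is a reject: the server never
# even contacts the token server, which matches the "no traffic" symptom above.
def authenticate_chap(user: str, ident: int, challenge: bytes, response: bytes,
                      secret_lookup: Callable[[str], Optional[str]]) -> str:
    secret = secret_lookup(user)
    if secret is None:
        return "Access-Reject"
    expected = chap_response(ident, secret, challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

def demo(now: int = 1_700_000_000) -> tuple:
    """Same user, same valid token code, once over PAP and once over CHAP."""
    code = tokencode(TOKEN_SEEDS["alice"], now // 60)
    pap = authenticate_pap("alice", code, lambda u, p: otp_server_verify(u, p, now))
    challenge = secrets.token_bytes(16)
    response = chap_response(1, code, challenge)      # client side of CHAP
    chap = authenticate_chap("alice", 1, challenge, response, lambda u: None)
    return pap, chap

if __name__ == "__main__":
    print(demo())   # ('Access-Accept', 'Access-Reject')
```

With a static password available in plaintext (the case the original poster says works), authenticate_chap succeeds; only the verify-only token backend forces the reject.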

Similar Messages

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS using radius and want to use my RSA token server to authenticate my users. I have setup my RSA server under "Radius Identity Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug in my 802.1x enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up. I would start troubleshooting by looking at them and seeing what identity store or identity store sequence they are using.

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with an RSA Token Card to authenticate WLAN users in conjunction with ACS?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one is with username
    Axxxx, the other Bxxxx.
    Now we try to differentiate the authentication for the two groups. One permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup would probably qualify it as part of ISE 1.3.

  • Creative cloud is working but the webpage cannot find the files and returns a SERVER PROBLEM

    What is wrong since the latest updates of Creative Cloud??
    The upload is working fine but the Webpage is mostly not reachable and returns a SERVER error.

    I always use the app on my iMac, since more than one year. The Creative Cloud is then Syncing my files.
    After that I can distribute by making a public link, but since the updates, I can see my folders on the web, but if I enter a folder, then comes a SERVER error.
    In my synced folder on the iMac, the files are marked with the green v which means the file is synced with the cloud.
    Our system is not overloaded, I have tested it with dropbox and other cloud sites.

  • Safari 3.x (Leopard) and Web Proxy Server Problems:

    I have a Squid proxy server running on Linux. Users' web traffic is directed through it via a WPAD server which hosts a simple PAC file. The PAC file is very clean and small. It basically points all external (Internet) web traffic to our Proxy server. All of our Windows, Linux and Tiger clients work fine. However, Leopard (Safari 3.x) doesn't work quite right. Here's what happens:
    Mac user logs into a Leopard 10.5 Mac. User launches Safari and tries to go to an external (Internet) site. The WPAD server is contacted and the Mac User is prompted to authenticate to the Proxy server. This is totally normal behavior thus far. Then, however, every few minutes the Leopard Mac user will be prompted to authenticate again (sometimes 2 or 3 times in a row!). Firefox 2.0.x, when configured to use the WPAD/PAC server and Proxy server, works fine in Leopard. Only Safari 3 in Leopard is having the problem.
    All the Macs (Tiger and Leopard) are configured to use the Proxy server via OS X's Network Pref Pane (using the "Automatic Proxy Configuration"). Reminder: Tiger works fine (even with the Safari betas), but Leopard does not.
    I have attached our PAC file inline below (some things edited for privacy):
    // SIMR automatic configuration for Mozilla and friends
    // $Id: wpad.dat,v 1.8 2005/12/14 20:18:23 dct Exp $
    // Edit carefully, since many may be relying on this...
    function FindProxyForURL(url, host) {
        // Bypass the proxy for internal addresses and non-HTTP URLs.
        // (String.match takes a regular expression, so "." matches any character.)
        if (!url.match("http:")
            || url.match("http://127.0.")
            || url.match("http://10.")
            || url.match("http://192.168.")
            || isPlainHostName(host))
            return "DIRECT";
        // These are exceptions given in the IE config for Windows.
        if (host == "www.ncbi.nlm.nih.gov"
            || host == "chabry.caltech.edu"
            || host == "flybase.bio.indiana.edu"
            || host == "www.fedex.com"
            || host == "domain.org")
            return "DIRECT";
        // Everything else goes through the Squid proxy.
        return "PROXY <proxy server>:8080";
    }

    I think I have a similar problem. I am a Mac connecting to an otherwise all PC school network.
    A new location with all correct proxies has been set up. However, Safari always crashes on first attempt to negotiate its way through our server to the internet. Internet Explorer gets through because in its preferences it is possible to include the name of the school domain as well as my user name and password.
    We have been unable to find any way of including the domain name into Location in Network or into Safari.
    However, once Internet Explorer has negotiated with the server I can launch Safari and it works as normal.
    Safari/Network seems to lack this option of including a domain name that my PC server requires.
    Make sense to anyone?
    Worth mentioning that my copy of Internet Explorer (5.2) often crashes, but usually it has done its job by then. I quite like the concept of Internet Explorer sacrificing itself to clear a path for Safari.

  • Netbeans and Windows 2000 Server Problems

    I've tried to run netbeans on my windows 2000 server OS a few times. It usually doesn't work out and I have to go back to pcGrasp.
    Does anyone out there know of any issues between netbeans and this OS? Is it worth it? I'd like to move away from the .net world and learn j2EE but I'd like to move up my IDE. Netbeans seems like the best choice. Do any experienced individuals out there know of a better one?
    This was my latest error with netbeans. From just opening a folder??? I also tried to report it - I still have to wait another hour after I registered before I could HOPEFULLY find where exactly I can report it. Maybe that's why there are so many bugs. They make it impossible to report something they tell you to report to help out.
    A java.lang.reflect.InvocationTargetException exception has occurred.
    Please report this at http://www.netbeans.org/issues.html,
    including a copy of your ide.log file as an attachment.
    The ide.log file is located in your C:\Documents and Settings\Administrator\.netbeans\3.6\system folder.
    Thanks for anything
    -Wiley

    I use Windows 2000 Professional and have no problems.
    I would suggest,
    - ensure you have all windows updates.
    - ensure you have JDK 1.4.2_04
    - try eclipse which is also free (From IBM) http://www.eclipse.org/

  • Cisco MDS 9509 and HP Blade server problem

    I have a big problem, when I connected the MDS 9509 to the HP VC-FC 8GB the module in the MDS 9509 did not detect the HP module. I think this will be because MDS 9509 uses VSAN technology, but the HP blade does not support this feature. Please help me

    I am fairly certain that the HP blade chassis has HP branded Brocade FC switches. These switches need to be placed into AG mode and rebooted. On the Cisco MDS core the NPIV feature must be enabled.
    Here is more info on the Brocade AG mode -
    http://www.brocade.com/solutions-technology/technology/platforms/fabric-os/access_gateway.page
    http://www.brocade.com/downloads/documents/data_sheets/product_data_sheets/AccessGateway_DS_02.pdf
    Cisco NPIV info
    http://www.cisco.com/en/US/prod/collateral/ps4159/ps6409/ps5989/ps9898/white_paper_c11-459263.html

  • Mail and Microsoft exchange server problems

    My company is moving to Microsoft exchange servers now, and for some reason, Mail cannot work.
    There are several settings that are possible to set in Thunderbird, but that are not even options in Mail. These are settings such as "TLS".
    Is there any way to make the same settings in mail that are possible in Thunderbird?

    Hi Budgie
    I can confirm that provided your administrator configures the Exchange server for IMAP (Mail uses IMAP to connect) that yes, Mail can be used effectively with Exchange and messages will remain on the server; though the set up can be misleading.
    For me at least, when you get to Outgoing Server Settings, the set-up panel does not allow you to enter an authentication type, and entering my user name and password will get the following response:
    The SMTP server “xxxxx.xxxxxxxxxxxxxxxxxxx.com:username” is not responding. Check your network connection and that you entered the correct information in the “Outgoing Mail Server” field. If it still doesn’t respond, the server might be temporarily unavailable.
    If you continue, you may not be able to send any mail.
    When I click continue, the authentication panel comes up, and by changing authentication to NTLM and entering the Domain name - everything works perfectly!
    The only other nuisance is that Mail looks at the Exchange Calendar and Personal Folders/Contacts folders as mail folders, but cannot display the contents in the way Outlook or Entourage does, and I have not found a way of eliminating them from the folder list.
    I hope this helps.

  • Dot1x/ACS3.0/RSA ACE server 5.0

    Hi,
    I tried to configure dot1x (cat6500) with ACS 3.0 and RSA ACE server. In the first step when I configured static password in ACS everything was OK, but when I changed to the external user database I got an error: "Auth type not supported by External DB"
    Does anyone know why?
    Thanks,

    The dot1x supplicant on the PC will use Extensible Authentication Protocol (EAP) authentication to send the username/password. This authentication method cannot be used with an external RSA database, RSA has to use PAP authentication which sends the password in the clear (which is OK because it's a one-time password).
    See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794 for details on the external DB's and password protocols. Notice how all the one-time password databases can only use PAP.

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to setup the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • 802.1x ACS RSA Secure ID/Safeword Token server

    Hello, We are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and login to our wireless network. They would then be prompted for their login and password which would be their Badge ID and their token credentials.
    We are using an airespace wireless security device, We specify ACS as the 802.1x radius server. Airespace is sending the requests to ACS just fine but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the airespace wireless security device. The log below reflects this.
    We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA servers as our Radius Token Server, Set the unknown user DB to that Server and test auth, We are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XPSP1, as we would hate to have to install software on every clients laptop.
    A wireless client of ours DID work when we specified EAP-GTC on the client side, But it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our radius strings are correct etc. Safeword is listening on 1812, But also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?)
    The failed attempts log show "External DB Auth Failed"
    Here is a snip of the CSRadius/RDS.log when we try to auth, when we sniff traffic we see the eap request and the radius reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way please do. Thank you all in advance.
    Cisco RDS log attached.

    The problem could be with your Secure ID RSA server.

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC
    We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list with EAP protocols supported by the RSA is attached.
    Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
    table "EAP Authentication Protocol and User Database Compatibility "
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • ACS appliance -- AD -- RSA Securid Server

    I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
    Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
    But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
    Here's more info:
    In Active Directory, remote agent for ACS installed successfully. Agent for RSA is also installed successfully.
    In ACS appliance, remote agent was already pointed to AD.
    No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
    How can I manage to configure RSA SecurID Token Server in my ACS appliance?

    Hello,
    The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
    I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
    ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
    One thing to point out straight away, also mentioned in the document above:
    Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:
    CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
    This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
    username: xxxx
    password: xxxx
    Password Authentication Protocol (PAP) is a better choice here.
    This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the proper combination out of different clearly named input fields to simplify the input for inexperienced users.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • RSA tokens and AAA

    I have an RSA ACE server and would like to use it for console port and VTY port access....DOES AAA support this and if so, what does the config look like...I have done it with ACS, but would like to try it just going directly to the RSA SecurID server..and letting the server pop the login...and then I just poke in my Passcode and Token PIN...anyone done this yet....

    Very simple:
    1- install RSA Server on host A,
    2- install ACS server on host B,
    3- create an agent host on host A with host B's IP address,
    4- copy the sdconf.rec file over to the %Windows\system32 directory of host B,
    5- install RSA agent software on host B,
    6- create an RSA user on host A,
    7- use the RSA test utility on host B to test authentication from host B over to host A,
    8- configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, in the External database section,
    9- run the log monitor on host A (RSA server),
    10- try to log into a router,
    11- enter the username created in step 6; you should see that you are able to authenticate with the RSA SecurID and ACS integration.
    Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on the RSA Server. Next-PIN mode only works with Radius.
    Easy right?
