ACS 4.2 with multiple RSA SecurID token servers

Hi all,
I have a question which I couldn't find an answer to so far. Below is a very brief explanation of what I have and what I need to do.
What I have:
1- An ACS 4.2 server installed on Win 2003 with the RSA agent installed.
2- An RSA SecurID Token Authentication Manager 7.1
The problem:
Due to a lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
So far all the solutions I have found and been told to do by RSA support have not enabled me to recover the lost password.
What I want to do:
I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2.
Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one.
My question:
This is a very busy production environment and users can't tolerate downtime at all.
I need to keep everything running. I need to know if it is possible to have 2 RSA data stores set up within ACS 4.2 or not?
And if so, will users migrated to the new RSA installation still be able to authenticate or not?
Can ACS send multiple authentication requests simultaneously or not? And what happens if a user is present in both instances of RSA, old and new?
Thanks,
Khash

I have this setup and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and set up your RSA server with the RADIUS shared secret. Check IP connectivity between both, and make sure that the RSA server is the first database to be queried. Here you are just using RADIUS to pass through the auth from the ACS to the RSA server.
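The pass-through the answer describes is a plain RFC 2865 RADIUS exchange: ACS hides the user's SecurID passcode under the shared secret in an Access-Request, and the RSA side answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed by the same secret. The block below is an added example written for this page, not code from either thread or from Cisco or RSA; it models both ends in one process so the effect of the shared secret can be seen offline. The user name, passcode, NAS address and secret are constructed values, and the dictionary standing in for the RSA token database is a stand-in, not how Authentication Manager validates a tokencode.

```python
# Added example (not from the thread): RFC 2865 RADIUS PAP exchange modelling
# ACS passing a SecurID passcode through to an RSA server acting as a RADIUS
# target. All names, addresses, secrets and passcodes are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), the
    first block keyed by the Request Authenticator. The secret is all that hides it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the RSA (server) side runs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, passcode, secret, nas_ip, req_auth=None):
    """ACS side: Access-Request with User-Name, User-Password and NAS-IP-Address."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable in real use
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def handle_access_request(packet, secret, passcodes):
    """RSA side (constructed stand-in): unhide the passcode, then accept or reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in passcodes and hmac.compare_digest(supplied, passcodes[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def verify_response(response, req_auth, secret):
    """ACS side: a reply whose authenticator fails (secret mismatch on either end,
    or a forged reply) must be discarded rather than treated as an Accept."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Good passcode, wrong passcode, and a shared-secret typo on the RSA side."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    users = {"jdoe": "1234567890"}  # constructed PIN+tokencode
    req = build_access_request(7, "jdoe", "1234567890", secret, "10.0.0.5", req_auth)
    good = handle_access_request(req, secret, users)
    bad = handle_access_request(req, secret, {"jdoe": "0000000000"})
    mismatch = handle_access_request(req, b"typo-on-rsa-side", users)
    return {"good": (good[0], verify_response(good, req_auth, secret)),
            "bad_passcode": (bad[0], verify_response(bad, req_auth, secret)),
            "secret_mismatch": (mismatch[0], verify_response(mismatch, req_auth, secret))}


if __name__ == "__main__":
    print(demo())
```

The third scenario is the one worth remembering when wiring this up: a secret that differs between the two boxes does not surface as a connectivity error. The RSA side decodes a garbled passcode and sends a Reject, and the ACS side cannot validate that reply's authenticator, so a correct passcode looks like a failed login. Check the shared secret on both ends before suspecting the token or the user record.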

Similar Messages

  • Multiple OUs with GPOs - One OU with multiple GPOs and security - One OU with one GPO and item level targeting

    Background...
    We have around 30 locations and we need to deliver different GPOs to these locations.
    There can be between 3 and 8 PCs in each location.
    These PCs can move around at short notice (mainly as a backup with neighbouring locations should PCs fail)
    The GPOs differ to change printers (2 per location and 2 backup printers from neighbouring location), auto login, desktop wallpaper
    Which is in your opinion the best solution for login speed, GPO & device management?
    1) Multiple OUs with a single GPO in each OU, the devices can be moved into new OU when the PCs move
    2) Single OU with multiple GPOs, add devices to security group and use security filtering on the GPOs
    3) Single OU with single GPO, add devices to security group and use item level targeting on the group

    > 1) Multiple OUs with a single GPO in each OU, the devices can be moved
    > into new OU when the PCs move
    > 2) Single OU with multiple GPOs, add devices to security group and use
    > security filtering on the GPOs
    > 3) Single OU with single GPO, add devices to security group and use item
    > level targeting on the group
    4) GPMC, Sites, "show sites". Then link appropriate GPOs to each
    individual site.
    That's the way to go here...
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to set WPA and WPA2 security with multiple AEs

    Hi Everybody,
    I have purchased a second AE and with the help of Alan Summers was able to set them all up for multiple speakers use in iTunes. In order to make them run I had to downgrade security settings to 40-bit WEP which is not really satisfying. My Airport Admin. Utility was still 4.0, so I tried 4.2 which offers the use of WPA and WPA2 with multiple AEs. Upgraded to 4.2 and switched off security settings first. Both AE are recognized and speakers of second AE also show up in iTunes but I cannot connect to them. Since it didn't work without security settings, I didn't even try with it and went back using 4.0. All other firmware is up-to-date:
    AirPort Express 6.3
    iTunes 6.0.2
    Intel(R) PRO/Wireless 2200BG Network Connection 9.0.3.0
    Any advice would deeply be appreciated!
    BTW - if it works, it's maybe the greatest sound experience I ever had. Music all over the place!!
    Best regards
    Roman

    Found it!!
    1) upgrade Airport Admin. Utility to 4.2
    2) set second AE as "remote base station" and not in "client mode" (that's the clue!!)
    3) follow instructions and type in MAC address of main base station
    4) choose a channel (doesn't matter which one, just has to be the same on both AEs)
    5) choose your personal WPA and WPA2 password (same on both AEs)
    6) restart both AEs
    7) enjoy the music all over the place!
    Best regards
    Roman

  • Security issue when MI server interacts with multiple backends.

    Hi all,
    I wanted to know, if the MI server is interacting with multiple backends, how to maintain application access
    security for the different backends and how and where to customize or configure it.
    thanks in advance.

    Hi Dev,
    Every syncBo has an RFC destination which represents the target system (backend) on which the BAPI wrappers for that particular syncBo reside. This RFC destination is configured in the transaction SM59, which provides you with various security configurations.
    For more info consult your basis consultant in this regards.
    Regards,
    Rahul
    If this helps, do not forget my points

  • Will the antispyware that downloaded with the Firefox upgrade interfere with my CA security suite? I've been told not to install multiple security programs.

    Will the antispyware that was downloaded with the Firefox upgrade interfere with my CA security program? I've been told not to install multiple security programs?

    Alternatively, though we're not sure how it got on your system, if you don't want it installed you should be able to remove it via Add/Remove programs in your Windows XP Control Panel.
    From the Microsoft documentation for XP, located here...
    http://support.microsoft.com/kb/307895
    How to remove an installed program
    To remove a program that is installed on your computer, follow these steps:
    1. Click Start, click Control Panel, and then double-click Add or Remove Programs.
    2. In the Currently installed programs box, click the program that you want to remove, and then click Remove.
    3. If you are prompted to confirm the removal of the program, click Yes.
    Some additional observations...
    You seem to be running Firefox 3.0, for which security support ended in March of 2010. You may wish to update your Firefox to the newer Firefox 3.6 in order to continue to receive security updates. I believe simply pressing Help in the menu bar of Firefox, and then "Check for Updates" will accomplish this.
    Lastly, your Adobe Flash player for Firefox is out of date, and contains a security vulnerability. It can be updated by following the below link and clicking Agree And Install Now and then running the downloaded file.
    http://get.adobe.com/flashplayer/

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between multiple contexts could be OK???
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • TS4020 I live in a house with multiple iCloud users.  When they try to turn on "Find my computer"  they get the message that they will have to disable my "find my computer" setting in order to enable theirs.  How can they all be enabled at the same time?

    I live in a house with multiple iCloud users.  When they try to turn on "Find my computer"  they get the message that they will have to disable my "find my computer" setting in order to enable theirs.  How can they all be enabled at the same time?

    Try this support document for information on how to contact Apple and account security. Apple ID: Contacting Apple for help with Apple ID account security

  • HT5361 Why is that when I am composing a new message do I end up with multiple versions of my message I am composing up in my Google Trash mailbox?  How can I stop this from happening?

    Why is that when I am composing a new message do I end up with multiple versions of my message I am composing up in my Google Trash mailbox?  How can I stop this from happening?

    It was very hard to see what the box says because the message displays for less than one second. However, I was able to record it with my iphone and pause it until I got a shot of the message. The box says the following:
    "Do you want the application “java” to accept incoming network connections?
    Clicking deny may limit the application’s behavior. This setting can be changed in the Firewall pane of Security preferences."
    I did make some changes. I will see if it works.
    Thank you!!!

  • Programming multiple smart cards with multiple smart card readers in a PC causes a PCSCException in a smart card that is in progress

    Hi,
    I develop a Java code using smartcardio API to program a smart card. My GUI allows to add at most 5 smart card readers that will wait for card present, then do authentication and program the smart card with an application, then wait for card removal. This is a separate thread running in a loop for each smart card reader added as programmer.
    The problem occurs when a certain smart card is in progress and I insert another smart card into another smart card reader. Both smart card readers halt and throw sun.security.smartcardio.PCSCException: Unknown error 0x8010002f.
    I also observed that every attempt to insert/remove a smart card in the smart card reader that is connected to the USB port causes the programming in progress to be interrupted and throws the PCSCException.
    These are some exceptions I got during my testing:
    sun.security.smartcardio.PCSCException: Unknown error 0x8010002f
      at sun.security.smartcardio.PCSC.SCardTransmit(Native Method)
      at sun.security.smartcardio.ChannelImpl.doTransmit(ChannelImpl.java:171)
    java.lang.Exception: Loader Record Failed: 6E | 0 //Sometimes I got this return code SW1 0x6E SW2 0x00 which means an APDU with an invalid 'CLA' byte was received. I had checked the command before it was sent and it was correct.
    Help me understand this issue. I think CardTerminal.isCardPresent(), CardTerminal.waitForCardPresent(0), and CardTerminal.waitForCardAbsent(0) cause CardChannel.transmit(apduCommand) to be interrupted, or the smart card insertion/removal causes CardChannel.transmit(apduCommand) to be interrupted.
    Regards,
    Knivez

    Hi,
    when you work with one smartcard reader only, usually you address slot -1, which means "the first found".
    But to deal with multiple readers you have to use slots of course, since one reader will be slot 0, the next reader will be slot 1 and so on...
    So a credential object will be identified on a system by a pair <slot, alias>.
    After that, the way to address slots (I mean the syntax) depends on the classes you are using...
    Bye

  • I have a page with multiple quicktime players on it, and want to close all other players when any of the players is started.

    I have a page with multiple quicktime players on it, and want to close all other players when any of the players is started.
    <div id="mp3-player" style="display:none;height:15px !important;float:left;margin:0px 0 15px 0px; width:270px !important;">
        <div style="height:15px !important;width:270px !important;">
            <embed src='http://209.15.205.3/~cityval2/MP3/352681.mp3' width="270px" height="15px" AUTOPLAY=false CONTROLLER=true LOOP=false PLUGINSPAGE="http://www.apple.com/quicktime/" />
        </div>
    </div>

    One key point.
    1. Migration within the same forest; we can say the operation is cut & paste (source account will not be present)
    2. Migration between forests; we can say the operation is copy & paste (source account will be present)
    Also find some cool ADMT stuff.
    ADMT Series – 1. Preparing Active Directory
    ADMT Series – 2. Preparing the ADMT Machine
    ADMT Series – 3. SID History
    ADMT Series – 4. Password Export Server
    ADMT Series – 5. Machine Preparation
    ADMT Series – 6. Service Account Migration Wizard
    ADMT Series – 7. Group Account Migration Wizard
    ADMT Series – 8. User Account Migration Wizard
    ADMT Series – 9. Merging Users with a Different sAMAccountName
    ADMT Series – 10. Security Translation Wizard – Local Profiles
    ADMT Series – 11. Computer Migration Wizard
    Regards,
    Biswajit
    MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011

  • Forgot-Your-Password process with multiple realms

    We’re running OAS 10.2.0.2 and we’re considering adding a second identity management realm in order to have, among other things, a different set of password reset validation fields for one group of portal users versus another group.
    With two realms in place and OID/SSO configured so that all users from both realms use a common login mechanism, and, presumably, one forgot-your-password mechanism, will the password reset validation fields that are enforced for a given user automatically be based on the realm of which they are a member?
    More specifically, will all users from both realms be able to use one common URL to access the OIDDAS forgot-your-password wizard? If so, I’m assuming that when the user enters their username in that wizard, they are then searched against their realm and the policies of that realm then come into play for the rest of the wizard, right?
    In other words, with two realms, is this scenario possible without any custom programming:
    We have a link to the OIDDAS forgot-your-password link on our existing portal login.jsp page. User A clicks that link and is taken to the OIDDAS forgot-your-password wizard. First he is asked for his username, which he supplies. Then, to verify his identity, he is asked for his Social Security Number, which he supplies, after which he is able to set a new password.
    User B, who is in a different realm, clicks the same forgot-your-password link on our login page. After supplying his username, he is asked for his employee I.D. number, which has been configured as the password reset validator in his realm. After supplying that number, he is able to change his password.
    --Steve Huntress

    Hi Steve!
    AFAIK each OID realm has its own set of policies.
    This would mean that your setup should work. I guess the only difficult thing would be that a user must somehow be uniquely identifiable. When you login into OID with multiple realms you need to supply the realm - or have a unique ID (eg email address) and OID must be setup to search from the top.
    In order to get to the right forgot-your-password wizard you need the realm.
    cu
    Andreas

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed attempts log the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any success message once ACS gets the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
    3. Defined the unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct.
    In Windows 2003 running Cisco ACS, you can install the test authentication RSA client and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database. Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • PDF with a certificate security.

    I am trying to secure multiple PDF documents with certificate security. If I am understanding the certificate security feature correctly, I'd like to add multiple emails to these documents so that only the recipients listed in the email certificate security can open the file. I'd like to add the email list all at one time, rather than what appears to be an "add one at a time" method. Any help? And am I understanding the certificate security feature correctly?
    Ken

    Hi George,
    Thanks for a quick response.
    1, create PDF,
    2, exchange Digital ID
    3, encrypt PDF
    4, send the file to recipients
    Correct?
    But I am missing something between or details. I don't know where I am doing wrong..
    When I send the encrypted file, some can open and some people can not. Or print is still allowed and file was not completely secured.
    From the point of creating Digital ID, I would like to know how everyone does it in detail.
    Thank you.

  • Integration problem between Cisco Secure ACS 4.2 with LDAP

    Hi expert,
    I have a problem with the integration between Cisco Secure ACS 4.2 with SUN Java System Directory (LDAP). During the integration, I noticed that user failed to authenticate against LDAP via Cisco Secure ACS. The error message is "Authentication Type is not supported by external DB". In this case the "external DB" refer to LDAP. Anyone of you having an experience on integration on both product before? Can any of you give me some pointers about this. Attached are both screen capture on my ACS server.
    Thanks very much,
    Daniel

    Hi,
    Thanks for the compatibility chart. Oh dear ..., it seems that the LDAP does not support PEAP (EAP-MSCHAPv2) at all. I am not sure whether the latest LDAP (particularly for SUN Java System Directory) is able to support this authentication protocol.
    Just to clarify with you all, in case you wonder what I'm trying to do: our company wants to implement 802.1x over the network. So, every staff member on the network must authenticate before being able to access the network resources. Our Linksys switches support this standard, including Cisco switches of course. Our RADIUS server is Cisco Secure ACS 4.2 but all the user information including usernames and passwords is stored in our directory server (LDAP), which is SUN Java System Directory.
    Since most of our staff machines are running on XP and Vista, the only available authentication method (besides certificate based) is PEAP (EAP-MSCHAPv2). Based on the compatibility chart, the generic LDAP does not support this authentication protocol, as we noted from the "authentication type not supported by external database" error message in the ACS logs.
    From what I learned, the latest LDAP (version 3.0?) is able to support this authentication protocol, but this is yet to be confirmed by my further research.
    So... can anyone advise me on this matter? Thanks very much!

  • Integrating BIP with multiple LDAP servers

    Hi,
    my question is very simple. In the Admin->Security Configuration->Security Model section I've set the Security model combobox to the LDAP value. Then I've filled in all the LDAP information fields (for example: URL). All works. But in my rpd I've multiple LDAP servers (multiple URLs) and in the form I can insert information about only one LDAP server.
    Is it possible to configure BIP with multiple LDAP servers?
    Thanks
    Giancarlo
    P.S. I'm using OBIEE 10g
