ACS and RSA
Not sure if this is the right area, but here it goes. I have an ACS server which uses an RSA server to perform authentication. I want to test a 2nd RSA server with the same ACS server, but as far as I can tell I can only have one RSA server as an external DB. Is there a way to create 2 separate RSA servers?
To the best of my knowledge, if you are willing to edit/modify/create a list of users in ACS, each using SDI as an external authentication method, then you can edit/modify the group mappings/membership for each user in the ACS database. HTH
Similar Messages
-
LEAP, ACS and RSA token Card
Hello,
Is it possible to use LEAP with Rsa Token Card to authenticate WLAN users in addition with ACS ?
Best Regards,
You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ADU 1.0.
I have it working with limited functionality. -
Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server
Hi,
I would be very appreciated if anyone can share their experience. Thanks in advance.
Issue:
I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
Problems encountered:
Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
Questions:
1. Please kindly advise how I should resolve this problem.
2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
Troubleshooting steps I have done:
Below is the steps I took to setup the external DB.
1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
3. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
Thank you.
I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
Other than that, from what I understand, you've done everything correctly. -
ACS with RSA for privilege level 'enable' authentication
Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privilege level authentication "enable", this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful; however the network device (ASA or switch) seems to reject it.
Are there any tricks to this?
Thanks in advance!
David
Like Collin, the first thing that I think of is that you cannot use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
HTH
Rick -
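The AAA configuration Rick asks for above, as an added illustration and not a config posted in the thread: an IOS switch sending both login and enable authentication to ACS over TACACS+. The ACS address and shared secret are placeholders.

```cisco
! Assumed ACS address and shared secret; replace with your own
aaa new-model
tacacs-server host 10.0.0.5 key MySharedSecret
! Login and enable both go to ACS; the trailing keyword is the fallback used only
! when no TACACS+ server answers (local users for login, the enable secret for enable)
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! To see why the device rejects the enable attempt, run these from exec mode,
! then log in and type "enable"; the TACACS+ reply from ACS is shown in the output
debug aaa authentication
debug tacacs
```

Two things to check alongside the device config: wait for the SecurID tokencode to roll over between the login and the `enable` prompt, because the RSA server refuses a reused tokencode (the point Collin and Rick make), and confirm on the ACS side that the user's or group's TACACS+ enable settings grant privilege 15 and take the enable password from the external database rather than a static password, so the prompt actually expects a tokencode.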
We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with username Axxxx, the other Bxxxx.
Now we try to differ the authentications for the two group. One permit, the other deny.
I am wondering whether the ISE can do this or not.
thanks,
Han
ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; it would probably qualify as part of ISE 1.3.
-
ACS and Windows Domain / AD
Hi All,
In my environment there are two Windows Domains - Domain A and B. ACS is configured on a member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on the ACS server in the Windows Domain configuration menu.
Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
Appreciate quick help on this.
-Satishcp
Unfortunately we are not using the Cisco Secure ACS Appliances, rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
My guess is Remote Agents for Windows / Solaris work with Appliances alone. -
I have installed ACS 5.2 on a machine and I am trying to integrate it with Windows Server 2003 (Active Directory). On the ACS when I do test connection it shows me success, but when I save the setting it gives me a Time error. I kept the clock and timezone of Active Directory and the ACS server the same but it still gives me the error. I read on one blog that it is better to configure NTP on a router and then sync both devices with the same NTP.
Is it necessary to configure NTP or should manual config also work?
I have run into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
Sent from Cisco Technical Support iPhone App -
MD5 and RSA - Slow performance - Help / Views Required
Hi,
I am facing a problem while signing a message. The scenario is:
I have to create 20,000 messages to be sent to clients. I am encrypting the message using MD5 and RSA.
But when I am encrypting via RSA it takes about 20 mins to encrypt the 20k messages. I don't know why it's taking so much time. I have max 4-5 mins to manipulate and send messages. The sample code is as follows:
Your earliest help will be quite helpful.
Thanks in advance
Hassan
************** Source Code ****************
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.PrivateKey;
import java.security.spec.RSAPrivateKeySpec;
import org.apache.log4j.Logger;
public class Signer {
******************************************
Hi Sabre,
I have compiled the simple code from the JCE tutorial for DES. The output text it is showing is different from the input text.
Is there any problem going on in tutorial's example ?
Regards
Hamid
******** output **************
the original cleartext is: [B@13a328f
the encrypted text is: [B@337838
the final cleartext is: [B@119cca4
******** Code ************
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;
import java.security.NoSuchProviderException;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

public class jCypher {
    private static Cipher desCipher = null;

    public static void main(String[] args) throws NoSuchAlgorithmException,
            InvalidKeyException, IllegalBlockSizeException, NoSuchProviderException,
            BadPaddingException, NoSuchPaddingException, Exception {
        // Creating a Key Generator and Generating a Key
        KeyGenerator keygen = KeyGenerator.getInstance("DES");
        SecretKey desKey = keygen.generateKey();
        // Creating a Cipher. DES with a 56-bit key in ECB mode is only suitable for
        // a tutorial; it is not an acceptable choice for protecting real data.
        desCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        desCipher.init(Cipher.ENCRYPT_MODE, desKey);
        // Cleartext
        byte[] cleartext = "This is small Text for testing".getBytes(StandardCharsets.UTF_8);
        // byte[].toString() prints the array's identity ("[B@13a328f"), not its content,
        // which is why the three printed values differ. Decode the bytes to show the text.
        System.out.println("the original cleartext is: " + new String(cleartext, StandardCharsets.UTF_8));
        // Encrypt the cleartext in one step (single-part operation)
        byte[] ciphertext = desCipher.doFinal(cleartext);
        // Ciphertext is arbitrary binary, so show it as Base64 rather than decoding it as text
        System.out.println("the encrypted text is: " + Base64.getEncoder().encodeToString(ciphertext));
        // Initialize the same cipher for decryption
        desCipher.init(Cipher.DECRYPT_MODE, desKey);
        // Decrypt the ciphertext
        byte[] cleartext1 = desCipher.doFinal(ciphertext);
        System.out.println("the final cleartext is: " + new String(cleartext1, StandardCharsets.UTF_8));
    } // End main()
} -
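Regarding Hassan's signing throughput question in this thread: 20 minutes for 20,000 signatures is about 60 ms each, far more than an RSA-2048 signature costs on the JDK. The imports in the post (BigInteger, KeyFactory, RSAPrivateKeySpec) suggest the key is rebuilt from modulus and private exponent, and a key built that way carries no CRT parameters, so every signature is a full-size modular exponentiation; doing that rebuild, plus a fresh Signature object, inside the loop multiplies the cost. The following is an added example, not code from the post, that times that pattern against parsing the key once and reusing one Signature object. The per-message layout, the message texts and the 2000-message batch size are constructed here; the post's own signing routine is not visible, so the "naive" method is an assumption about it, not a copy.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.RSAPrivateKeySpec;
import java.util.ArrayList;
import java.util.List;

public class BatchSigner {

    // Assumed slow pattern (inferred from the post's imports, not copied from it):
    // the key is rebuilt from modulus + private exponent for every message and a new
    // Signature is created each time. An RSAPrivateKeySpec has no CRT parameters, so
    // the JDK cannot use the CRT shortcut and signs with a full-size modular exponentiation.
    static List<byte[]> signNaive(BigInteger n, BigInteger d, List<byte[]> msgs) throws Exception {
        List<byte[]> out = new ArrayList<>(msgs.size());
        for (byte[] m : msgs) {
            PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateKeySpec(n, d));
            // MD5withRSA is what the post describes. MD5 is collision-broken and
            // should not be chosen for new signature schemes; it is kept here only for comparison.
            Signature sig = Signature.getInstance("MD5withRSA");
            sig.initSign(key);
            sig.update(m);
            out.add(sig.sign());
        }
        return out;
    }

    // Fast pattern: keep the CRT private key as generated, create and initialise one
    // Signature object, and loop over the batch. sign() resets the object so the next
    // update() starts a fresh signature.
    static List<byte[]> signBatch(PrivateKey crtKey, List<byte[]> msgs) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(crtKey);
        List<byte[]> out = new ArrayList<>(msgs.size());
        for (byte[] m : msgs) {
            sig.update(m);
            out.add(sig.sign());
        }
        return out;
    }

    // Verify a batch with the matching algorithm; verify() also resets the object.
    static boolean verifyAll(String alg, PublicKey pub, List<byte[]> msgs, List<byte[]> sigs) throws Exception {
        Signature ver = Signature.getInstance(alg);
        ver.initVerify(pub);
        for (int i = 0; i < msgs.size(); i++) {
            ver.update(msgs.get(i));
            if (!ver.verify(sigs.get(i))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        // Constructed sample batch; raise the count to the 20,000 in the question to compare.
        List<byte[]> msgs = new ArrayList<>();
        for (int i = 0; i < 2000; i++) {
            msgs.add(("message " + i + " for client").getBytes(StandardCharsets.UTF_8));
        }

        long t0 = System.nanoTime();
        List<byte[]> slow = signNaive(priv.getModulus(), priv.getPrivateExponent(), msgs);
        long t1 = System.nanoTime();
        List<byte[]> fast = signBatch(priv, msgs);
        long t2 = System.nanoTime();

        boolean ok = verifyAll("MD5withRSA", kp.getPublic(), msgs, slow)
                && verifyAll("SHA256withRSA", kp.getPublic(), msgs, fast);
        System.out.printf("%d messages: non-CRT key rebuilt per message %d ms, CRT key reused %d ms, all verify: %b%n",
                msgs.size(), (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000, ok);
    }
}
```

Run it with `javac BatchSigner.java && java BatchSigner`. If the batch path is already fast on your machine, the remaining time in the original job is outside the signing loop (message construction, I/O, logging), which is worth measuring separately before changing key sizes.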
ACS and Windows 2000 user database communication port
Can my Windows 2000 SP4 + ACS v3.23 install any new Windows 2000 service pack?
I'm afraid of infecting the ACS service.
So, I want to install a firewall on this server to block malicious traffic.
However, my ACS uses an external user database, Windows 2000, for authentication.
Who can tell me what protocols or ports they use to communicate?
I have to avoid blocking this traffic on my firewall.
Hi cheng
I think you can install any service pack without problem, and SP4 is the latest one for Win2000, which your server already has.
For your second question you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to use debug or logging or a sniffer to know the exact protocol flow between your ACS and AD server:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
Best Regards -
Can i configure a network with ACS and ISE?
I have both ACS and ISE; how do I integrate these appliances to work together?
Thanks
ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services Engine can work in tandem with Cisco NAC Manager to provide the same profiling service as the NAC Profiler, which has reached end-of-sale status.
Existing Cisco Secure ACS customers using network access can easily migrate to the Cisco Identity Services Engine platform using migration part numbers and tools. However, existing Cisco Secure ACS customers using TACACS functions will not be able to migrate to the current version of ISE for network device identity management which is often acceptable for customers who prefer to keep user and network identity on separate systems. -
Hello all,
I have to test DES and RSA with some Java Card, but I have NO idea with it.
Is there any sample applets or any good site to learn it?
If I can have applet files, that will be great.
Thanks a lot,
Julie.
This could be an issue, for example, if there is a card that doesn't implement javacardx.crypto. Creating Cipher myCipher as a member variable would throw an exception if it's not implemented on the card. This ultimately will prevent it from being loaded.
Take your CAP file and try to load it with the reference implementation and you'll see what I mean. Also, try to compile, and generate a CAP file outside the JCOP IDE environment. You'll see what ticks me off about the Sun kit. It would still generate the CAP file. BUT crypto isn't implemented in the Sun Kit. It should kick out an export not found message.
Discarding objects aren't needed because, if you notice, the JC uses a facade design pattern for the crypto implementations to assure only one instance is created. That's the getInstance() methods. -
Hello,
The purpose is to use 802.1X authentication with an ACS server, AD and high availability.
I have 2 sites with one AD, a 4 Mbit link, and one ACS for each site.
I know that it is possible to use ACS active/passive mode with replication of database.
but I also read that it's possible to use 2 groups on ACS and use HA,and my question is
In my configuration with one AD and 2 ACS, can I use this functionality ?
Is it possible to know the bandwidth between ACS in case of replication or active/active mode?
Regards
You can make it active / active too... Second, only one AD is not at all a problem. As it only needs one IP or name of the AD server, specify the same name at both servers. It will be replicated.
Regards,
Dharmesh Purohit -
Cisco Secure ACS and Windows NLB
Hi,
I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
Has anyone had any success with ACS and Microsoft NLB? I can't find any documentation to suggest that they are incompatible but I think this may be the case.
Thanks,
Neil
Neil,
ACS is not tested with NLB, but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
Do you see any hits on ACS? If you sniff the ACS interface, what is the source IP address? Is it the clustered IP or the cluster host IP?
Also on ACS ---> Network Configuration, add an AAA client with the host IP and the clustered IP. Now see if ACS responds to NLB.
Regards,
~JG -
Hi,
Is it possible to integrate ACS and CAR with a DB2 database, and if yes, are there any limitations or issues related to that? Does CAR or ACS lose any functionality in such an integration?
I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
Thanks,
Habib U Dashti
Hi Habib,
Yes, ACS can be integrated with DB2, as ACS is ODBC compliant and so is DB2. The other way round is that you can convert the DB2 database to a flat file structure and import it into the ACS database. Regarding limitations or issues I do not have any info.
And CAR has its own database and does not support DB2.
Thanks. -
I have 1 Windows box running ACS and four 7505 routers configured with AAA commands. Authentication is working fine on the routers via the ACS server. Now I need to deny certain commands like "DEBUG" to certain users without taking off their administrative rights. How can I achieve this?
Hi
There are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.
In ACS create some groups based on the permission levels each group should have.
In the groups enable the shell (exec) service.
At this point you can either list the denied commands for certain groups right in the group edit page itself.
Alternatively, you can create Device Command Sets in the shared profiles UI. These are more flexible because inside a single group you can map to different DCSs based on the device being managed (either by device IP or by network device group).
It's all there in the ACS docs!
Good luck.
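The device side of the command-authorization setup described in the reply above, as an added illustration rather than configuration from the thread. It assumes TACACS+ to an ACS at 10.0.0.5 with a placeholder shared secret; the ACS group and command set it refers to are likewise assumed.

```cisco
! Assumed ACS address and shared secret; replace with your own
aaa new-model
tacacs-server host 10.0.0.5 key MySharedSecret
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Every level-1 and level-15 command is sent to ACS before it executes; the "local"
! fallback applies only if no TACACS+ server answers, so a dead ACS does not lock admins out
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Configuration-mode commands are checked as well (this is the default, shown for clarity)
aaa authorization config-commands
```

On the ACS side, the Shell Command Authorization Set assigned to the restricted group would list `debug` with its arguments denied and leave Unmatched Commands set to Permit, so the administrator keeps every other privilege-15 command. To confirm, run `debug aaa authorization` on the router while a member of that group types `debug ip packet`; the router should print "Command authorization failed." and the ACS Failed Attempts log should show the denied command.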