ACS and RSA

Not sure if this is the right are but here it goes.  I have a ACS server which uses a RSA server to perform authentication.  I want to test a 2nd RSA server with the same ACS server but as far as I can tell I can only have one RSA server as an external DB.  Is there a way to create 2 seperate RSA servers?

To the best of my knowledge, if you are willing to edit/modify/create a list of users in ACS, each using SDI as an external authentication method, then you can edit/modify the group mappings/membership for each user in the ACS database. HTH

Similar Messages

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with Rsa Token Card to authenticate WLAN users in addition with ACS ?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below is the steps I took to setup the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
    2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and
    RSA SecurID Token Server BUT I have
    experiences with Cisco ACS 4.1 running on
    Windows 2003 SP2 Enterprise Edition and
    RSA SecurID Token Server.
    All the troubleshoot you've done is correct.
    In Windows 2003 running Cisco ACS, you can
    install the test authentication RSA client
    and that you can verify that the setup
    is correct (by verifying that the sdconf.rec
    is not corrupted).
    One thing I can think of is that when you
    setup the ACS SE box, under external
    database, configure unknown user policy,
    did you check it to tell how to define users
    when they are not found in the ACS internal
    database. Did you select RSA SecurID token
    server?
    Other than that, from what I understand,
    you've done everything correctly.

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privelledge level authentication "enable" this fails. We get prompted to enter the token code and the RSA server indicates that authentication is succesful however the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

  • ISE and RSA token groups

    We have wireless  network using ISE and RSA to do the authenticaiton. There are two groups of RSA token users, one is with username
    Axxxx, the other Bxxxx.
    Now we try to differ the authentications for the two group. One permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup would probably qualify it as part of ISE 1.3.

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Apprecaite quick help on this.
    -Satishcp

    Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess Remote Agents for Windows / Solaris works with Appliances alone.

  • ACS and Windows Server

    I have installed ACS 5.2 on a machine and I am trying to integrate with that Windows Server 2003 ( Active Directory ) . On the ACS when i do test connection it shows me sucess but when i save the setting it gives me Time error . I kept the clock and timezone of Active Directory and ACS server as same but still it gives me error . I read on one of the blog that it is better to configure NTP on a router and then sync both the devices with same NTP .
    Is it necessary to configure NTP or manual config should also work ?

    I have ran into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
    Sent from Cisco Technical Support iPhone App

  • MD5 and RSA - Slow performance  - Help / Views Required

    Hi,
    I am facing a problem while signing a message.The
    scenario is:
    I have to create 20,000 messages to be sent to
    clients. I am encrypting the message using MD5 and
    RSA.
    But when i am encrypting via RSA it takes about 20
    mins to encrypt the 20k messages.I dont know why its
    taking so much time. I have max 4-5 mins to manipulate
    and send messages. The sample code is as follows:
    ur earliest help will be quite helpful.
    Thanks in advance
    Hassan
    ************** Source Code ****************
    import java.io.IOException;
    import java.math.BigInteger;
    import java.security.KeyFactory;
    import java.security.MessageDigest;
    import java.security.Signature;
    import java.security.PrivateKey;
    import java.security.spec.RSAPrivateKeySpec;
    import org.apache.log4j.Logger;
    public class Signer {
    ******************************************

    Hi Sabre,
    I have compiled the simple code from JCE tutorial for DES. The output text it is showing is different than input text.
    Is there any problem going on in tutorial's example ?
    Regards
    Hamid
    ******** output **************
    the original cleartext is: [B@13a328f
    the encrypted text is: [B@337838
    the final cleartext is: [B@119cca4
    ******** Code ************
    public class jCypher {
    private static Cipher desCipher = null;
    public static void main (String[] args) throws NoSuchAlgorithmException,
    InvalidKeyException, IllegalBlockSizeException, NoSuchProviderException,
    BadPaddingException, NoSuchPaddingException, Exception
    //Creating a Key Generator and Generating a Key
    //public static KeyGenerator getInstance(String algorithm);
    KeyGenerator keygen = KeyGenerator.getInstance("DES");
    SecretKey desKey = keygen.generateKey();
    // Creating a Cipher
    // Cipher.getInstance(Transformation);     
    // c1 = Cipher.getInstance("RSA/ECB/PKCS1Padding");     
    desCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    // Cipher.init(int opmode, Key key);
    desCipher.init(Cipher.ENCRYPT_MODE, desKey );
    // Cleartext
    byte[] cleartext = "This is small Text for testing".getBytes();
    System.out.println("the original cleartext is: " + cleartext.toString());
    // Encrypt the cleartext
    // encrypted or decrypted data in one step (single-part operation)
    // public byte[] doFinal(byte[] input);
    byte[] ciphertext = desCipher.doFinal(cleartext);
    System.out.println("the encrypted text is: " + ciphertext.toString());
    // Initialize the same cipher for decryption
    desCipher.init(Cipher.DECRYPT_MODE, desKey );
    // Decrypt the ciphertext
    byte[] cleartext1 = desCipher.doFinal(ciphertext);
    System.out.println("the final cleartext is: " + cleartext1.toString());
    } // End main()
    }

  • ACS and Windows 2000 user database communication port

    Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
    I'm affraid to infect ACS Service.
    So, I want to install firewall on this server to block malicious traffic.
    However, my ACS used external user database Windows 2000 for authentication.
    Who can tell me What protocols or port list they are communication?
    I have to avoid these traffic on my firewall.

    Hi cheng
    I think you can install any servie pack without problem and the SP4 is the latest one for WIN2000 and you server already has this SP
    For your second question you need to specify many protocols according to your active directory config in this link you can find a list of this protocols and the best way is to make debug or logging or use a siniffer to know the exactly protocols flow between your ACS and AD server
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • Can i configure a network with ACS and ISE?

    I have both acs and ise, how do i integrate these appliance to work togheter?
    Thanks

    ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services  Engine can work in tandem with Cisco NAC Manager to provide the same  profiling service as the NAC Profiler, which has reached end-of-sale  status.
    Existing Cisco Secure ACS customers using network  access can easily migrate to the Cisco Identity Services Engine platform  using migration part numbers and tools. However, existing Cisco Secure  ACS customers using TACACS functions will not be able to migrate to the  current version of ISE for network device identity management which is  often acceptable for customers who prefer to keep user and network  identity on separate systems.

  • DES and RSA test applet

    Hello all,
    I have to test DES and RSA with some Java Card, but I have NO idea with it.
    Is there any sample applets or any good site to learn it?
    If I can have applet files, that will be great.
    Thanks a lot,
    Julie.

    This could be an issue, for example, if there is a card that doesn't implement javacardx.crypto. Creating Cipher myCipher as a member variable would throw an exception if it's not implemented on the card. This ultimatly will prevent it from being loaded.
    Take your CAP file and try to load it with the reference implementation and you'll see what I mean. Also, try to compile, and generate a CAP file outside the JCOP IDE environment. You'll see what ticks me off about the Sun kit. It would still generate the CAP file. BUT crypto isn't implemented in the Sun Kit. It should kick out an export not found message.
    Discarding objects aren't needed because, if you notice, the JC uses a facade design pattern for the crypto implementations to assure only one instance is created. That's the getInstance() methods.

  • ACS and HA

    Hello,
    The purpose is to use a 802.1X authentication with ACS server, AD and high availibility.
    I have 2 sites with one AD with a 4 mega link bandwidth and one ACS for each site.
    I know that it is possible to use ACS active/passive mode with replication of database.
    but I also read that it's possible to use 2 groups on ACS and use HA,and my question is
    In my configuration with one AD and 2 ACS, can I use this functionality ?
    Is it possible to know the bandwidth between ACS in case of replication or active/active mode?
    Regards

    You can make it active / active too... Second Only one AD it is not at all problem. As sson as it need one IP or Name of AD server. Specify same name at both server. It will be replicate.
    Regards,
    Dharmesh Purohit

  • Cisco Secure ACS and Windows NLB

    Hi,
    I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
    Has anyone had any success with ACS and Microsoft NLB? I can?t find any documentation to suggest that they are incompatible but I think this may be the case.
    Thanks,
    Neil

    Neil,
    ACS is not tested with NLB but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
    Do you see any hits on acs ? If you sniff the acs interface, what is the source IP address ? Is it clustered ip or clustered host IP ??
    Also on acs --->Network configuration add aaa client with host IP and clustered ip . Now see if acs responds to NLB.
    Regards,
    ~JG

  • ACS and CAR integration

    Hi,
    Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
    I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
    Thanks,
    Habib U Dashti

    Hi Habib,
    Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so as DB-2, The other way round is that you can convert DB-2 database in flat file structure and import it into ACS database. Regarding limitations or issues i do not have any info.
    And CAR has its own database & does not support DB-2.
    Thanks.

  • ACS and AAA deny statements

    I have 1 Windows box running ACS and four 7505 routers configured with AAA commands. Authentication is working fine on the routers via the ACS server. Now I need to deny certain commands like "DEBUG" to certain users without taking off their administrative rights. How can I achieve this?

    Hi
    there are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.
    In ACS create some groups based on the permissions levels each group should have.
    In the groups enable the shell (exec) service.
    At this point you can either list the denied commands for certains groups right in the group edit page itself.
    Alternatively, you can created Device Command Sets in the share profiles UI. These are more flexible because inside a single group you cap map to different DCSs based on the device being managed (either by device ip or by network device group)
    Its all there in the ACS docs!
    Good luck.

Maybe you are looking for