ACS appliance -- AD -- RSA Securid Server

Similar Messages

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ISE Not Authenticating Against RSA SecurID

  In the process of integrating ISE 1.2 into our environment with the eventual intent to replace ACS 5.x and having a challenge adding an RSA SecurID server as an external identity source.
  In ACS, we would create an internal user but configure the password to be handled externally and uses PAP or whatever to communicate with RSA.
  I don't see this option in ISE, only to use the RSA SecurID as a direct Identity Source, the problem is that if I try to authenticate to ISE using a device such as an iPhone, which is using MS-CHAPv2 by default, it produces an error in the authentication logs that the device is using a protocol not supported by the identity source.
  So what is the proper way to configure ISE to allow users to authenticate with a one-time-password against RSA SecurID?

  check the following link for Integrating Cisco ISE with RSA SecurID Server
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1080334

• ACS Appliance Upgrade

  I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

  Hi,
  Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
  If I am not mistaken, the error you're getting was due to unavailability of distribution server.
  If you stuck with the image transfer, try to use CLI/console mode.
  Typicall upgrade method has 3 steps:
  1. Load new image (download from Cisco or using CD) onto a distribution server.
  2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
  3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
  Refer to the following url for complete upgrade processes & options:
  http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
  Rgds,
  AK

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• Web server will not start due to RSA Securid errors

  We have an iPlanet 4.1 Service Pack 14 web server that was running fine until last friday. When we go to start the server we get the following error:
  Status:
  [https-ivpnas]: start failed. (2: unknown early startup error)
  [https-ivpnas]: conf_init: Error running init function securidinit: unknown error
  [https-ivpnas]: server exit: status 1
  Error
  An error occurred during startup.
  The server https-ivpnas was not started.
  The error log also contains this additional error:
  [27/Sep/2004:10:06:57] info ( 4164): successful server startup
  [27/Sep/2004:10:06:57] info ( 4164): iPlanet-WebServer-Enterprise/4.1SP14 BB1-01/15/2004 13:04
  [27/Sep/2004:10:06:58] catastrophe ( 4164): securidauth reports: InitAceClient returned FALSE
  This website uses RSA Securid for authentication. We have contacted RSA and they think it is a webserver problem. Any insight anyone can provide would be great. Thanks!

  The error message is generated by the RSA plugin, not Web Server. RSA should be able to help diagnose the problem further.

• ACS 4.0 and RSA Token Server problem

  Hi,
  We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
  Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
  I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
  When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
  After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
  Any help or advice appreciated.
  Thanks

  Hi,
  The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
  Following link talks about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
  Regards,
  ~JG

• ACS Appliance User DB to new non-appliance ACS server

  Is it possible to replicate an ACS appliance user DB and replicate it on a new non-appliance ACS server. We're adding additional ACS servers and don't want to re-create all the groups and mappings. Think of it as ghosting an appliance and restoring it on a new server. Thx

  Here is the link,
  http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml
  Here is the troubleshooting check list, in case you face any issue,
  1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
  2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
  3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
  4) Ensure that the secondary server has it's replication scheduling set to "manual".
  5) Please verify that your servers are all running exactly the same ACS version and build.
  6) Also let me know if we have any firewall in between two acs servers.
  Regards,
  ~JG

• External Identity Sources, binding RSA securID to ISE

  Hi all,
  Say, my topology was using ISE doing VPN inline posture, and bind RSA securID (version 7.1) as external Identity Sources.
  During  the deployment, in order to let my iPEP node join the Policy Service  Node, for the certificate i using the third party CA server (Window  server 2008 R2) as the root CA, both of these 2 ISE were mutual  authenticated and done.
  My question. as i using  RSA secureID as external identity sources, native behaviour, Will the  ISE trust RSA with no identity certificate signed by the identitical  root CA?
  Should i enroll this RSA appliance issue the CSR to CA server to sign and in the PKI environment? Is there a need for this?
  Thanks
  Noel

  Noel,
  From my experience when integrating with the RSA token server you need the sdconf.rec file exported from the RSA and you import that into the ISE configuration. You then select this identity store with your authentication policies for vpn users. There isnt a need for any certificates when integrating with a token server (that was the last time I checked) and even if there would just need to trust each other's certficats.
  I hope that helps!
  Sent from Cisco Technical Support iPad App

• ISE Authentication Policy for RSA Securid and LDAP for VPN

  We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
  Here is my question:
  Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
  Thanks,
  Joe

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• ACS Windows vs ACS Appliance

  I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?

  Hi
  Personally I wouldnt choose an appliance over software. Cost aside they are harder to integrate (esp if you use AD), harder to diagnose and patch.
  From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted with all the issues that go with it.
  ACS v5 is supposed to be appliance from day 1 so maybe that'll be ok!
  This is my own personal view, Im sure there are a lot of happy appliance owners out there.
  Main differences
  1) Appliance cant talk direct to AD. You need to install an agent somewhere (possibly requiring a dedicated windows server.. ouch what happened to lower TCO!)
  2) No native ODBC, RSA (done via RADIUS instead)
  3) Logging. CSVs hard coded to rollover at 10MB. Requires log agent or extraxi csvsync to collect logs.
  If you like to be "hands on" stick with s/w

• SGD 4.31 Can't get RSA securid test to work - hangs

  root@stargate # /opt/tarantella/bin/bin/ttasecurid test
  log_msg=ttasecurid version 4.31.905
  ^C
  [it hangs]
  Then I checked /var/adm/messages, and this message is there
  Sep 19 10:28:45 stargate ttasecurid[1410]: [ID 940005 user.error] ACEAGENT: The message entry does not exist for Message ID: 1002
  This appears to be a message saying the message is not found.
  We have our SGD server on the outside of the network and the RSA secure appliance on the inside. I've had the network engineers open up UDP port 5500 from the SGD server to the RSA appliance. There is no firewall rules blocking traffic from the RSA appliance to the SGD server.
  I've followed the setup doc as on the RSA website, which ties in with the Sun doc that is part of SGD.
  This is not a very documented area, and not having a proper error message doesn't help either.
  Any ideas from anyone with experience setting these two up to talk to each other would be welcomed!
  Terry

  The documentation here indicates you'll also need to open up 1024/udp to 65535/udp
  The correct usage of the ttasecurid test command is to type:
  */opt/tarantella/bin/bin/ttasecurid test*
  cmd=authenticate id=<user> username=<user> passcode=<passcode>
  The log monitor on the SecurID server should then indicate a connection has been made, etc.

• ACS appliance 3.2.2.5 Remote Agents for Windows DB disappear

  I have two ACS boxes: one is ACSNT and the other an ACS appliance. Both run 3.2.2.5 and have been in production for quite some time. The ACSNT box is the primary and replicates to the appliance as backup. These units authenticate to three different Windows domains: 2 NT domains and 1 AD.
  Recently I just added support for RSA 6.0 servers. Not wanting to mess with the client install on the ACSNT box, I set it up as a RADIUS token server as you do on the appliance. It works just fine on the ACSNT box. On the appliance, however, my Windows external DB quit working with "external db not operational" messages. I rebuilt the Windows external DB, recreated the group mappings, added the remote agents, etc. Things were working fine. I recreated the RSA config and still the Windows DB was working although the RSA config was not working (still working on that if TAC ever calls me back). A few hours later, I decided to check the Windows DB and it was broken again. I checked it out and the remote agents were somehow deleted. Nothing in the logs show it but they were gone. I recreated them and it worked again. This has happened twice now. Does anybody have any advice? The logs show nothing to indicate a problem on the appliance exists and of course the docs state that there should be no problem with both a RADIUS and Windows DBs living together on the same box. All comments welcome!
  Thanks,
  Rik

  Sorry it took so long to get back...I've been out of the office for a few days.
  I did check the the docs for issues like this but found nothing. The TAC Engineer escalated it and both engineers kept saying my new RSA servers were causing my issues. However, a simple reboot of the box (it is built on Win2K after all...) cleared up all of the strange issues.
  Thanks,
  Rik Guyler

• No access to serial console in ACS appliance 111

  We have 2 Cisco ACS appliances running version ...
  Cisco Secure ACS 3.2.2.5
  Appliance Management Software 3.2.2.5
  Appliance Base Image 3.2.2.1
  The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
  1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
  2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
  3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
  4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
  Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
  Kind regards.

  Hi
  I had similair problem being locked out of console after initial configuration wizard.
  I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
  I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
  deliverance1> start CSAgent
  Starting service: CSAgent..
  CSAgent is starting
  CSAgent is running
  Regards
  Ian