Cisco ISE and SecurID Integration Questions

I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
Thanks!

The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
Have you already gone through the below listed link?
http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
Regards,
Jatin Katyal
- Do rate helpful posts -

Similar Messages

  • Cisco ISE and Admin CLI question

    Hi there. 
    I have strange problem with my ISE installation. First of all I use AD users for authentication. It works fine over HTTPS. I can login with my AD admin by HTTPS.
    The problem starts when I try to login via CLI (SSH). I got login prompt. When I type my AD credentials it says "Login Incorrect" and I got the same result if I try with the local admin account.
    I did try to reset the local admin account password via HTTPS to verify that I type the correct password. But no effect.
    My ISE is installed on VMware. 
    Any experiences with this one?
    BR.

    The CLI authentication which is the base Linux OS is not/cannot be tied to AD for admin authentication. You only integrate the application installed on the top of Linux, which in this case is ISE, to AD. So to login to the CLI shell you will need to use the username/password that you configured during setup. If you don't recall those you will need to perform a password reset via the installation CD/ISO.
    Thank you for rating helpful posts!

  • ISE and LDAP Integration

    Hello,
    I have a question about the LDAP integration with the ISE:
    Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
    What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
    Even I tried to change the base DN and the search DN but without luck.
    The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
    Is there any missing information/tips required in such integration?

    Hello,
    I found a Cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP. I hope this helps!
    This section contains the following:
    • Directory Service
    • Multiple LDAP Instances
    • Failover
    • LDAP Connection Management
    • User Authentication
    • Authentication Using LDAP
    • Binding Errors
    • User Lookup
    • MAC Address Lookup
    • Group Membership Information Retrieval
    • Attributes Retrieval
    • Certificate Retrieval
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913

  • ISE and PI Integration

    Dear All,
    What configuration is required on ISE to integrate with Prime 1.3.0.20?
    On PI side, I have added ISE in the below path
    Design-> External Management Servers -> ISE Servers.
    Apart from this anything else to be done on PI..?
    Thanks in advance.

    The stuff to do on the ISE is set up as a Radius Server for your client authentication. When ISE acts as a radius server, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to be visible in a single console on PI.
    The point to remember is that PI is a management solution for wired and wireless clients, while ISE acts as ACS and NAC combined. Recall that ACS on its own could not do posture validation without NAC.
    Cheers

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access . Cisco BYOD enhances user experience and productivity while providing security, ease-of-administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certification.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the Trustsec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • Inline Posture between Cisco ISE and Wireless LAN Controller

    Hi,
    I was looking into Cisco ISE solution for deploying NAC.
    I have a question about the network topology.
    In the user guide documents of Cisco ISE, it is written that for Wireless LAN Controllers (WLC) and VPN devices, an additional server, Inline Posture, is needed.
    However, in the following integration document, there is not an inline posture between WLC and Cisco ISE server.
    https://supportforums.cisco.com/docs/DOC-18121
    I want to know if Inline Posture is a requirement, if not a requirement, what are the benefits of having it between Cisco ISE Server and WLC.
    Thanks & Regards
    Sinan

    Hello,
    Please go through below mentioned links which might be helpful for you.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_deploy.html
    Best Regards,

  • HTTP Error 403 - Forbidden on Cisco ISE and SCEP RA

    Dear Experts,
    We are in process of deploying ISE 1.2 in our environment for BYOD.
    The initial step of this process is to configure ISE as an SCEP Proxy and it requires certain configuration on the local CA. We have done all the required configurations on the local CA server.
    Now, when we try to connect ISE with the local CA using SCEP RA Profiles, it gives "HTTP Error 403 - Forbidden". The URL we are using is http://ipaddress/certsrv/mscep/mscep.dll.
    It seems that the local CA is not letting the ISE access the mscep.dll file. Now I don't understand how to allow ISE to access this file or the URL. Please advise if there is any step by step process guide. Although, I have followed the ones from Cisco but it doesn't state how to give ISE the required rights for accessing mscep.dll.
    Thanks in advance.
    Jay

    Jay,
    You should use this URL:
    https://ipaddress/certsrv/mscep
    If you try to get the cert from an http address, you will get an error. You should be using https. Also, the mscep.dll should not be part of the URL.
    You can test this connectivity from any browser by putting that URL in the address bar. You should see a page similar to this:
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE and authentication for 802.1x printer

    Hello
    What is the best practice to authenticate a 802.1x printer in Cisco ISE?
    The printer can store a certificate for authentication and support EAP-TLS.
    Thanks for answer.
    Marco

    EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If you have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports.
    I hope this puts you in the right direction!
    Thank you for rating helpful posts!

  • Cisco ISE and NDES?

    Wanting to use Cisco ISE in front of Windows Server 2012 or R2 NDES. The following article states that NDES should NOT be clustered or load balanced and setting a single password is not supported.
    https://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx#Can_I_use_a_Static_Passphrase_across_multiple_NDES_servers_and_then_load_balance_them
    The Cisco article says to disable the password altogether and lock the IPs down to the ISE devices in IIS that will access NDES.
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml
    If NDES is configured this way and dedicated to Cisco ISE will this be a supported configuration by Microsoft? If the password is turned off altogether can two NDES servers then be load balanced as the password generation is not an issue.
    Thanks

    Hi,
    Please refer to this article.
    CA cluster and NDES
    http://blogs.technet.com/b/techniatures/archive/2011/07/07/ca-cluster-and-ndes.aspx
    Regards,
    Mike
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • ISE and AD integration

    Hello All,
    Can anyone tell me what are all the prerequisites when integrating ISE with AD..?
    Thanks in advance.

    Hi Prasan,
    Before you connect your ISE server with the Active Directory domain, you must check the following:
    • Ensure that Cisco ISE hostnames are only 15 characters or less in length. Active Directory does not validate hostnames larger than 15 characters, which can cause a problem if you have multiple ISE hosts in your deployment whose hostnames are identical through the first 15 characters and only distinguished from one another by trailing digits or other identifiers.
    • Ensure that your ISE server and Active Directory are time synchronized. Time in the ISE is set according to the Network Time Protocol (NTP) server. It is recommended that you use the NTP to synchronize time between the ISE and Active Directory. For more information on NTP server settings, see the "System Time and NTP Server Settings" section.
    Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 1.1 for information on how to configure the NTP server settings from the CLI.
    • If there is a firewall between ISE and Active Directory, certain ports need to be opened to allow ISE to communicate with Active Directory. Ensure that the following default ports are open:
    Protocol          Port Number
    LDAP              389 (UDP)
    SMB [1]           445 (TCP)
    KDC [2]           88 (TCP)
    Global Catalog    3268 (TCP), 3269
    KPASS             464 (TCP)
    NTP               123 (UDP)
    LDAP              389 (TCP)
    LDAPS [3]         636 (TCP)
    [1] SMB = Server Message Block
    [2] KDC = Kerberos Key Distribution Center
    [3] LDAPS = Lightweight Directory Access Protocol over TLS/SSL
    • The Active Directory username that you provide while joining to an Active Directory domain should be predefined in Active Directory and should have the permission to create and update for computer account objects and change password in the domain you are joining.
    • Ensure that your Microsoft Active Directory Server does not reside behind a network address translator and does not have a Network Address Translation (NAT) address.
    Supported document:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1059011
    Jatin Katyal
    - Do rate helpful posts -
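A pre-join check for two of the prerequisites listed in the answer above, written as an added example (it is not from the original post or from Cisco documentation): it flags ISE hostnames that exceed 15 characters or are identical through their first 15 characters, and tests TCP reachability of the listed ports. The sample node names are constructed, comparing upper-cased short names is an assumption, and the port probe should be run from a host on the same network path as ISE.

```python
import socket
import sys
from collections import defaultdict

NETBIOS_LIMIT = 15  # hostname length limit stated in the prerequisites

# TCP ports from the prerequisite list. LDAP 389/UDP and NTP 123/UDP are also
# required, but a connect() probe cannot confirm UDP reachability.
AD_TCP_PORTS = {
    "LDAP": 389, "SMB": 445, "KDC": 88, "KPASS": 464, "LDAPS": 636,
    "Global Catalog": 3268,
    "Global Catalog (3269)": 3269,  # listed without a transport; probed as TCP
}


def short_name(hostname):
    """First DNS label, upper-cased, so FQDNs and mixed case compare equal."""
    return hostname.split(".")[0].upper()


def over_length(hostnames, limit=NETBIOS_LIMIT):
    """Hostnames whose short name exceeds the limit."""
    return [h for h in hostnames if len(short_name(h)) > limit]


def prefix_collisions(hostnames, limit=NETBIOS_LIMIT):
    """Map each shared truncated prefix to the distinct hosts that collapse to it."""
    groups = defaultdict(set)
    for h in hostnames:
        groups[short_name(h)[:limit]].add(short_name(h))
    return {p: sorted(names) for p, names in groups.items() if len(names) > 1}


def check_tcp_ports(host, ports=AD_TCP_PORTS, timeout=3.0):
    """Attempt a TCP connect to each port; True means the handshake completed."""
    results = {}
    for name, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[name] = True
        except OSError:  # refused, filtered (timeout), or unresolvable
            results[name] = False
    return results


if __name__ == "__main__":
    # Constructed sample inventory of ISE node names (not from the page).
    nodes = ["ise-psn-datacenter01", "ise-psn-datacenter02",
             "ise-admin01.example.com", "ISE-MNT01"]
    print("over 15 chars:", over_length(nodes))
    print("collisions   :", prefix_collisions(nodes))
    if len(sys.argv) > 1:  # optional: domain controller to probe
        for name, ok in check_tcp_ports(sys.argv[1]).items():
            print(f"{name:22} {'open' if ok else 'BLOCKED/closed'}")
```

A `False` result for a port means the connect failed for any reason (refused, filtered, or name resolution), so check the firewall path before concluding the service is down.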

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface based on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale besides creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 -- On Vlan 1
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • Cisco ISE and Fast User Switching

    Greetings,
    In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows Functionality. After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching. It does not appear that Anyconnect is either. Can you please inform me as to what supplicant I would need to research in order to allow for the User Switching Functionality?
    We are currently using ISE 1.2 Patch 4.
    Thank You for any assistance.
    David

    The NAC Agent for Cisco ISE does not support Windows Fast User Switching when using the native supplicant. This is because there is no clear disconnect of the older user. When a new user is sent, the Agent is hung on the old user process and session ID, and hence a new posture cannot take place. As per the Microsoft Security policies, it is recommended to disable Fast User Switching.
    Source:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts. Now auth doesn't work. Initial error was authc ok, authz fail.
    I can search and get lists of AD groups ok for the remote domain.
    Using the attribute tab, I can't get attributes for users in remote domain. I'm thinking since I can't see the memberof attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok. A previous poster talked about Kerberos issues across forest trusts?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on the page no.170

  • Cisco ISE and Switch 3560-X

    Good Morning,
    I am conducting an implementation of Cisco ISE version 1.2.1.198 with all its features on a switch 3560-X and in the ISE compatibility chart the minimum version for this switch would be the IOS v 15.0.2-SE2 (ED).
    My doubt is whether I need the feature ipbase or just the lanbase would be sufficient to meet all the features of 802.1x for the Cisco ISE.
    I appreciate the attention and Thanks,

    Please see the "Cisco Secure Access and Cisco TrustSec Release 5.0 System Bulletin".
    It notes that the 3560-X requires IP base license for all the 802.1X features.

  • Cisco ISE and external syslog server

    Hi Security Experts,
    We are starting with deploying cisco ISE (Identity Services Engine) in our network. We have allocated 250GB space for (Admin+Monitor) ISE node.
    I want to know if we can send the logs from monitoring node to external syslog server after a defined time interval.
    For example, logs which are more than 10 days old should be sent to external syslog server. So basically our monitoring node will have logs which are at the max 9 days old. Is it possible? Could you point me to some doc which explains configuration of the same?
    Thanks,
    Kashish

    No, this isn't possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
    Tarik Admani
    *Please rate helpful posts*
