Cisco Leap with RSA SecurID (eap-securid) authentication???

Similar Messages

• Mac Lion can't connect to Cisco VPN with RSA authentication

  Hello,
  We have a problem with a manager who has upgrades his Mac to the latest Lion OS (64 bit), before uograding he could connect without any problem with his mac to our network and work on the terminal server. Since the upgrade he's not able to get it working in 64 bit (normal) mode.
  This our setup
  Cisco  PIX 515
  RSA Cisco Pix security Apliance.
  Does anybody have any advice to get this setup working.
  regards

  Hi Raymond,
  We have encounter the same issue with one of our sales director, the upgrade to MAC OS-X Lion breaks the VPN IPsec connexion. We have tryed various type of tunning with no sucess.
  Finally, as wordaround, we have installed the AnyConnect client and it works fine now.
  Vincent

• Cisco ACS with External DB - EAP-TLS

  Hi Guys,
  I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
  Let say both user and computer certs are employed:
  1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
  2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
  2b. Wot is the paramater that is checked against the AD database?
  I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
  Client Certificates
  Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
  CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
  SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
  Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
  3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
  Please can someone help me with these points.
  I am so lost in this stuff :)) I think.
  Many thx and many kind regards,
  Ken

  only TLS *handshake* is completed/succcessful, but because user authentication fails,
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
  EAP: EAP-TLS: Handshake succeeded
  EAP: EAP-TLS: Authenticated handshake
  EAP: EAP-TLS: Using CN from certificate as identity for authentication
  EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
  pvAuthenticateUser: authenticate 'jatin' against CSDB
  pvCopySession: setting session group ID to 0.
  pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
  pvAuthenticateUser: authenticate 'jatin' against Windows Database
  External DB [NTAuthenDLL.dll]: Creating Domain cache
  External DB [NTAuthenDLL.dll]: Loading Domain Cache
  External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Domain cache loaded
  External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
  External DB [NTAuthenDLL.dll]: User jatin was not found
  pvCheckUnknownUserPolicy: setting session group ID to 0.
  Unknown User 'jatin' was not authenticated
  So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
  And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
  HTH
  Regards,
  Prem

• How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

  Hi dearI 
  How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

  Olivier,
  You can't reference WLP visitor roles in weblogic.xml, but you can
  reference global roles (created using the WLS console):
  - <security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
  </security-role-assignment>
  -Phil
  "Olivier" <[email protected]> wrote in message
  news:[email protected]..
  >
  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the securityon a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of theportal (for
  exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
  Label=mypage")"
  by email to portal users) and need a simple mecanism of authenticationbefore
  redirecting to the portal page.
  Inste

• Implementation of CISCO IVR – with 2nd Level of SMS Authentication and Backend SQL Server Integration

  Hi All,
  All i need is to write a script in UCCX premium with below requirement.
  We do offer services to our customers through the IVR, the aim is to ask the Customer to register with our company, and then will be allowed to use the services from us. We want to ask the customer for second level of authentication when he is on our IVR in terms that we will send him the activation code on his registered mobile number and verification of Voice Signature by Voice Biometric System. Then he will be prompted for the services. In addition, once he has logged in then he can order new services for which we will record him request in the Database and then send him an SMS Notifications.
  Is this possible in the scripting?

  Hi,
  First customer calls in to the trigger, their will be a menu to select the language (English,Arabic,French,bla). After the language selection,
  customer will be prompted to login using their credentials (press 1),
  and if you are new user register your detail (Press 2).
  If customer press 1 , then there will a menu mentioning some company services, and customer can order those services by using his account. After successful order, sms gateway sends a notification to customer's mobile number.
  If the customer press 2 , then the registration process starts , after successful registration in the database we query the details and then send the activation code to customer's mobile number. Using the activation code he should be able to activate his account and select the services.
  Finally, this IVR should play only in the office hours. Non-working hours there will be different prompt.
  Hope you are clear about this call flow. If you have any queries please let me know.
  Thanks in advance
  Regards
  Kajen

• Authentication with RSA SecurID

  Hi,
  Can we use RSA SecurID for OBIEE Authentication? if yes, Can recomend a blog or document?
  Thanks,
  Gustavo.

  Yes, you can. But you will have to develop a Custom Authenticator.
  http://obiee101.blogspot.com/2009/03/obiee-custom-authenticators.html

• Web Authentication with RSA SecureID on a Cisco Switch

  Hi,
  I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
  I've already managed to link it in for ssh access
  but I've not managed to get it working for http / web access to the switch
  I think this is because we're using "single use" tokens for maximum security with RSA SecureID
  and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
  (okay on the first authentication, but each time after it's going to want a different token code)
  I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
  For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

  Hello Chris,
  Can you test the following configuration?
  aaa group server radius webtac_grp
  server
  cache expiry 1
  cache authorization profile httpauth
  cache authentication profile httpauth
  aaa authentication login httpauth cache webtac_grp group webtac_grp
  aaa authorization exec httpauth cache webtac_grp group webtac_grp
  aaa authorization network httpauth cache webtac_grp group webtac_grp
  aaa cache profile httpauth
  all
  ip http server
  ip http authentication aaa login-authentication httpauth
  ip http authentication aaa exec-authorization httpauth
  radius-server host key ******
  I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
  NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
  If this was helpful please rate.
  Regards.

• How can I do for ESA work with token RSA, I mean when I entry the login the authentication with RSA

  Hi there,
  How can I do for ESA work with token RSA, I mean when I entry the login, the authentication ask me the token with RSA, Is it possible???
  Regards,

  Hello Miguel,
  RSA tokens are currently not supported for login, neither to the GUI/CLI or access to the spam quarantine. There is currently a feature request"Support SecurID via RADIUS" for the WSA, if you want you can open a ticket and have either add your company to that request, or have it extended for ESA as well.
  Hope that helps,
  Andreas

• I am looking for a task app that will work with MS Exchange using SecurID. Any suggestions?, i am looking for a task app that will work with MS Exchange using SecurID. Any suggestions?

  My company uses MS Exchange with RSA SecurID. I also have an iphone 5 and i would like a good task app to manage my tasks on the go. The problem is all the task apps ive tried wont work with the SecurID. Any suggestions on a good app which will work with SecurID? thanks

  Only two devices on our plan, so not so much an issue. And I have found myself using it much more than I thought I would when we got them (also first smart phones for both of us). Even got my wife to use hers for checking email while we were out of the country (big step forward for her ). I'm very interested in the ApplePay, but will want to wait a bit before diving into it. And since both phones are still in great working order, will likely wait a bit for the upgrade (sometime next year?). Will depend, I suppose, on the kinds of deals we see and what the plans turn out to be for updating my iPad and getting here one.

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Configure cisco wlc for rsa authentication

                     Hi,
  I wanted to find out if it is possible to authenticate wireless networks using rsa. Currently we have a cisco wlc 2504, rsa authentication manager 7.1
  Do we require a cisco ACS device to make this work. Please advise.
  Thanks

  Yes it is possible.  The below is the list of items which you require to configure RSA authentication on WLC
  •1.       RSA Authentication Manager 6.1
  •2.       RSA Authentication Agent 6.1 for Microsoft Windows
  •3.       Cisco Secure ACS 4.0(1) Build 27
      Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
  •4.       Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
  For more information you can go through this link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

• No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

  Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
  thanks,
  KG

  Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.

• How do i connect my I-pad mini to cisco leap authentication

  I have a new I pad mini and I want to connect it to my organization wireless network, the organization is using cisco leap for authentication. 

  It has a built-in Thunderbolt cable, see here: http://www.apple.com/displays/specs.html
  So assuming your mini has a thunderbolt port (you said it's new so I assume it does), you'd just plug the display's thunderbolt cable into the mini's Thunderbolt port.

• ACS with RSA for privilege level 'enable' authentication

  Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privelledge level authentication "enable" this fails. We get prompted to enter the token code and the RSA server indicates that authentication is succesful however the network device (ASA or switch) seems to reject it.
  Are there any tricks to this?
  Thanks in advance!

  David
  Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
  Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
  HTH
  Rick