CSS 11500 - Radius / RSA SecureID Setup

I am trying to set up a CSS to use RADIUS for RSA/ACE SecureID authentication. I have already set up a RADIUS server for standard authentication using the RADIUS attribute Service-Type = Administrative, and it works. However, I am not sure how I would get it working with the RSA/ACE SecureID. Will the CSS handle the challenge from the RSA/ACE? Are there Cisco Vendor Specific Attributes that I can send back to the CSS for this? Is this setup even possible? Any information on the specifics of this would be greatly appreciated.
Thanks,
John Spannagel

They would only get the RSA prompt for the token. On ACS 4.2 you can use RSA with an LDAP group mapping to achieve RSA authentication but still pass the desired DAL based on their LDAP mapping. The username in RSA would have to be the same as the username in LDAP for this to work.
--Jesse
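The RADIUS exchange the question is about, as an added example that is not part of the original thread: a NAS-side Access-Request carrying Service-Type = Administrative, and the parsing of the server's reply, telling an Access-Accept apart from the Access-Challenge an RSA/ACE backend returns when it wants a next tokencode or new PIN. Pure RFC 2865 encoding in Python; the shared secret, usernames and State value are constructed sample values, and the prompt text in the challenge is assumed.

```python
import hashlib
import struct
# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, USER_PASSWORD, SERVICE_TYPE, REPLY_MESSAGE, STATE = 1, 2, 6, 18, 24
SERVICE_TYPE_ADMINISTRATIVE = 6  # the value the CSS expects for an admin login

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: MD5-chained XOR over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    # Type-Length-Value; the length byte counts its own 2-byte header
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_access_request(ident, user, password, secret, authenticator, state=None):
    """NAS side. When answering an Access-Challenge, State is echoed back unmodified."""
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, authenticator)),
             (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_reply(code, ident, attrs, secret, request_authenticator):
    """Server side. Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_authenticator + body + secret).digest() + body

def parse_reply(packet, secret, request_authenticator):
    """NAS side: drop a reply whose authenticator fails, then classify it."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    if hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest() != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs = dict(decode_attrs(packet[20:]))
    return {"code": code, "challenge": code == ACCESS_CHALLENGE, "state": attrs.get(STATE),
            "admin": attrs.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE),
            "prompt": attrs.get(REPLY_MESSAGE, b"").decode(errors="replace")}
```

On a challenge the NAS must prompt the user with the Reply-Message text and resend an Access-Request with the new tokencode and the State attribute copied verbatim; a reply whose Response Authenticator does not verify is discarded rather than acted on.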

Similar Messages

  • Web Authentication with RSA SecureID on a Cisco Switch

    Hi,
    I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius
    I've already managed to link it in for ssh access
    but I've not managed to get it working for http / web access to the switch
    I think this is because we're using "single use" tokens for maximum security with RSA SecureID
    and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server
    (okay on the first authentication, but each time after it's going to want a different token code)
    I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
    For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

    Hello Chris,
    Can you test the following configuration?
    aaa group server radius webtac_grp
    server
    cache expiry 1
    cache authorization profile httpauth
    cache authentication profile httpauth
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
    all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key ******
    I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
    NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
    If this was helpful please rate.
    Regards.

  • RSA SecureID ACE/Server 6.1.2 integration issue with IDM2005Q4M3

    I tried the SecureID adapter with the following steps:
    1. set up the IDM gateway on the SecureID server
    2. copy SecureID's apidemon.exe to the gateway.exe folder
    3. add the administrator on the SecureID server and use it on the IDM resource adapter
    4. run gateway.exe -d -fsso.log -l6
    5. configure the SecureID adapter resource; the test configuration is OK
    6. add an rsa_test user on IDM, then assign the SecureID resource to the user
    Before step 6 everything is fine, but step 6 causes IDM to hang; there is no response from the gateway.
    While I assign the user the SecureID resource in IDM, the gateway trace log prints the lines below and then hangs:
    01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/securid/SecurIdExtension.cpp,1439): Enter: login
    01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (8) moded to 1
    my environment:
    idm 2005Q4M3 on linux
    gateway: Sun Java System Identity Manager 6.0 SP1 HF82 on windows 2003 sp1
    RSA SecureID ACE/Server: 6.1.2 on windows 2003 sp1
    Any help on RSA SecureID ACE/Server 6.1.2 integration with IDM2005Q4M3 is greatly appreciated.
    Or anybody can send me some more docs on the integration process and the check point?
    My email: [email protected]
    Please help!
    Edited by: Brave on Jan 9, 2008 4:36 AM

    Found the solution. The problem was that the acecInt.dll in the System32 folder was mismatched with the one in the RSA install folder. I copied the DLL from the RSA install folder to System32 and it started to work fine.
    The error I was getting was "Get file operation with no or unknown handle aborted".

  • Load balancing PPTP (Windows 2003) behind CSS 11500

    I am wondering if you can load balance PPTP service (TCP port 1723 and GRE) behind CSS 11500, please let me know if anyone as experience with this setup.
    Irfan
    [email protected]

    No. I don't think you can load balance the PPTP service behind a CSS 11500.

  • CSS 11500 booting only to Offline DM mode

    Hello,
    I set up a new CSS 11500 this morning, going through the steps of setting up the administrator password, IP address for the management console etc., but when continuing, the CSS went straight to the offline DM menu. Now, rebooting the unit, it clears all the tests and loads the operational flash but continues to go straight to the DM menu regardless of whether you press <y> or not at the prompt.
    I also tried connecting via telnet to the management console but get connection refused.
    Any ideas on why the CSS boots only to the DM menu?
    Thanks in advance,
    - Trevor

    Trevor,
    Once in offdm, attach a laptop with an FTP server on it to the management port.
    Then, from offdm, you can configure the CSS to boot from the FTP server.
    Once the box is up and running again, make sure you have an image on disk.
    Finally, you don't need a PCMCIA flash, and no, you should not have received one.
    Regards,
    Gilles.

  • Services with different IP address subnets over CSS 11500 series

    Hi all folks!
    I have two CSS 11500 series...
    In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
    But these servers will be in a different subnet from the one I have today for the servers configured in the current services of my CSS.
    So the doubt that arises is:
    Is it correct to add two new services with these servers, but using the IP addressing of the DRS site, and include on the CSS a static route to this network (the DRS) in order to reach them? Is it correct, will it work well?
    It would look like this:
                     ________________ LAN to LAN ________________
                    |                                            |
         |------ SITE A ------|                        |------ SITE B ------|
              [Firewall] ============ IPSEC ============ [Firewall]
                  |                                            |
           [CSS-A]-[CSS-B]                                  [SWITCH]
                |     |                                      |      |
              [SWITCH]                                       |      |
         [srvA] [srvB] [srvC]                            [srvD] [srvE]
    So, at [CSS-A] & B, I will put a static route to the firewall that knows the subnet of site B through the IPSEC tunnel.
    So in the CSSs I will add the new services for the servers "D" & "E" with the IP addresses of Site B.
    It should look like this:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
    ip route SITE B [IP FIREWALL]
    !************************** SERVICE **************************
    service srvA
      ip address A.A.A.x
      port 8080
    service srvB
      ip address A.A.A.x+1
      port 8080
    service srvC
      ip address A.A.A.x+2
      port 8080
    service srvD
      ip address B.B.B.y
      port 8080
    service srvE
      ip address B.B.B.y+1
      port 8080
    I know that this practice is not the most desirable; in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted it validated whether there is any possibility of this working.
    In your experience, what do you say? Will it operate?
    Thanks in advance!
    Regards!
    Esteban =)

    Daniel!
    Sorry by delay!
    Thank you so much for your time in replying.
    You have given me great help with this doubt!
    But, using "source group", let me know..
    I can't understand the real difference between NAT with ACLs as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
    and
    this other link, using NAT (from point 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
    where the NAT is configured under a method different from the previous one..
    So, for this scenario described above, which would you recommend using? I would think that the second is the most appropriate, right? What do you think?
    Thanks in advance again!!!
    Have nice day!
    Regards.
    Esteban.

  • What is the appropriate product name for CSS 11500 on Bug Toolkit

    Today I tried to search DDTs of CSS 11500 on Bug Toolkit (http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl), however I can not find out appropriate product name corresponding to CSS 11500.
    Before, I had searched DDTs of CSS 11500 on Bug Toolkit many times; at that time, if my memory is correct..
    I selected "Cisco CSS 11500 Series Content Services Switches" in the list of "Search for bugs in other Cisco software and hardware products" on Bug Toolkit.
    But I can not find this product name today.
    Do you know what product name appropriate for CSS 11500 on Bug Toolkit ?
    Your information would be appreciated.
    Best regards,

    Hi Gilles,
    Thank you for your cooperation.
    Today, I can find the CSS at "new Bug Toolkit".
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    Select Product Category: Application Networking Services
    Select Product: Cisco CSS 11000 Series Content Services
    So I understand I should go "new Bug Toolkit" instead of old "Bug Toolkit" to
    search any DDTs for CSS 11500.
    Many thanks.
    Best regards,

  • Multihoming with CSS 11500?

    Can I do load balancing between two internet ISP's (multihoming), from Internet to Web Server (inside traffic) and from Internal network to Internet (outside traffic) with a Cisco CSS 11500?

    You can connect the CSS to multiple ISPs.
    With the ECMP feature, the CSS will forward the response back to where the connection came from.
    However, for outgoing connections, the CSS can't do load balancing over multiple ISPs.
    Regards,
    Gilles.

  • Sorry Server for CSS 11500

    Hi,
    I have a question regarding sorry server configuration on the CSS 11500 series.
    Is there a way for the sorry server to ignore the URL path and always send the user traffic to the "root" page (e.g. index.html) of the sorry server web server?
    The problem I have is the redirection of the "root" page (url "/") that is configured for the normal traffic is causing the sorry page not to work since the URL path ("/psp/CUSTOMER1/?cmd=login") does not exist on the sorry page web server:
    service Sorry-Server
      protocol tcp
      port 8000
      keepalive type tcp
      ip address 192.168.2.254
      active
    service server1
      ip address 192.168.2.101
      protocol tcp
      keepalive type tcp
      port 8080
      active
    service server2
      ip address 192.168.2.102
      protocol tcp
      keepalive type tcp
      port 8080
      active
    owner Customer1
      content Content1
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/*"
        balance aca
        advanced-balance arrowpoint-cookie
        flow-timeout-multiplier 6
        add service server1
        add service server2
        primarySorryServer Sorry-Server
        active
      content Content1-Redirect
        redirect "/psp/CUSTOMER1/?cmd=login"
        vip address 192.168.1.101
        port 80
        protocol tcp
        url "/"
        active
    Thanks in advance for your help!
    Best regards,
    Harry

    Hi again,
    During a maintenance window I made the following change and that made things a bit better:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "192.168.2.254:8000"
      active
    However, since the redirect string points to a private address, Internet users are not able to access the URL.
    As a work-around I sent the redirect to a new content rule with a public address and then configured a second sorry page server:
    service Sorry-Server
      type redirect
      keepalive type none
      redirect-string "sorry.example.com:8000"
      active
    service Sorry-Server-2
      ip address 192.168.2.254
      protocol tcp
      port 8000
      keepalive type tcp
      active
    owner Customer1
      content Content2
        vip address x.x.x.x
        add service Sorry-Server-2
        port 8000
        protocol tcp
        active
    Is there a better way to do this?
    Best regards,
    Harry

  • Cisco CSS 11500 and RDP

    Dear NetPros:
    Does anyone know whether the Cisco CSS 11500 Series Content Services Switch supports the 'Session Caching of RDP Clients' sessions for roaming of disconnected sessions' feature?
    Thanks
    Bernard

    The Cisco CSS 11500 is a compact modular platform, specifically designed to provide robust Layer 4-7 traffic management services for e-business applications in Internet and intranet data centers.
    This URL should help you:
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html

  • CSS 11500 - Change name device

    Hi,
    I need to change the device name (hostname) of my CSS 11500. How can I do that? I've been searching for some hours without result.

    To avoid having to retype the name after each reboot, you have to do a save_profile.
    Gilles.

  • CSS 11500 url path rewrite and NAT

    Hi,
    We are evaluating a CSS 11500 and are trying to configure URL path rewrite and NAT, but we have some problems.
    What we would like to do is the following:
    http://www.example.com/path1 -> http://host1:80
    http://www.example.com/path2 -> http://host1:8080
    http://www.example.com/path3 -> http://host2:80
    The address www.example.com resolves to a valid Internet address, whereas host1 and host2 resolve to private IP addresses.
    The client should always see the external url (e.g. http://www.example.com/path1/...) and the CSS should do the necessary translation.
    Any help would be very much appreciated!
    Regards,
    Harald

    Hello experts, I'm new with this Cisco stuff too (just got it 3 weeks ago), but here is some of my experience with the Cisco CSS 11501.
    First: under "service ServerName" there is a port setting, but from my experience I think it is related to the keepalive option, so the port is an alternate way to know whether the server is alive or not.
    Second: when you send a request to the Cisco CSS, the port option in the content rule will be the Cisco CSS port that accepts the request, so if you send a request to http://vip:8080/, all services must be on the same port too to balance the request, in this case port 8080; if one service is on port 80, I'm sure the CSS will not hit that server.
    Third: to solve your problem...
    http://www.example.com/path1 -> http://host1:80 (ipA)
    http://www.example.com/path2 -> http://host1:80 (ipB)
    http://www.example.com/path3 -> http://host2:80
    If you don't want to buy a new NIC, just set a subinterface/IP alias on host1, and make the web server bind only to a specific address, not to all interfaces...
    Oh yeah, about your path1/path2/path3 -> /, hmm, I'm still asking in this forum about path changing because until now I haven't known how to do this; I know about the Apache rewrite module and have done it successfully there, if only I knew how to do this on the Cisco CSS too :-(
    I'm sorry if I make a mistake, I'm just telling my experience...

  • Do CSS 11500 series allow remote SPAN?

    Hi,
    I found that SPAN (Switch Port Analyzer) is available on the CSS 11500 series, but could only find that the destination must be local. Is it possible to do remote SPAN and make the destination be in another remote switch?
    And how many local span sessions are allowed?
    Thanks,
    Rgds
    Jorge

    Cisco WebNS Software Version 7.20 delivers support for a new Cisco CSS 11501 model, and Cisco WebNS Software 7.20 supports the SPAN feature.
    Switched Port Analyzer (SPAN) or port mirroring is useful for network analysis: a copy of the packets received or transmitted by a source port is sent to a designated destination port.
    Kindly go through these links to get detailed information:
    http://www.provantage.com/cisco-systems-css11503-ac~7CSCO288.htm
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a008077c440

  • CSS 11500 Series Query

    Hi
    I have 2 CSS 11500 series units working in a master / slave configuration.
    Both units are identical in regards to hardware, IOS, etc.
    One unit allows the running config to be saved by the 'copy run start' command, whereas the other goes through the motions of saving, but a 'show startup-config' shows nothing.
    This unit seems to be operational in every other regard. Is this a hardware fault or am I missing a software command somewhere along the way ?
    Thanks
    Ian

    You get such problems when the device is running short of memory. Try increasing the DRAM because what is happening is that the device saves the config in the NVRAM but it does not have enough DRAM to display the configuration when the "sh startup-config" command is executed. A temporary solution is to restart the device, if the problem persists then you have to upgrade the memory.

  • CSS 11500 Certificate Signing Request (CSR)

    Would any of you know if and how to configure / generate a wildcard or multi-domain SSL certificate on a CSS 11500 appliance? The "ssl gencsr ..." command doesn't seem to allow me to add more than one domain name during the information gathering.
    Any help or input would be greatly appreciated.
    Thanks,

    Wildcard certs are supported on the CSS.
    The only thing that makes it a CSR for a wildcard certificate is that the common name would be something like "*.yourdomain.com".
    Since a wildcard certificate represents multiple domains, it can be re-used on the multiple https content rules of different IPs.
    The CSR procedure for a wildcard certificate on the CSS is no different from the CSR procedure for a regular certificate (you just need to put something like "*.yourdomain.com" as the common name):
    CSS11506(config)# ssl gencsr app1key
    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]CA
    Locality Name (city) [SomeCity]San Jose
    Organization Name (company name) [Acme Inc]Yourdomain Inc.
    Organizational Unit Name (section) [Web Administration]SSL Admin
    Common Name (your domain name) [www.acme.com]*.yourdomain.com
    Syed
