Dot1x/ACS3.0/RSA ACE server 5.0

Similar Messages

• RSA ACE server SYSLOG collector, Parsing help!

  Hi Board.
  I am in a very big hurry for developing a RSA ACE collector script. The
  already released RSA ACE Collector script is file based and the RSA ACE
  server can dump a CSV log report with an interval of a hour as the
  fastest possible interval. This is not at all satisfying for the
  customer which - due to the latest issue with hacking attacks on EMC's
  network both announced in the press and by letter from EMC and to their
  customers - is not at all acceptable. They need to have logic for
  pattern searches and correlation rules that can respond as close to real
  time as possible.
  We have with success and without any troubles or big efforts installed
  the SNARE agent on the RSA ACE Appliance box. We are receiving the
  events from the RSA server correctly (or we are receiving the events as
  unsupported events because the events is not parsed correctly, but all
  the needed information is there) and I have started development of a new
  Collector script based on the Generic Event Collector (Just
  doubleclicked on New Collector script in the Ant menu).
  So far I have tryed some different approaches. I know that I can totaly
  manipulate with the events received from the Source because I can
  pre-set values via the protoEvt.map file. Even further have I been able
  to set some other values in the Parse function by using the rec2Evt.map
  and then hardcode a value to the desired field by using
  rec.-input_record_field-.
  Therefor I am pretty convinced that I am on the right track.
  Now here is my question:
  Based on this copy-pasted s_RXBufferString value (IP addresses and
  host+domain values changed for protecting the customer):
  Code:
  Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
  *NB!* Swap out [tab] with tablulator delimiter!
  I have tryed this approach (this is the entire Parse Functiomn):
  Code:
  var ValueArray = this.s_RXBufferString.split("\\t");
  rec.msg = this.s_RXBufferString;
  var SourceInfo = ValueArray[0];
  rec.sun = ValueArray[1];
  //e.InitServiceName = ValueArray[1];
  //rec.Service = ValueArray[1];
  //e.EventTime = ValueArray[5];
  //rec.EvtTime = ValueArray[5];
  //e.VendorEventCode = ValueArray[6];
  rec.evtCode = ValueArray[6];
  e.DeviceName = ValueArray[7];
  rec.sun = ValueArray[8];
  //e.EffectiveUserID = ValueArray[8];
  //var OSInitUser = ValueArray[8];
  //e.InitHostName = ValueArray[11];
  rec.shd = ValueArray[11];
  //ValueArray[12] = ValueArray[12].ltrim();
  var AppSpecificMessage = '';
  for(var t = 12; t<count(ValueArray); t+1)
  AppSpecificMessage += ValueArray[t];
  //e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
  rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");
  var A = AppSpecificMessage.search('\(.+\)');
  //e.EventName = 'Debugging RSA';
  //e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
  rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();
  AppSpecificMessage = AppSpecificMessage.match('\(.+\)');
  // var B = AppSpecificMessage.search(')');
  //var B = AppSpecificMessage.search(')');
  // var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
  // var BaseTmpArray = BaseInfo.split(';');
  // var BaseArray = new Array();
  /*for(var i = 0; i<count(BaseTmpArray); i+1)
  var str = BaseTmpArray[i].ltrim();
  var TempAr = str.split(':');
  BaseArray.push(TempAr[1].substring(1,-1));
  /*var AgentArr = BaseArray[6].split(".");
  AgentArr.reverse();
  AgentArr.pop();
  AgentArr.reverse();
  e.InitHostDomain = AgentArr.join(".");
  //rec.InitDomain = AgentArr.join(".");
  e.InitHostDomain = "corp.ad.local";
  if (ValueArray[10] == "Information")
  rec.sev = "0";
  //e.Severity = "0";
  else if (ValueArray[10] == "Warning")
  rec.sev = "3";
  //e.Severity = "3";
  else if (ValueArray[10] == "Error")
  rec.sev = "4"
  //e.Severity = "4";
  else
  rec.sev = "1";
  //e.Severity = "1";
  //e.InitUserID = BaseArray[0];
  rec.LoginName = BaseArray[0];
  //e.InitUserName = BaseArray[1];
  rec.UserName = BaseArray[1];
  //e.customerVar35 = BaseArray[2];
  //rec.Token = BaseArray[2];
  //e.customerVar36 = BaseArray[5];
  //rec.Agent = BaseArray[5];
  instance.SEND_EVENT = true;
  // parsing logic goes here
  /*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
  instance.SEND_EVENT = true;
  // If you can't parse...
  //rec.sendUnsupported();
  return true;
  But it just laughs at me and wont work. It states that there is a
  parsing error: match function something with input.
  Can you please help me build a logic that will work as intended? It
  should be clear what information or which piece of the text that I try
  map to which Event fields (look at the outcommented bits right above or
  below the ones that point to a rec.something because there I have tryed
  just map the information directly).
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715

  > - I'm not sure I understand why you replace the tabs with '|' just to do
  > the split; why can't you just split on tab? You can also investigate our
  > 'safesplit()' method, which understands quoted delimited strings:
  > Novell Login
  > (not sure that's necessary in this case)
  I replaced the tabs with '|' foir easier regex searchess for both
  numbers, alphanummeric and spaces in same match cases - but with the
  opportunity to index better for those searches because I did not need to
  worry about the tabs being recognised as whitespaces anymore.
  The safesplit works fine with '|' but not for this one:
  Code:
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  It reports that: "Cannot find function safesplit".
  If I change that to:
  Code:
  var AppSpecificArray = AppSpecificMessage.split(/\;/);
  It reports that: "Cannot find function split".
  > - The 'substring()' method is defined as taking two arguments:
  > from Required. The index where to start the extraction. First character
  > is at index 0
  > to Optional. The index where to stop the extraction. If omitted, it
  > extracts the rest of the string
  > Neither of those two arguments will *ever* be negative - they always
  > count from the beginning of the string. What you're really trying to do
  > is to extract the substring from the beginning +1 character, to the end
  > -2 characters, which is not how substring() works. But you *can* do
  > something like:
  > this.evt = Msg.substring(1,Msg.length - 2);
  >
  Aha I see. Thanks for the info. However, I tried the suggested this.evt
  = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
  "substring" of null. Remember that I have already testet and verified
  that I do have a value in the Msg variable.
  Here is the newest code. Please notice that I have outcommented the
  desired "result" and is just trying to get something from at least the
  part of the string that I want to parse.
  Code:
  this.msg = this.s_raw_message2;
  var TempTxt = this.s_raw_message2.replace(/\t/g,"|");
  var ValueArray = TempTxt.safesplit("|");
  var SourceInfo = ValueArray[0];
  this.evtCode = ValueArray[6];
  this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
  e.DeviceName = ValueArray[7];
  //AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
  var Msg = ValueArray[14].match(/(?:\|)[^\|]+(?:\()/);
  this.evt = Msg.substring(1,Msg.length - 2);
  //this.evt = Msg;
  AppSpecificMessage = ValueArray[14].match(/(?:\().+(?:\))/);
  if (ValueArray[10] == "Information")
  this.sev = "0";
  else if (ValueArray[10] == "Warning")
  this.sev = "3";
  else if (ValueArray[10] == "Error")
  this.sev = "4"
  else
  this.sev = "1";
  if(TempTxt.match(/(?:Login:\')\S+(?:')/) != false)
  //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage. length - 1);
  //var AppSpecificArray = apptemp.safesplit(";");
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  for(var c = 0; c<count(AppSpecificArray); c + 1)
  var key = AppSpecificArray[c].split(/:/);
  if (key[0] == "(Login")
  if (key[1] == "''")
  this.iuid = ValueArray[8];
  else
  this.iuid = key[1];
  //this.iuid = key[1].substring(1,key[1].length - 1);
  if (key[0] == " User Name")
  if (key[1] == "''")
  this.sun = "System";
  else
  this.sun = key[1];
  //this.sun = key[1].substring(1,key[1].length - 1);
  if (key[0] == " Agent Host")
  if (key[1] == "'')")
  this.shd = "Unknown Host Domain";
  else
  //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
  var TempArr = key[1].plit(/\./);
  TempArr.reverse();
  TempArr.pop();
  TempArr.reverse();
  this.shd = TempArr.join(".");
  if (key[0] == " Token")
  if (key[1] != "''")
  e.CustomerVar35 = key[1];
  //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
  else
  this.shd = "Unknown Host Domain";
  this.iuid = ValueArray[8];
  this.sun = "System";
  instance.SEND_EVENT = true;
  return true;
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715

• Wireless WPA2 + AD + RSA ACE Server possible

  I have a client that wants to use WPA2 authenticated to the Windows Active Directory and also has an RSA ACE Server. The goal os to provide 802.1x security with these 3 devices. I am NOT looking to USE the RSA tokens for this, only the underlying RSA RADIUS service to authenticate clients. Is this possible or do I also need a ACS server?
  The alternative is to use Wireless WPA2 + AD + Windows IAS RADIUS.
  Thanks for any comments,
  Chris Serafin
  Security Engineer
  [email protected]

  Hi Chris,
  I don't think you can use the RSA's radius server without using tokens. If you are looking to authenticate to Active Directory then either use Wireless + IAS + AD or use Wireless + ACS + AD
  There will be no need to bring the RSA into the solution.

• Rsa/ace server radius authentication

  Hi ,
  I am in the process of setting up cisco routers/swithces to authenticate to an RSA/ACE radius server. Basically I would like it to work as follows.
  SSH/Telnet to router switch.I have ace side configured. I have added the necessary users to authenticate list on agent host.
  Username:joebloggs
  Password : ( rsa secure id token here ). Do I have to authenticate then using enable password or what is best practice here ??
  router>en
  router#
  I have the following lines added so far and need some help on the aaa authentication as there seems to be a lot of options
  aaa new-model
  aaa authentication banner # Connection to this device is for authorized users only #
  aaa authentication fail-message # You are not authorized to log on to this device #
  radius-server host x.x.x.x auth-port 1645 acct-port 1813
  radius-server retransmit 3
  radius-server key xxxxxx

  francis
  if you want users who telnet/SSH to vty ports or who are on the console to authenticate with the radius server you should add something like this to your configuration:
  aaa authentication login default group radius line
  This will send an authentication request to the configured radius server and if there is an error from the radius server (this is different from a negative response) then the router will authenticate using the configured line password. This will work for both telnet and SSH connections and for login from the console.
  You are correct that there are quite a few optional parameters. These are to allow flexibility in what is the primary authentication method and what (if any) fall back methods you wish to use.
  From user mode going to enable mode you could configure the router to use the enable password/enable secret or you can configure it to use radius. I believe that best practice is to use radius rather than the local enable password/enable secret.
  aaa authentication enable default group radius enable
  HTH
  Rick

• RSA Secure ID ACE/Server and gateway  IDM

  Hi all,
  we are trying to integrate and RSA server with IDM 6.0SP2.
  I do not understand this phrase on resource references doc.
  If SecurID is installed on Windows, the Identity Manager gateway must be running on
  the same system where the RSA ACE/Server is installed.it means that the gateway from RSA server must run on the same server where is running RSA ?
  Someone has integrated the appliance RSA installing on it the gateway ?
  Thanks,
  mazant

  The port should be 9278. Enable the gateway trace and see if it is logging anything to the trace file.

• SecureID / ACE Server different applications

  Dear all
  Is there a way to have more than one SecureId-Profile?
  We have a client asking for for different profiles while using a RSA ACE Server a login authority for example:
  PowerUsers: should have access to the full desktop and all applications
  StandardUsers: should have Outlook only in a seamless window
  Any ideas / help really appreciated....
  Thank you
  Support

  Found the solution. Problem was the acecInt.dll in the System32 folder was mismatching with the one in the RSA install folder. I copied the dll from the RSA install folder to the System32 and it started to work fine.
  The error i was getting was "Get file operation with no or unknown handle aborted".

• Remote Access using RSA ACE

  Please can anyone help me regarding getting a windows dialup user to get access to internal resourced once authentication to RSA ACE server has been successful.
  I have setup AAA authentication & authorization.
  I can get the user to authentication to the RSA ACE server but after authentication i cannot get authorization to work but it has been configured in the list.see below
  aaa authentication login default group tacacs+ local
  aaa authentication login ACE group radius local
  aaa authentication enable default group tacacs+ enable
  aaa authentication ppp ACE if-needed
  aaa authorization network ACE if-authenticated none
  aaa accounting commands 15 default start-stop group tacacs+
  interface Group-Async1
  description ** modem lines **
  ip unnumbered GigabitEthernet0/0
  encapsulation ppp
  ip route-cache policy
  dialer in-band
  dialer idle-timeout 600
  dialer-group 1
  autodetect encapsulation ppp
  async mode interactive
  peer default ip address pool DIALIN
  ppp authentication pap ms-chap ms-chap-v2 ACE
  ppp authorization ACE
  group-range 1/0 1/7
  line 1/0 1/7
  login authentication ACE
  modem InOut
  transport input all
  autoselect during-login
  autoselect ppp
  flowcontrol hardware
  the debug message i get is as follows
  AAA/AUTHOR (000000A3): Method list id=0 not configured. Skip author
  The username/password window on the client PC just sits there and then times out...
  Any help is welcome

  Under the group Async you have:
  interface Group-Async1
  ppp authorization ACE
  This line is normally not needed and I presume it is the cause of your trouble because there is no corresponding line in the aaa-section. This sample is from a working configuration:
  interface Group-Async1
  bandwidth 56
  ip unnumbered Loopback1
  encapsulation ppp
  ip tcp header-compression passive
  dialer in-band
  dialer idle-timeout 300
  dialer enable-timeout 8
  dialer-group 1
  async mode interactive
  peer default ip address pool ippool
  no keepalive
  ppp authentication chap pap
  group-range 65 76
  regards,
  Leo

• RSA SecureID ACE/Server 6.1.2 integration issue with IDM2005Q4M3

  I tried the SecureID adapter with the following steps:
  1.setup the idm gateway on SecureID Server
  2.copy SecureID's apidemon.exe to gateway.exe folder
  3.add the administrator on secureid server and use it on idm resource adapter
  4.run gateway.exe -d -fsso.log -l6
  5.configure the SecureID adapter resource and test configuration is ok
  6.add a rsa_test user on IDM, then assign the SecureID resource to the user
  before step 6 every thing is fine, but the step 6 cause the IDM hangup, nothing response from gateway.
  while I assign the user with SecureID resource in IDM, the gateway trace log print the trace log below and then hanged up:
  01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/securid/SecurIdExtension.cpp,1439): Enter: login
  01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (8) moded to 1
  my environment:
  idm 2005Q4M3 on linux
  gateway: Sun Java System Identity Manager 6.0 SP1 HF82 on windows 2003 sp1
  RSA SecureID ACE/Server: 6.1.2 on windows 2003 sp1
  Any help on RSA SecureID ACE/Server 6.1.2 integration with IDM2005Q4M3 is greatly appreciated.
  Or anybody can send me some more docs on the integration process and the check point?
  My email: [email protected]
  Please help!
  Edited by: Brave on Jan 9, 2008 4:36 AM

  Found the solution. Problem was the acecInt.dll in the System32 folder was mismatching with the one in the RSA install folder. I copied the dll from the RSA install folder to the System32 and it started to work fine.
  The error i was getting was "Get file operation with no or unknown handle aborted".

• Not able to run a reconciliation from IDM on a the securID/ACE server UNIX

  I have configured a securID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA form IDM, but when I run a reconciliation I get the following error,
  Error iterating accounts for resource RES-User-RSA-Projects:
  com.waveset.util.WavesetException: Trouble constructing User 'null'
  Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
  Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
  SecurIdUnixResourceAdapter#getFeatures() Entryno args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Exit void
  SecurIdUnixResourceAdapter#procTearDown() Entry no args
  SecurIdUnixResourceAdapter#procTearDown() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
  SecurIdUnixResourceAdapter#constructUser() Entry no args
  SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void

  Anybody out there who has configured SUN IDM to provision into RSA SecureID Ace/Server UNIX? Any help on this is greatly appreciated!

• Secure ID Ace Server

  We are trying to configure SecurID ACE/Server for Windows (ACE Server version 6.0). We have followed the below steps.
  <ol><li>Installed the Sun IdM Gateway on the NT where the ACE Accounts are being created </li>
  <li>Copied the apidemon from the ACE/Server installation directory to c:\winnt\system32 </li>
  <li>RSA ACE Agent Host added. </li>
  </ol>
  When we check for the Test Configuration we get connection Timed out error with port 9278.
  And with the ports : 8098 java.io.EOFException: \n
  With port 8198 java.net.SocketException: Connection reset\n
  Please help us out with your ideas.
  Thanks
  Swarna

  The port should be 9278. Enable the gateway trace and see if it is logging anything to the trace file.

• ACS appliance -- AD -- RSA Securid Server

  I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
  Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
  But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
  Here's more info:
  In Active Directory, remote agent for ACS installed succesfully. Agent for RSA is also installed succesfully.
  In ACS appliance, remote agent was already pointed to AD.
  No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
  How can I manage to configure RSA SecurID Token Server in my ACS appliance?

  Hello,
  The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
  I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
  ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
  One thing to point out straight away also mentioned in the document mabove:
  Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:
  CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
  This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
  username: xxxx
  password: xxxx
  Password Authentication Protocol (PAP) is a better choice here.
  This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the propper combination out of different clearly named input fields to simplify the input for unexperienced users.
  Hope this helps! Please rate all posts.
  Regards, Martin

• ACS 4.0 and RSA Token Server problem

  Hi,
  We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
  Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
  I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
  When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
  After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
  Any help or advice appreciated.
  Thanks

  Hi,
  The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
  Following link talks about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
  Regards,
  ~JG

• ACS5.2 with Radius to RSA token server

  I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS usinf radius and want to use my RSA token server to authenticate my users. I have setup my RSA server under "Radius Identiny Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug in my 802.1x enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). . It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

  It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, I would start troubleshooting by looking at them and see what identity store or identity store sequence they are using.

• JAAS to RSA RADIUS Server

  I need to write a JAAS module that will validate passwords against an RSA RADIUS Server (via RSA's Authentication Manager).
  I'm not seeing the sort of api's I saw when I did a similar module for Siteminder, so a couple of questions:
  - Is there a Java API for RSA Authentication Manager? (I'm not finding one on their website or via Google)
  - If I need to use a RADIUS client what's the best (open source) choice?
  Thanks in advance-- Mike

  If I got your right, they provide you a RADIUS Server, so you don't need a special API. just go on sourceforge (www.sf.net) and try one of the available java radius client APIs to do the authentication as a proxy between your user and the RADIUS server.
  I wrote a very simple one back in 2001 for the authentication against a RADIUS server only and not a full implmenetation of standard, but I think now on sf you will find much more mature ones.

• Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

  Hello,
  What we are trying to do:
  John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
  We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
  We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
  Here is what we are seeing
  1. dynamic vlan assignment is not working -- radius server is set with the attributes
  2. RSA authentication works
  3. John and Mary are always put into the VLAN where the MGMT interface is
  4. I can see that attributes are making it back to the WLC by sniffing
  We are stuck at this point. Any help would be much appreciated,
  P.

  Here is a little more background:
  We have created a dynamic interface in VLAN 157
  Wireless LAN has been assigned to MGMT interface which is on VLAN 35
  This is a VWLC ver 7.4.100
  AP is attached to VWLC (only FlexConnect mode is supported)
  RADIUS Server has been configured
  Users are getting assigned to VLAN 35
  Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
  I dont see any atttributes in the capture when RSA sends to the VWLC
  I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
  And to answer your question we have sending a VLAN ID (157)