LEAP, ACS and RSA Token Card

Hello,
Is it possible to use LEAP with an RSA Token Card to authenticate WLAN users in combination with ACS?
Best Regards,

You can use RSA SecurID with PEAP only. You will need at least ACS 3.2 with ACU 6.3 / ADU 1.0.
I have it working with limited functionality.

Similar Messages

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    The following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with username Axxxx, the other Bxxxx.
    Now we try to differentiate the authentication for the two groups: one permitted, the other denied.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; it would probably be qualified as part of ISE 1.3.

  • ACS and RSA

    Not sure if this is the right area but here it goes. I have an ACS server which uses an RSA server to perform authentication. I want to test a 2nd RSA server with the same ACS server but as far as I can tell I can only have one RSA server as an external DB. Is there a way to create 2 separate RSA servers?

    To the best of my knowledge, if you are willing to edit/modify/create a list of users in ACS, each using SDI as an external authentication method, then you can edit/modify the group mappings/membership for each user in the ACS database. HTH

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would very much appreciate it if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below are the steps I took to set up the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
    2. Uploaded sdconf.rec via FTP in the external database configuration. (Used Wireshark and confirmed the file transferred successfully.)
    3. Defined the unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
    All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
    One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
    Other than that, from what I understand, you've done everything correctly.

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens, with Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAPv2.
    2. Cisco supports PEAP and inside it MSCHAPv2 or EAP-GTC.
    We tried using the RSA-provided EAP client with both the EAP Security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third-party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native), ACS gives "external DB password invalid" and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one-time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd-party Dell client, we can successfully authenticate using either PEAP-GTC (Cisco PEAP), EAP-FAST or EAP-FAST-GTC.
    A list of EAP protocols supported by the RSA is attached.
    Also below is the link which says that MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and trying to authenticate using RADIUS through a firewall or Cisco router authentication proxy.

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two-factor authentication? We have recently deployed ACS and use RSA two-factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privilege level authentication "enable", this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful, however the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin, the first thing that I think of is that you cannot use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS 5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "RADIUS Identity Servers" in the external identity stores section of the ACS 5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x-enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up. I would start troubleshooting by looking at them and seeing what identity store or identity store sequence they are using.

  • EAP-TTLS with GTC (Generic Token Card)

    Greetings iPad Forum,
    Our corporate wireless is currently set up to use EAP-TTLS with EAP-GTC (Generic Token Card) for the inner identity. In other words, once a connection to the AP is initiated from a PC or Mac, the user is prompted for their RSA SecurID Passcode. No such luck on the iPad - it thinks that the AP is using TLS and wants a Certificate instead of a Token.
    As a next step, I started playing with the iPhone Configuration Utility. It is possible to manually specify that the AP is using EAP-TTLS, but I see that EAP-GTC is not an inner identity option - only the *AP methods (PAP, CHAP, etc.).
    Has anyone successfully connected to a Wifi network requiring EAP-GTC? I know that Tokens are supported for VPN, but not Wifi?

    Keep playing with the iPCU. EAP-GTC with one-time password needs to be configured using a mobile configuration containing the WiFi payload. If configured on-device, iOS will continue to use the cached password causing account lockout.
    For (a little) more information see: http://www.enterpriseios.com/wiki/Enterprise_Integration

  • Router login with RSA token

    Is there any way to secure the login process of a router using an RSA token?
    And how do I do that?
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with RADIUS and then set up the authentication server to use the RSA server as the authentication processor (an external authentication to the TACACS or RADIUS server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick

  • DES and RSA test applet

    Hello all,
    I have to test DES and RSA with some Java Card, but I have NO idea with it.
    Is there any sample applets or any good site to learn it?
    If I can have applet files, that will be great.
    Thanks a lot,
    Julie.

    This could be an issue, for example, if there is a card that doesn't implement javacardx.crypto. Creating Cipher myCipher as a member variable would throw an exception if it's not implemented on the card. This ultimately will prevent it from being loaded.
    Take your CAP file and try to load it with the reference implementation and you'll see what I mean. Also, try to compile and generate a CAP file outside the JCOP IDE environment. You'll see what ticks me off about the Sun kit. It would still generate the CAP file. BUT crypto isn't implemented in the Sun kit. It should kick out an export not found message.
    Discarding objects isn't needed because, if you notice, the JC uses a facade design pattern for the crypto implementations to assure only one instance is created. That's the getInstance() methods.

  • SecurID Token Cards

    Please do let me know if this is possible:
    The client browsers need to access the Oracle 9i AS and then the 9i DB using SecurID Token Cards over SSL. The SSL layer is between the browser and the 9iAS. So do I need ASO to use the SecurID Token Cards?
    Our applications are written in JSP and servlets/HTML forms etc.
    I would appreciate it if you could provide me with the details... The Oracle 9i security admin manual is not very clear on this.

    Hello,
    I have the same problem. Is there any solution?
    Thanks for any advice.

  • SSLVPN with RSA TOKEN

    Hi
    Does the firewall support SSL VPN with the RSA token concept with the below mentioned license?
    Currently remote access VPN is configured. If yes, what are the changes required?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    As far as I know, you will need an AAA server to communicate with the RSA server, like below:
    Cisco ASA ---> ACS ---> RSA Server
    The license is fine.
    This is the guide for setup: http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

  • Lost connection between ACS and AD

    Hi
    I'm having trouble with authentication to my WLAN. We are running a solution with LEAP and ACS 3.0 which gets its users from our Active Directory. During the summer our ACS servers seem to have lost the AD connection and I'm no longer able to EAP-authenticate. All I get in the ACS is "Radius extension DLL rejected user".
    The AD and the ACS are on the same network but not on the same machine. I can log in if I add a local user in the ACS. I've also tried to empty my cached user database in the ACS but to no avail.
    One theory of mine is that it has something to do with a couple of hotfixes that Microsoft released in the middle of July.
    T.I.A
    /Tommy

    Hi
    Thanks for your replies. An update on the issue:
    I've gone through the issues in the suggestion made by Cisco in the link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml
    but to no avail.
    At first we could see an error in the event log stating that the user didn't have sufficient rights, but it disappeared when we created an account and ran the ACS services via it.
    After that we tried to set up a local user in the ACS and it works like a charm, even though the AD accounts can't connect.
    We also tried to remove the hotfixes released by Microsoft but still nothing.
    Right now it seems as if the AD authenticates the user correctly but then the ACS says no. Here's the event log and the corresponding ACS log.
    NT
    AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [LINEDU\gustomedu]
    AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
    AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by METIS)
    AUTH 08/19/2004 08:20:27 E 0266 1524 External DB [NTAuthenDLL.dll]: LookupAccountSidA failed
    ACS
    08/19/2004 08:20:27 Authen failed LINEDU\gustomedu Default Group 000a8aa291a8 Radius extension DLL rejected user .. .. 37 148.136.120.30
    The status right now is that it is working as long as we restart the ACS-server once a day.
    Tommy
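The pattern in the two logs above (the external DB reports the backend authentication as SUCCESSFUL, then an E-level line follows in the same thread and ACS records a rejection) is easy to miss by eye in a busy auth.log. The following is an added example, not code from the thread or from Cisco: a small parser for ACS auth.log lines of the shape shown above that groups entries by process/thread id and reports sessions where the backend succeeded but a post-authentication step then failed. The sample log text is the four lines quoted in the post; the field layout (source, date, time, level, pid, tid, message) is assumed from those lines.

```python
import re
from collections import defaultdict

# Sample input: the auth.log lines quoted in the post above (constructed from the thread)
SAMPLE_AUTH_LOG = """\
AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [LINEDU\\gustomedu]
AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by METIS)
AUTH 08/19/2004 08:20:27 E 0266 1524 External DB [NTAuthenDLL.dll]: LookupAccountSidA failed
"""

# Assumed layout of an "External DB" auth.log line, taken from the lines above:
# source date time level pid tid External DB [dll]: message
LINE_RE = re.compile(
    r"^(?P<src>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[IEW]) (?P<pid>\d+) (?P<tid>\d+) External DB \[(?P<dll>[^\]]+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"for user \[(?P<user>[^\]]+)\]")


def parse_auth_log(text):
    """Return one dict per External DB line; lines in another format are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_post_auth_failures(text):
    """Report sessions where the backend said SUCCESSFUL and an E-level line followed.

    Entries are grouped by (pid, tid) so interleaved sessions from other threads
    do not get mixed together. One finding per session, at the first error."""
    sessions = defaultdict(list)
    for rec in parse_auth_log(text):
        sessions[(rec["pid"], rec["tid"])].append(rec)

    findings = []
    for recs in sessions.values():
        user, backend_ok = None, False
        for rec in recs:
            um = USER_RE.search(rec["msg"])
            if um:
                user = um.group("user")
            if "SUCCESSFUL" in rec["msg"]:
                backend_ok = True
            elif backend_ok and rec["level"] == "E":
                findings.append({
                    "time": rec["date"] + " " + rec["time"],
                    "user": user,
                    "dll": rec["dll"],
                    "error": rec["msg"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_post_auth_failures(SAMPLE_AUTH_LOG):
        print("%(time)s %(user)s: %(dll)s succeeded against the backend, then: %(error)s" % f)
```

Run over the sample it reports one session: the NT/2000 authentication for LINEDU\gustomedu succeeded and NTAuthenDLL.dll then failed on LookupAccountSidA, which is the same story the ACS log tells as "Radius extension DLL rejected user". On a real auth.log the same loop separates "backend rejected the credentials" from "backend accepted, ACS failed afterwards", which are two very different things to chase.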

  • Unsucessful ACS to RADIUS token server exchange

    Hello team:
    We are having a hard time trying to make our ACS 4.2 talk to an external FreeRADIUS token server.
    When our ACS sends the Access-Request message, our FreeRADIUS token server answers with an Access-Accept message with zero attributes on the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer as an error and so the transaction fails.
    In order to compare with another platform working as the RADIUS server, we replaced our FreeRADIUS token server by another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
    (1) Framed-IP = 255.255.255.255
    (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
    We went back to our FreeRADIUS as the external RADIUS server of our ACS, and configured it to generate and return exactly the previous kind of message to the ACS working as RADIUS client; however, when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
    So we are missing something.
    Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
    Thank you very much in advance
    Rogelio Alvez
    Argentina

    Thanks for the interest Tarik!
    Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
    ACS Debug from a terminal monitor
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
    2w1d: AAA/AUTHEN (4096347873): status = GETUSER
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
    2w1d: AAA/AUTHEN (4096347873): status = GETPASS
    2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
    2w1d: RADIUS: ustruct sharecount=1
    2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
    2w1d:         Attribute 4 6 C0A800CB
    2w1d:         Attribute 5 6 00000007
    2w1d:         Attribute 61 6 00000005
    2w1d:         Attribute 1 15 63616D61
    2w1d:         Attribute 31 15 3139322E
    2w1d:         Attribute 2 18 893A4B64
    2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
    2w1d:         Attribute 18 12 52656A65
    2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
    2w1d: AAA/AUTHEN (4096347873): status = FAIL
    2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
    2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
    2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
    2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
    2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
    2w1d: AAA/AUTHEN/START (2072451976): found list pepe
    2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
    2w1d: AAA/AUTHEN (2072451976): status = GETUSER
    Freeradius Debug
    rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
        User-Name = "camara/829113"
        NAS-IP-Address = 192.168.0.3
        NAS-Port = 6372
        NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
        User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
    # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
    [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
    ++[auth_log] returns ok
    [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
    [IPASS] Found realm "DEFAULT"
    [IPASS] Adding Stripped-User-Name = "829113"
    [IPASS] Adding Realm = "DEFAULT"
    [IPASS] Authentication realm is LOCAL.
    ++[IPASS] returns ok
    [suffix] Request already proxied.  Ignoring.
    ++[suffix] returns ok
    ++[files] returns noop
    ++[control] returns noop
    rlm_perl: Response: 201: Succeeded
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    Found Auth-Type = Perl
    # Executing group from file /etc/freeradius/sites-enabled/vuserver
    +- entering group Perl {...}
    rlm_perl: Added pair User-Name = camara/829113
    rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
    rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
    rlm_perl: Added pair Realm = DEFAULT
    rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
    rlm_perl: Added pair NAS-Port = 6372
    rlm_perl: Added pair Stripped-User-Name = 829113
    rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
    rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
    rlm_perl: Added pair Auth-Type = Perl
    ++[perl] returns ok
      WARNING: Empty post-auth section.  Using default return values.
    # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
    Sending Access-Accept of id 23 to 192.168.0.3 port 3912
        Framed-IP-Address = 255.255.255.255
        Class = 0x434143533a302f3265662f37663030303030312f31383133
    Finished request 3.
    Going to the next request
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 23 with timestamp +575
    Ready to process requests.
    Inside the file archive.zip you'll find
    cap_freeradius.cap (communication sniffed between the ACS and the FreeRADIUS)
    captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything is OK)
    If you need more information or output please let me know.
    Rogelio
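The two posts above turn on what a RADIUS client is entitled to expect in an Access-Accept: per RFC 2865 an Access-Accept with zero attributes is a valid packet, and the Framed-IP-Address and Class attributes ACS returned are ordinary Type/Length/Value attributes (Class is opaque to the client and only has to be echoed back in accounting). The following is an added example, not code from the thread, from Cisco or from FreeRADIUS: it encodes and decodes RADIUS attributes, builds the Access-Accept FreeRADIUS printed above (ID 23, the Class value as shown, Framed-IP-Address 255.255.255.255) plus the zero-attribute variant, and runs the check every RADIUS client performs before trusting a reply, the Response Authenticator (MD5 over Code + ID + Length + Request Authenticator + Attributes + shared secret). The shared secret and the Request Authenticator are constructed for the demo; RFC 2865 says a reply that fails that check is silently discarded rather than treated as a Reject, which is why a secret mismatch looks like a timeout on the client side.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types appearing in the FreeRADIUS debug in the post above
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25

# Class value exactly as FreeRADIUS printed it above
CLASS_HEX = "434143533a302f3265662f37663030303030312f31383133"
# Constructed shared secret for the demo; not from the thread
SHARED_SECRET = b"example-shared-secret"


def encode_attributes(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attributes(data):
    """Parse the attribute area of a packet, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_reply(code, ident, request_authenticator, attrs, secret):
    """Build an Access-Accept/Reject. RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_authenticator, secret):
    """The check a RADIUS client performs before trusting a reply. A failed check
    means the packet is silently discarded (RFC 2865), not treated as a Reject."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def describe_attribute(atype, value):
    """Render the two attributes the thread discusses the way the debug output shows them."""
    if atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
        return "Framed-IP-Address = %s" % ipaddress.IPv4Address(value)
    if atype == ATTR_CLASS:
        # Class is opaque to the client; it happens to be printable here, so show it
        return "Class = 0x%s (%s)" % (value.hex(), value.decode("ascii", "replace"))
    return "Attribute %d = 0x%s" % (atype, value.hex())


def demo(ident=23, secret=SHARED_SECRET):
    """Build the Access-Accept from the debug above and the zero-attribute variant, verify both."""
    req_auth = os.urandom(16)  # constructed: the Request Authenticator the client sent
    accept = build_reply(ACCESS_ACCEPT, ident, req_auth, [
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("255.255.255.255").packed),
        (ATTR_CLASS, bytes.fromhex(CLASS_HEX)),
    ], secret)
    empty_accept = build_reply(ACCESS_ACCEPT, ident, req_auth, [], secret)
    return {
        "length": len(accept),
        "empty_length": len(empty_accept),
        "verifies": verify_reply(accept, req_auth, secret),
        "empty_verifies": verify_reply(empty_accept, req_auth, secret),
        "wrong_secret_verifies": verify_reply(accept, req_auth, b"not-the-configured-secret"),
        "attributes": [describe_attribute(t, v) for t, v in decode_attributes(accept[20:])],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Two things the output makes concrete: the zero-attribute Access-Accept is a well-formed 20-byte packet that verifies exactly like the 52-byte one, so attribute content alone should not decide acceptance; and the same packet fails verification under a different secret. The Class value from the FreeRADIUS debug decodes to the text CACS:0/2ef/7f000001/1813, the session-tracking string ACS hands out, which the client is expected to return unchanged in accounting rather than interpret.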
