RSA and SPNEGO

Hi -
As part of one of our projects - We actually configured RSA authentication using the SI JAAS Module in the EP 7.0 Environment - and it worked successfully. Now, as next step, we are trying to configure the Portal for Single Sign On within the Network - via SPNEGO. Do you foresee any issues/customization or will it work without glitches? Any suggestions?
Let me know.
Thanks.

Mayur,
If you construct the JAAS stack correctly, you should be fine.
You probably want:
EvaluateTicket - sufficient
SPNEGO - optional
CreateTicket - sufficient
RSA - optional
CreateTicket - sufficient
Basic - Requisite
CreateTicket - optional
The idea here is that CreateTicket only succeeds if there is a valid user in the context - so having CreateTicket as sufficient down the stack means that as soon as one of the (optional) modules above populates a valid user, a ticket is created and the stack is exited, all the way down to the usual Basic/CreateTicket pair at the bottom, which is your fallback username/password authentication.
Hope this helps,
Darren
Read my blog: http://www.fortybeans.com/
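
The flag semantics behind the stack in the reply above, as an added simulation (not code from the post or from SAP). It models only the standard JAAS control flags; the class name, the scenario sets, the rule that CreateTicket succeeds once an earlier module has set a user, and the all-optional variant used for contrast are assumptions.

```java
import java.util.List;
import java.util.Set;

// Added illustration (Java 17). No SAP classes are used; only the JAAS control flags are modelled.
public class JaasStackSim {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }
    record Module(String name, Flag flag) {}
    record Outcome(boolean authenticated, int exitedAfter, String user) {}

    // The stack from the post, top to bottom.
    static final List<Module> POSTED = List.of(
        new Module("EvaluateTicket", Flag.SUFFICIENT),
        new Module("SPNEGO",         Flag.OPTIONAL),
        new Module("CreateTicket",   Flag.SUFFICIENT),
        new Module("RSA",            Flag.OPTIONAL),
        new Module("CreateTicket",   Flag.SUFFICIENT),
        new Module("Basic",          Flag.REQUISITE),
        new Module("CreateTicket",   Flag.OPTIONAL));

    // Hypothetical misconfiguration for contrast: every CreateTicket marked optional.
    static final List<Module> ALL_OPTIONAL = POSTED.stream()
        .map(m -> m.name().equals("CreateTicket") ? new Module(m.name(), Flag.OPTIONAL) : m)
        .toList();

    /** Walks the stack the way a JAAS LoginContext applies control flags. */
    static Outcome run(List<Module> stack, Set<String> presented) {
        String user = null;
        boolean mandatoryFailed = false, sawMandatory = false, anySucceeded = false;
        for (int i = 0; i < stack.size(); i++) {
            Module m = stack.get(i);
            boolean ok;
            if (m.name().equals("CreateTicket")) {
                ok = user != null;                       // assumption: needs a user from an earlier module
            } else {
                ok = presented.contains(m.name());       // the request carries credentials for this module
                if (ok && user == null) user = "user-via-" + m.name();
            }
            switch (m.flag()) {
                case REQUIRED -> { sawMandatory = true; if (!ok) mandatoryFailed = true; }
                case REQUISITE -> {
                    sawMandatory = true;
                    if (!ok) return new Outcome(false, i + 1, user);   // fail and stop immediately
                }
                case SUFFICIENT -> {
                    if (ok && !mandatoryFailed) return new Outcome(true, i + 1, user); // succeed and stop
                }
                case OPTIONAL -> { /* result noted, evaluation continues */ }
            }
            anySucceeded |= ok;
        }
        return new Outcome(!mandatoryFailed && (sawMandatory || anySucceeded), stack.size(), user);
    }

    public static void main(String[] args) {
        List<Set<String>> scenarios = List.of(
            Set.of("EvaluateTicket"), Set.of("SPNEGO"), Set.of("RSA"),
            Set.of("Basic"), Set.<String>of());
        for (Set<String> s : scenarios) {
            System.out.printf("%-18s posted:       %s%n", s, run(POSTED, s));
            System.out.printf("%-18s all-optional: %s%n", s, run(ALL_OPTIONAL, s));
        }
    }
}
```

With the posted flags a SPNEGO user leaves the stack after module 3 and an RSA user after module 5; with every CreateTicket optional, both fall through to the requisite Basic module and are rejected.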

Similar Messages

  • RSA and Cyberflex

    hi,
    Does anyone know if there is a problem with RSA and the card "Cyberflex 64 ko"? When I try to use RSA 1024 bit with this card, it returns 6F00.
    I think the problem is on this line:
    KeyPair pairDeCle = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
    The same applet (same .cap) works with my other card. (In the card specification they say we can use the card with RSA 1024 or 2048 bit.)
    regards
    nico

    my applet: (it is the same code of the post "RSA && contactless" with try/catch in addition)
    package fr.moneo_RSA_Biometrie;

    import org.javacardforum.javacard.biometry.SharedBioTemplate;
    //import fr.alex.biometry.SharedBioTemplate;
    import javacard.framework.AID;
    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISOException;
    import javacard.framework.ISO7816;
    import javacard.framework.JCSystem;
    import javacard.framework.OwnerPIN;
    import javacard.security.DESKey;
    import javacard.security.CryptoException;
    import javacard.security.KeyBuilder;
    import javacard.security.KeyPair;
    import javacard.security.RSAPrivateKey;
    import javacard.security.RSAPublicKey;
    import javacardx.crypto.Cipher;

    public class Application_moneo_RSA_biometrie extends Applet {
        final byte CLA_MONAPPLET = (byte) 0xB0;
        final byte INS_INCREMENTER_COMPTEUR = 0x00;
        final byte INS_DECREMENTER_COMPTEUR = 0x01;
        final byte INS_INTERROGER_COMPTEUR = 0x02;
        final byte INS_INITIALISER_COMPTEUR = 0x03;
        final byte INS_SAISIR_CODE = 0x04;
        final byte INS_CRYPTO = 0x05;
        final byte INS_INIT = 0x06;
        private boolean flagCrypto = false;
        Cipher ecipher;
        private DESKey key;
        KeyPair pairDeCle;
        public OwnerPIN pin;
        private byte[] pinBon = {0x31,0x30,0x30,0x30};
        private RSAPublicKey clePublic;
        private RSAPrivateKey clePrive;
        private byte[] Crypto;
        private byte compteur;
        private AID bioServerAID;
        SharedBioTemplate bioImpl;
        private static final byte[] BIO_SERVER_AID = {(byte)0x01, (byte)0x02, (byte)0x03,(byte)0x04, (byte)0x05, (byte)0x06,(byte)0x07, (byte)0x08, (byte)0x07,(byte)0x06, (byte)0x05, (byte)0x04};

        public Application_moneo_RSA_biometrie() {
            compteur = 5;
            pin = new OwnerPIN((byte)2, (byte)4);
            pin.update(pinBon, (short)0, (byte)4);
        }

        public static void install(byte bArray[], short bOffset, byte bLength)
            throws ISOException {
            new Application_moneo_RSA_biometrie().register();
        }

        public void process(APDU apdu) throws ISOException {
            byte[] buffer = apdu.getBuffer();
            // On SELECT: generate the key pair and return the public key to the terminal
            if (this.selectingApplet()){
                initialisation();
                bioServerAID = JCSystem.lookupAID(BIO_SERVER_AID,(short)0,(byte)BIO_SERVER_AID.length);
                bioImpl = (SharedBioTemplate) JCSystem.getAppletShareableInterfaceObject(bioServerAID,(byte)0);
                apdu.setOutgoing();
                apdu.setOutgoingLength((short)Crypto.length);
                apdu.sendBytesLong(Crypto,(short) 0, (short) Crypto.length);
                return;
            }
            if (buffer[ISO7816.OFFSET_CLA] != CLA_MONAPPLET) {
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            }
            switch (buffer[ISO7816.OFFSET_INS]) {
            case INS_INIT:
                break;
            case INS_SAISIR_CODE:
                byte byteRead = (byte) apdu.setIncomingAndReceive();
                byte[] partieAdecrypter = RecupererPartieDeAPDU(apdu.getBuffer(), (short)5, (short)byteRead);
                byte[] derypt = decrypter(partieAdecrypter);
                short u =0;
                for(short i = 5; i<9; i++){
                    buffer[i] = derypt[u];
                    u++;
                }
                short result = bioImpl.match(buffer,(short) 5, (short) 4);
                if (!bioImpl.isValidated()){
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            case INS_INCREMENTER_COMPTEUR:
                if (bioImpl.isValidated())
                    compteur++;
                else {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            case INS_DECREMENTER_COMPTEUR:
                if (bioImpl.isValidated())
                    compteur--;
                else {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            case INS_INTERROGER_COMPTEUR:
                if (bioImpl.isValidated()){
                    byte[] valeur = new byte [2];
                    valeur[0] = compteur;
                    apdu.setOutgoing();
                    apdu.setOutgoingLength((short)valeur.length);
                    apdu.sendBytesLong(valeur,(short) 0, (short) valeur.length);
                }else {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            case INS_INITIALISER_COMPTEUR:
                if (bioImpl.isValidated()) {
                    apdu.setIncomingAndReceive();
                    compteur = buffer[ISO7816.OFFSET_CDATA];
                }
                else {
                    ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
                }
                break;
            default:
                ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }

        public byte[] RecupererPartieDeAPDU(byte[] tableauReference, short offset, short length){
            byte[] copieTableau = new byte[length];
            short u =0;
            for (short i= offset; i<(short)(offset+length); i++){
                copieTableau[u]=tableauReference[i];
                u = (short)(u + 1);
            }
            return copieTableau;
        }

        public void initialisation(){
            try{
                // key-pair allocation that the post suspects of returning 6F00
                pairDeCle = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_1024);
            } catch (CryptoException e){
                // only the first throwIt runs, so the status word does not depend on e.getReason()
                ISOException.throwIt((short) e.ILLEGAL_USE);
                ISOException.throwIt((short) e.ILLEGAL_VALUE);
                ISOException.throwIt((short) e.INVALID_INIT);
                ISOException.throwIt((short) e.NO_SUCH_ALGORITHM);
                ISOException.throwIt((short) e.UNINITIALIZED_KEY);
            } catch (Exception e){
                ISOException.throwIt((short)4000);
            }
            pairDeCle.genKeyPair();
            clePublic = (RSAPublicKey) pairDeCle.getPublic();
            clePrive = (RSAPrivateKey) pairDeCle.getPrivate();
            byte[] buffer1 = new byte[1024];
            short tailleExponent = clePublic.getExponent(buffer1, (short)0);
            byte[] exponent = new byte[tailleExponent];
            clePublic.getExponent(exponent, (short)0);
            byte[] buffer2 = new byte[512];
            short tailleModulus = clePublic.getModulus(buffer2, (short)0);
            byte[] modulus = new byte[tailleModulus];
            clePublic.getModulus(modulus, (short)0);
            // prefix the modulus with 0x00 so it is read as a positive integer
            byte[] positif = new byte[1];
            positif[0] = (byte)0x00;
            byte[] moduluspositif = concatener(positif, modulus, (short)0, (short)modulus.length);
            byte[] sizeExp = new byte[1];
            byte[] sizemodulus = new byte[1];
            sizeExp[0] = (byte)exponent.length;
            sizemodulus[0] = (byte)moduluspositif.length;
            // response layout: len(exponent) | exponent | len(modulus) | modulus
            byte[] tailleAndExp = concatener(sizeExp, exponent, (short)0, (short)exponent.length);
            byte[] tailleAndmodulus = concatener(sizemodulus, moduluspositif, (short)0, (short)moduluspositif.length);
            Crypto = concatener(tailleAndExp, tailleAndmodulus, (short)0, (short)tailleAndmodulus.length);
        }

        public byte[] concatener(byte[] tableRef, byte[] tabACopier, short offset, short lenght){
            byte [] newTab = new byte[(short)(tableRef.length + lenght)];
            for(short o = 0; o < (short)tableRef.length; o++){
                newTab[o] = tableRef[o];
            }
            short u = 0;
            for(short i = (short) tableRef.length; i < (short)(tableRef.length + lenght); i++){
                newTab[i] = tabACopier[u];
                u = (short)(u + 1 + offset);
            }
            return newTab;
        }

        public byte[] recuperDonnee(APDU apdu){
            byte[] buf = apdu.getBuffer();
            short lc = apdu.setIncomingAndReceive();
            byte[] data = new byte[lc];
            short u =0;
            for(short i = 5; i<(short)(5+lc);i++){
                data[u] = buf[i];
                u = (short) (u+1);
            }
            return data;
        }

        public byte[] decrypter(byte[] data ){
            Cipher cipher = Cipher.getInstance(Cipher.ALG_RSA_PKCS1, false);
            cipher.init(clePrive,Cipher.MODE_DECRYPT);
            byte[] donneDecrypt = new byte[(short)data.length];
            cipher.doFinal(data, (short)0, (short)data.length, donneDecrypt, (short)0);
            return donneDecrypt;
        }
    }

  • Kerberos and SPNEGO

    I was trying to do SSO for Oracle UCM 11g, which uses WebLogic 10.3.4, using Kerberos and SPNEGO as stated in the Oracle documentation.
    I followed all steps on the following links
    http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1102021
    and
    http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10792/c03_security.htm#CDDDIHBA
    My issue is strange there are no error no exception and SSO not working even if I added wrong info to krb5.conf or krb5login.conf, I have created JAAS configuration file, and I have specified krb5login.conf file location as a startup option in the WebLogic where I have added the following to startWeblogic.sh
    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
    what do you think I am facing here???

    Hi,
    Apply SAP Note 1045019 (Example 3) and provide for analysis the errors (in red) from the collected traces.
    Regards,
    Dimitar

  • No luck with RSA and existing cert

    I want to encrypt data in my software, data which will be sent to me by the user, in such a way that only I can decrypt it. This seems to call for asymmetric encryption (only the public key would be embedded in the software), so I am trying to use RSA.
    Specifically I am trying to encrypt and decrypt data using the key pairs found in a cert that we bought from a cert authority. The cert says that key is a "Sun RSA public key, 1024 bits". In the following test, I encrypt using the cert's public key and decrypt using the same, for want of a method to return the private key but the results are the same if I initialize the cipher for decryption with the cert itself (which presumably contains the private key).
            Key key = cert.getPublicKey();
            Cipher cipher = Cipher.getInstance("RSA");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            byte[] enc = cipher.doFinal(test.getBytes());
            cipher.init(Cipher.DECRYPT_MODE, key);
            byte[] dec = cipher.doFinal(enc);
    but at the decryption stage I get the following error:
    Exception in thread "main" javax.crypto.BadPaddingException: Data must start with zero.
    which I don't know what to make of. It seems to me that I am following the (rather scant) instructions to the letter. If I specify "RSA/ECB/NoPadding" as the transformation I don't get the above error but the roundtrip fails to recreate the original string.
    Furthermore, as I said before, I wanted to use public key encryption because I must include the encryption key in the software and I do not want it to be sufficient to decrypt the cipher. I was hoping that with RSA you'd encrypt using the public key but that you'd need either the secret key or the whole cert to decrypt. However the Javadocs do not say so explicitly and I am left unsure as to how this works exactly. Can anyone shed some light?

    I agree, the documentation is inadequate. Have you also looked at the JCE reference (http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html)? This expands a lot on the javadocs for the classes. It might also help to learn more about cryptography; one book that others recommend is "Practical Cryptography" by Ferguson and Schneier.
    I think the one key misunderstanding you have is what is in a certificate. A certificate contains only the public key, some information about the identity of the owner of the private key, and a digital signature over this public key and identifying information. The private key is not in the certificate! Nor should it be. If it were, it would no longer be private and the security of the system would fall apart.
    The location of the private key depends entirely on the application that created the key pair. java's keytool, for example, stores the private key in a password protected file.
    The error you are seeing makes sense once you understand that, for an RSA cipher, the type of key, public or private, as well as the mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE, determine the interpretation of the subsequent update or doFinal method calls.
    Thus in your example, your first call to cipher.doFinal gives the RSA encryption of the data, which is what you wanted. Your second, however, attempts to decrypt this encrypted data with the public key, which makes no sense in this context. It checks to see if the result has the proper padding, which it does not. If you tell it to assume no padding, you won't get an exception but the result still won't make any sense. You need to init the cipher with the private key for the second part.
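
The three cases from this exchange side by side, as an added example that is not code from either post. A freshly generated key pair stands in for the certificate's public key and for the private key held in the owner's keystore (an assumption, as are the class and variable names); "RSA/ECB/PKCS1Padding" is the transformation that plain "RSA" selects in the SunJCE provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

// Added illustration: which key goes with which Cipher mode.
public class RsaKeyRoles {
    static final String PKCS1 = "RSA/ECB/PKCS1Padding";
    static final String RAW = "RSA/ECB/NoPadding";

    static byte[] apply(String transformation, int mode, Key key, byte[] input)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        Key shipped = pair.getPublic();   // stands in for cert.getPublicKey(), embedded in the software
        Key kept = pair.getPrivate();     // never shipped; stays with the key owner

        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        byte[] enc = apply(PKCS1, Cipher.ENCRYPT_MODE, shipped, msg);

        // Case 1: what the question did. Decrypting with the public key fails the padding check.
        try {
            apply(PKCS1, Cipher.DECRYPT_MODE, shipped, enc);
            System.out.println("unexpected: public key decrypted the message");
        } catch (BadPaddingException e) {
            System.out.println("public key, PKCS1Padding: " + e);
        }

        // Case 2: NoPadding removes the check, not the mistake. The public-key operation is
        // simply applied twice, so the output is a modulus-sized block unrelated to msg.
        byte[] rawEnc = apply(RAW, Cipher.ENCRYPT_MODE, shipped, msg);
        byte[] rawDec = apply(RAW, Cipher.DECRYPT_MODE, shipped, rawEnc);
        System.out.println("public key, NoPadding: " + rawDec.length + " bytes, equals msg = "
                + Arrays.equals(rawDec, msg));

        // Case 3: the fix from the answer. Only the private key recovers the plaintext.
        byte[] dec = apply(PKCS1, Cipher.DECRYPT_MODE, kept, enc);
        System.out.println("private key, PKCS1Padding: equals msg = " + Arrays.equals(dec, msg));
    }
}
```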

  • VPN Login first with RSA and then AD?

    I've run in to a situation I hadn't considered when we stood up our RSA 2-factor authentication for VPN. We use AnyConnect clients to hit our Cisco VPN concentrators which then passes off authentication responsibilities to ISE and ISE knows which Identity Store to use based on where the authentication request is coming from and what group(s) a person belongs to.   
    We now have a service provider that will reach right in to a product they manage for us when we call and say there is a problem. However, the tech/engineer assigned to the issue could be one of many from their pool of available resources. The service provider only wants 1 token which will be "locked up" and the PIN "locked up" separately as well so when we report a problem they can connect and resolve it.
    I won't issue a single token to them because they are associated with AD accounts but I could create a generic account local to RSA they could authenticate against if they could then auth with their AD creds before connecting.
    So my question is has anyone done this? Is it possible to have AnyConnect ask for SecurID authentication and then come back with a prompt for AD authentication?
    Thanks

    Hi Darren,
    should be no problem, using double authentication:
    aaa-server myLDAP protocol ldap
    aaa-server myRSA protocol sdi
    tunnel-group foo general-attributes
    authentication-server-group myRSA
    secondary-authentication-server-group myLDAP [use-primary-username]
    This will prompt for 2 usernames & 2 passwords, unless you add "use-primary-username" but I guess in your case you do need 2 different usernames.
    hth
    Herbert

  • Anonymous and SPNego issue

    Hi ,
    We are using EP 7.0 EHP 1 portal for couple of purpose.
    1) Anonymous Webpage composer site for intranet information portal purpose
    2) SPNego SSO configured portal for ESS/MSS access.
    Now the problem is that when the users access the anonymous portal URL (http:hostname:port/irj/portal/anonymous), it actually does SPNego for the user and they get logged on to the portal to see ESS/MSS roles.
    I am not sure why launching the anonymous URL does SPNego SSO. Any clue on this?
    Thanks,
    Siva

    Hi Simon,
    Yes we have the default anonymous portal url as http://<portal_hostname>/irj/portal/anonymous.
    The KDC is configured to issue a token for <portal_hostname>. So you mean to say that because of this, the user gets the token when they log on to the network and even if they access the anonymous URL, they would be logged on to the portal automatically?
    Should I change the hostname for the anonymous URL, like http://anonymous_hostname/irj/portal/anonymous? Would it solve the problem?
    Thanks,
    Siva

  • SSPIs and SPNEGO

    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it, in certain
    cases you might be forced to implement a servlet filter rather than use the SSPIs.
    My case was using identity assertion with SPNEGO where you need to send back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirement where
    we need to pass the credentials from WL portal to IIS server to access content
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]
    I am new to security and JAAS. If you could please give me pointers to accomplish
    this in a cleaner way, I would really appreciate it.
    Thanks,
    Adam

    Robert,
    That's really awesome. Can we get this discussion offline from here? Could you
    please e-mail me at [email protected]?
    Thanks,
    Adam
    Robert Greig <[email protected]> wrote:
    Adam Gilchrist wrote:
    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it, in certain
    cases you might be forced to implement a servlet filter rather than use the SSPIs.
    My case was using identity assertion with SPNEGO where you need to send back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirement where
    we need to pass the credentials from WL portal to IIS server to access content
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]@mydomain.com.
    First, here's how to do it in the "standard" web browser case (IE client
    talking to WLS).
    1) Don't use the WLS SSPIs. You don't have access to the http response
    therefore it is not easy (perhaps not possible although maybe there are
    evil hacks that I haven't come up with!).
    2) Download the SPNEGO RFC. You'll need an ASN parser (unless you want
    to do the encoding manually - I don't recommend that unless you're
    familiar with ASN). Create an SPNEGO grammar your parser can understand
    and generate java code from the grammar. I used the cryptix parser (open
    source) but note that it had some bugs I had to fix first.
    3) Write a servlet filter. It should send back 403 responses in order to
    get the base 64 encoded SPNEGO token (see the RFC for details). When you
    have a token, get the GSS initial context token from it and use the
    GSSAPI to validate it. Then send back the appropriate response, having
    put the appropriate details into the session so you don't have to
    perform this for every request!
    Second - I plan on open sourcing what I have done and writing an article
    on it. Maybe I'm just sad and lonely but I certainly found it
    interesting to do (having never done anything in this area before) and I
    found that it was not an area that is either mature or well documented.
    This might be of some use to you. I am currently trying to get
    permission from my employer to do this (I work for an investment bank
    hence this is not entirely straightforward but I do now have agreement
    in principle).
    Third - to cover your case. You need to create an SPNEGO initial context
    token (see the spec for details). This should be quite easy once you
    have the ASN parser (just use the GSSAPI to get the underlying context
    token). You will have to implement SPNEGO from a client-side perspective
    however that should be easy (expect a 403 response from the server, then
    put in the base 64 encoded SPNEGO token into a particular request header).
    I am new to security and JAAS. If you could please give me pointers to accomplish
    this in a cleaner way, I would really appreciate it.
    Do you need to use SPNEGO here? If you can write an ASP page to service
    all requests then so long as you are happy using HTTPS you could put the
    username into a POST parameter. Or must you directly access the content
    without going through an intermediary page? If direct username isn't
    possible then you could even just ignore SPNEGO and put in the base 64
    initial context token (which you can process using the Windows SSPI APIs).
    I hope this is of some use to you.
    Robert
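
The token-handling step Robert describes (take the base 64 token from the request header and find the GSS mechanism inside it), as an added example that is not his code. It reads only the outer ASN.1 structure defined in the SPNEGO RFC and reports which mechanisms the client offers, so a filter can see whether it received SPNEGO with Kerberos or a raw NTLM message before calling the GSSAPI. The class name, helper names and both sample tokens are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HexFormat;
import java.util.List;

// Added illustration (Java 17): inspect a "Negotiate" token without validating it.
public class NegotiateTokenInspector {
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Minimal DER cursor: definite lengths only, every read bounds-checked. */
    static final class Der {
        private final byte[] buf; private int pos; private final int end;
        Der(byte[] buf, int pos, int end) { this.buf = buf; this.pos = pos; this.end = end; }
        boolean hasMore() { return pos < end; }
        int next() {
            if (pos >= end) throw new IllegalArgumentException("truncated token");
            return buf[pos++] & 0xff;
        }
        /** Consumes one TLV carrying the expected tag; returns a cursor over its value. */
        Der enter(int tag) {
            int seen = next();
            if (seen != tag) throw new IllegalArgumentException(
                    String.format("tag %02x where %02x was expected", seen, tag));
            int len = next();
            if (len >= 0x80) {                       // long form: next n bytes hold the length
                int n = len & 0x7f;
                if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported length form");
                len = 0;
                while (n-- > 0) len = (len << 8) | next();
            }
            if (len > end - pos) throw new IllegalArgumentException("length exceeds token");
            Der value = new Der(buf, pos, pos + len);
            pos += len;
            return value;
        }
        /** Reads an OBJECT IDENTIFIER and returns it in dotted form. */
        String oid() {
            Der v = enter(0x06);
            StringBuilder sb = new StringBuilder();
            long arc = 0;
            boolean first = true;
            while (v.hasMore()) {
                int octet = v.next();
                arc = (arc << 7) | (octet & 0x7f);
                if ((octet & 0x80) != 0) continue;   // more base-128 digits follow
                if (first) {
                    long top = Math.min(arc / 40, 2);
                    sb.append(top).append('.').append(arc - 40 * top);
                    first = false;
                } else {
                    sb.append('.').append(arc);
                }
                arc = 0;
            }
            return sb.toString();
        }
    }

    /** Returns the mechanism OIDs offered in an Authorization header value. */
    static List<String> offeredMechanisms(String authorizationValue) {
        if (!authorizationValue.startsWith("Negotiate "))
            throw new IllegalArgumentException("not a Negotiate header");
        byte[] token = Base64.getDecoder().decode(authorizationValue.substring(10).trim());
        if (new String(token, StandardCharsets.ISO_8859_1).startsWith("NTLMSSP\0"))
            return List.of("raw NTLMSSP message (no SPNEGO wrapper)");
        Der gss = new Der(token, 0, token.length).enter(0x60);   // [APPLICATION 0] initial context token
        String mech = gss.oid();
        if (!SPNEGO_OID.equals(mech)) return List.of(mech);       // bare GSS token, e.g. Kerberos
        // NegTokenInit: [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
        Der mechList = gss.enter(0xa0).enter(0x30).enter(0xa0).enter(0x30);
        List<String> mechs = new ArrayList<>();
        while (mechList.hasMore()) mechs.add(mechList.oid());
        return mechs;
    }

    // --- constructed sample input below ---
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] p : parts) body.writeBytes(p);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (body.size() < 0x80) out.write(body.size());
        else { out.write(0x81); out.write(body.size()); }   // samples stay under 256 bytes
        out.writeBytes(body.toByteArray());
        return out.toByteArray();
    }

    public static void main(String[] args) {
        HexFormat hex = HexFormat.of();
        byte[] spnego = hex.parseHex("06062b0601050502");           // 1.3.6.1.5.5.2
        byte[] krb5 = hex.parseHex("06092a864886f712010202");       // 1.2.840.113554.1.2.2
        byte[] ntlm = hex.parseHex("060a2b06010401823702020a");     // 1.3.6.1.4.1.311.2.2.10
        byte[] mechToken = tlv(0xa2, tlv(0x04, "constructed-placeholder".getBytes(StandardCharsets.US_ASCII)));
        byte[] token = tlv(0x60, spnego, tlv(0xa0, tlv(0x30, tlv(0xa0, tlv(0x30, krb5, ntlm)), mechToken)));
        System.out.println(offeredMechanisms("Negotiate " + Base64.getEncoder().encodeToString(token)));
        byte[] rawNtlm = "NTLMSSP\0constructed".getBytes(StandardCharsets.ISO_8859_1);
        System.out.println(offeredMechanisms("Negotiate " + Base64.getEncoder().encodeToString(rawNtlm)));
    }
}
```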

  • Sap webdispatcher and spnego

    what needs to be done for sapwebdispatcher to work with spnego? we've done setspn for webdispatcher host, but it prompted us to login to webdispatcher server. Do we need to change any configuration in UME or j2ee engine?
    Thanks
    Jane

    Hi
    For using SPNEGO through a SAP webdispatcher you only need to create a SPN for the webdispatcher host like "setspn -A  http/<webdisp-host> <j2ee-user>".
    The <webdisp-host> must be FQDN like "host.domain.com" and the <j2ee-user> should be the J2EE service user created when configuring SPNEGO/kerberos for J2EE.
    BR
    Tom Bo

  • UI5 and SPNEGO authentication

    Hi,
    we already use the Netweaver Gateway to provide some OData services.
    These services are consumed by some 3rd party software components.
    To authenticate the user at the Gateway, these applications are using the SPNEGO authentication mechanism.
    Now I wanted to start to develop my first UI5 app. Of course I'd like to consume the OData services from our existing gateway installation.
    The main problem that I'm currently facing is, that I don't know how to use Single Sign On (based on Kerberos tickets) to consume the gateway services from an UI5 app. I would like to use SPNEGO but I didn't find any information on how to implement SPNEGO in an UI5 app.
    Can you please provide me some information (or even some code snippets) on how to use SPNEGO authentication from an UI5 app!?!?
    Thanks in advance
    Holger

    Hi Michael,
    Thanks for that.  My opinion of secondary authentication is the same, but hey ho.  The client insists.  I think the main iview is the payslip iview, so it is on the same server as the portal. 
    My thinking was that as form based logon uses com.sap.portal.runtime.logon.certlogon and basic authentication uses com.sap.portal.runtime.logon.basicauthentication they could have different priorities set in authschemes.xml and consequently it asks for secondary authentication.  However, I see your point that they are both in the ticket logon stack.
    Paul

  • VPN with RSA and LDAP Groups

    I'm trying to rebuild our VPN environment with a pair of 5520. We're going to use Anyconnect mobility exclusively with SSL. No IPSec and no SSL Webvpn.
    We have a large number of contractors using the VPN to access specific internal resources so I would like to use different IP subnets for each contractor assigned through group policy. I don't want to have a different URL for each contractor so I want to assign the group policy through LDAP group membership. However, primary authentication will be via RSA 2 factor.
    How do I get the ASA to check group membership and hence assign the right group when primary authentication is through RSA?
    Thanks for any help.

    yes you can do the Authentication to an RSA server and the Authorization to the LDAP server.
    Please configure LDAP as an authorization server.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
    Do let me know how it goes.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • How to apply RSA and MD5 on my data?

    Hello everyone...I am a college Student and I have a project two clients connected with server one of them by socket and another by RMI
    and I have been asked to apply CIA (confidentiality, integrity, availability). I know algorithms of cryptography and authentication but I need a hint
    how to use these algorithms ... if there is a class to do this or a simple lesson on how to encrypt and decrypt (code) I will be thankful
    Best regards

    One of the most useful books you will find on the subject of Java cryptography is David Hook's "Beginning Cryptography with Java" (WROX). I would recommend you borrow this from your school/public library or buy it and study it; it will be one of the better investments you will make in your education, Gary Wolf. Good luck.

  • Compatibility problem with Java and Python RSA algorithm implementation

    I have a client server application. The server is written in Python, the client in Java. The client receives messages from the server encrypted with RSA (http://stuvel.eu/rsa), and I'm unable to decrypt them. It seems that this is an RSA algorithm compatibility problem. I'm using the algorithm from the java.security package, instantiating the Cipher object like this: c = Cipher.getInstance("RSA");. I noticed that this algorithm produces, for input blocks of length <=117, an output block of length 128. The server I guess uses the most trivial implementation of RSA (1 byte is encrypted to 1 byte). So I want to make my Java algorithm compatible with the one which the server uses. How to do that? Do I have to instantiate the Cipher object in a different way? Or use another library?

    azedor wrote:
    > > First you said it was no good because it could only handle <= 117 byte inputs, now you say it is no good because it produces a 128-byte output. You're not making sense.
    > First I said that these two RSA implementations are not compatible, and the first reason I noticed is that the Python implementation for input of length N produces a cryptogram of the same length.
    Not true. In general, the RSA encryption of any number of bytes less than the length of the modulus will produce a result of length near that of the modulus. When N is less than the length of the modulus, it is rare that N bytes of cleartext produces N bytes of ciphertext.
    > Java implementation for data block of length <=117 always produces 128 bytes of output.
    Pretty much correct and very much desirable. This is primarily a function of the PKCS1 padding which is used to solve two basic problems. First, as I alluded to in my first response, it is the nature of the algorithm that leading zeros are not preserved and second when the cleartext is very small (a few bytes) the exponentiation does not roll over and it is easy to decrypt the result. Both these problems are addressed by PKCS1 padding.
    > After what sabre150 said I think of giving up the idea of translating Python code to Java and considering using another asymmetric cryptography algorithm on both sides. Can you recommend me sth that should be compatible with Python?
    This seems to be at odds with your statement in reply #3 "Also have access only to client code so I have to change sth in Java."! This statement is why I said "I suspect ... you have dug a deep hole".
    In your position I would use the Python bindings for openssl. Once more, Google is your friend.
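
The size and padding behaviour discussed in this reply, as an added example that is not code from the thread. A 1024-bit key is generated only to reproduce the 117 and 128 byte figures quoted above; the class name and test inputs are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

// Added illustration: what PKCS#1 v1.5 padding does to input and output sizes.
public class RsaPkcs1Sizes {
    static final String PKCS1 = "RSA/ECB/PKCS1Padding"; // what Cipher.getInstance("RSA") selects in SunJCE
    static final String RAW = "RSA/ECB/NoPadding";      // unpadded ("textbook") RSA

    static byte[] run(String transformation, int mode, Key key, byte[] input)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);                        // 128-byte modulus, as in the thread
        KeyPair pair = gen.generateKeyPair();
        Key pub = pair.getPublic();
        Key priv = pair.getPrivate();

        // 1. Any input up to 117 bytes yields a 128-byte block; 118 bytes is refused
        //    because the padding needs at least 11 bytes of the block.
        for (int len : new int[] {1, 50, 117, 118}) {
            byte[] in = new byte[len];
            Arrays.fill(in, (byte) 'A');
            try {
                byte[] out = run(PKCS1, Cipher.ENCRYPT_MODE, pub, in);
                System.out.printf("%3d bytes in -> %d bytes out%n", len, out.length);
            } catch (IllegalBlockSizeException e) {
                System.out.printf("%3d bytes in -> rejected: %s%n", len, e.getMessage());
            }
        }

        // 2. The padding is random, so the same plaintext encrypts differently each time.
        byte[] one = {0x41};
        boolean same = Arrays.equals(run(PKCS1, Cipher.ENCRYPT_MODE, pub, one),
                                     run(PKCS1, Cipher.ENCRYPT_MODE, pub, one));
        System.out.println("two PKCS1 encryptions of one byte identical: " + same);

        // 3. Without padding, leading zeros are not preserved: the plaintext is treated as a
        //    number, so decryption cannot tell where the original data started.
        byte[] tricky = {0x00, 0x00, 0x41};
        byte[] rawBack = run(RAW, Cipher.DECRYPT_MODE, priv, run(RAW, Cipher.ENCRYPT_MODE, pub, tricky));
        System.out.println("NoPadding round trip: " + tricky.length + " bytes in, "
                + rawBack.length + " bytes back");

        // 4. With PKCS1 padding the same input round-trips exactly.
        byte[] back = run(PKCS1, Cipher.DECRYPT_MODE, priv, run(PKCS1, Cipher.ENCRYPT_MODE, pub, tricky));
        System.out.println("PKCS1Padding round trip exact: " + Arrays.equals(back, tricky));
    }
}
```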

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed Radius Access Attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name which I really need to achieve what I want (select different OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the radius access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    Ok, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong(?), but let's leave that for now, I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I add, in an expression, a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with bunch of incompatibilities between the offered support e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC
    We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list with EAP protocols supported by the RSA is in attach.
    Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
    table "EAP Authentication Protocol and User Database Compatibility "
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • Integration between Cisco RADIUS and RSA

    Ciao. I need some help to configure the RADIUS, activating the RSA "NEXT TOKEN CODE" feature. Can you help me?

    If you have maintenance with RSA or your product is license, you can contact their support and they can give a step-by-step guide in PDF.
    I've done similar using RSA and RADIUS for network staff login to all Cisco network devices using a token. The step-by-step guide provided by their support is very helpful.
