RSA authentication MGR 8

Hi all,
I'm wondering if RSA Authentication manager 8 is supported on Cisco 5520 running 8.4?
Thanks

It's a little late to reply, but let's see where this issue stands.
If it is still unresolved, can we check the "debug radius" and "debug aaa authentication" output for an attempt?
Also, do you see any hits on the RSA auth manager? Please share what doc you followed to set up the same.
~BR
Jatin Katyal
**Do rate helpful posts**

Similar Messages

  • In RSA Authentication Manager 7.1, how to create multiple security domains

    Hi,
    RSA Authentication Manager 7.1 is configured with LDAP (Sun Java System Directory Server); how do I create multiple security domains in 7.1? Are these security domains related to LDAP?
    thanks

    I think what you need to do is create an identity sequence with RSA as the selection in Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Need help for connecting in an RSA authentication agent

    I am not sure if this is the right place, but I was hoping I am lucky enough to find someone with knowledge about RSA or somebody who has experience in developing security pages.
    My problem is something like this, simple: how do I connect to an RSA Authentication Agent, or RSA Authentication Manager?
    I was hoping you could paste an answer or paste a web address of a forum.
    This kind of question is very rare in forums, so I don't really have much choice. Any relevant answers are appreciated...
    thank you

    Hi,
    What is the gateway used by Solaris? Please send the result of ifconfig -a on the Sun OS.
    Sunil.

  • ASA5540 ver.7.2(2) RSA Authentication Manager 7.1

    Good evening,
    I'm searching for documentation to verify whether my ASA appliance supports the RSA Authentication Manager 7.1 solution as a RADIUS server.
    I assumed that, with the RADIUS server authentication support provided by the ASA software, this is possible.
    I've also found an RSA SecureID Implementation Guide, which I've attached; this document describes the solution in conjunction with ASA ver. 7.0.1 and RSA Authentication Manager 6.1.
    I'm verifying this so as not to have compatibility problems between the two brands in the future.
    Any information, link, or user guide is welcome!
    Cheers
    Davide Sacca'

    According to the ASA 8.0 documentation
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1057621
    SDI Version Support
    The security appliance supports SDI Version 5.0 and 6.0.
    If you configure the RSA device as an SDI, you may have issues getting support as 7.x is unsupported. If the RSA device is configured as a RADIUS device, you should not have a problem.

  • Best Way To Setup SGD With RSA Authentication

    At the moment, I've got RSA Authentication working with SGD 4.60-911. Now under my setup, I've manually created a user profile and assigned a couple of Terminal Server sessions to it and everything is working. I'm not sure if this is the best or, more importantly, the most efficient way to be setting up users for SGD use.
    Is it possible to still have RSA Authentication in place and also have the SGD users profile being accessible from AD/LDAP queries? What I'm thinking is that I could set up a SGD "dial-in" group within AD and assign the users to it, again within AD. I could then assign the applications to that group within SGD and hence filter this down to the individual users. This would stop me having to create a SGD user profile for every user we want to access SGD.
    Hope this makes sense.
    TIA.

    The thing to understand about what Arno suggests is that the SecurID profile is not used at all.
    With third-party authentication, there are two stages: authentication (nothing to do with SGD) and search for an identity and profile (performed by SGD).
    Arno's posting tells you about the authentication set-up, and by the way, this is definitely the way to go because of the announcement here http://docs.sun.com/source/821-1928/z40000061616182.html
    The result of the authentication stage is a username, usually stored in the REMOTE_USER environment variable. All of this happens independently of SGD.
    With the search stage, SGD looks at the value of REMOTE_USER and performs a search for the user identity and user profile.
    How SGD does this is configurable, see http://docs.sun.com/source/821-1926/z400007d1322324.html#z400007d1323983
    The basic choice is to use LDAP or not.
    If you don't use LDAP, then the user profile is either a user profile object you have created specifically for the user or the default Third-Party Profile (in System Objects).
    If you do use LDAP, the user profile is either a user profile object you have created specifically for the user, an LDAP Profile object you create to apply settings to a group of users, or the default LDAP Profile (in System Objects).
    Note: you can enable both methods at the same time.
    If possible, use LDAP for the search stage. It reduces the number of user profile objects you need to create (you might not have to create any) and it means you can assign applications to users dynamically by searching the LDAP directory (less admin).
    Hope this helps.

  • Configure cisco wlc for rsa authentication

    Hi,
    I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
    Do we require a Cisco ACS device to make this work? Please advise.
    Thanks

    Yes, it is possible.  Below is the list of items which you require to configure RSA authentication on WLC:
    1. RSA Authentication Manager 6.1
    2. RSA Authentication Agent 6.1 for Microsoft Windows
    3. Cisco Secure ACS 4.0(1) Build 27
        Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
    4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
    For more information you can go through this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

  • RSA Authentication Manager Connector 9.0.4

    Hi to all. I need to connect Oracle Identity Manager 11g with an RSA Authentication Manager 6.0. So, searching through Oracle website, I noted that with the newest version of the RSA Authentication Manager Connector (9.1.0.7.0) it is only possible to connect with an RSA 7.1 with SP3 or higher. Now my questions are:
    1. Where is it possible to download the older version of this connector?
    2. Even if I could download this older version (9.0.4), is it possible to get it to work with Oracle Identity Manager 11.1.1.5.2?
    Thank you in advance.
    Giuseppe.

    Older version connectors aren't available on Oracle web sites. You need to raise an SR through Metalink (support.oracle.com) and ask them for older versions.
    Refer to the certification matrix/compatibility section of the connector document to know if it'll work with Oracle Identity Manager 11.1.1.5.2.
    regards,
    Gp

  • Does ASA Support Android Hybrid RSA Authentication?

    Dear all
    Does ASA support Android Hybrid RSA Authentication?
    How should I set up the ASA firewall to let it support Android VPN Hybrid mode? My settings:
    tunnel-group IPsec_Hybird_Tunnel general-attributes
    default-group-policy Android_Hybird
    authorization-required
    tunnel-group Android_Hybird_Tunnel ipsec-attributes
    ikev1 pre-shared-key **********
    chain
    ikev1 trust-point CA
    ikev1 user-authentication hybrid
    tunnel-group Android_Hybird_Tunnel ppp-attributes
    authentication ms-chap-v2
    crypto ikev1 policy 10
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    When I debug, I find this message:
    %ASA-7-713906: IP = 1.1.1.1, All SA proposals found unacceptable

    I've managed to configure IPSEC hybrid (Mutual Group Authentication) with the Cisco VPN client, which uses a pre-shared key and CA certificate as well as Xauth. When using "IPSec Hybrid RSA" on an Android device, my attempts to configure it on the ASA have failed.
    Log message:
    3  Jul 25 2013  20:39:54  713048  IP = 192.168.7.76, Error processing payload: Payload ID: 1

  • OIM 11g - RSA Authentication Connector

    Hello,
    I need some information about RSA Authentication Manager connector.
    We use RSA for VPN access authentication and we would like to integrate it into OIM.
    I need to understand the capabilities of this connector such as provisioning and deprovisioning tokens and how to automate the distribution of soft tokens.
    Can anyone help me ? Any docs or relevant links would help as well.
    Thanks,
    Bala

    Download the connector doc from the location below (RSA Authentication Manager):
    http://docs.oracle.com/cd/E11223_01/index.htm
    Else try to download the connector, extract it, and open the connector doc (RSA Authentication Manager 9.1.0.7.0):
    http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

  • ACS 5.x with either AD or RSA Authentication depending on user

    I am trying to implement RSA two-factor authentication for our company for access to secure resources.
    Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
    I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
    We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
    I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
    I tried creating a rules-based selection for Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring the RSA to treat user rejects as user not found.  This broke VPN completely.
    From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
    Anyone know how to accomplish this?
    I am running 5.4 with the latest patches.

    Hope you're well!
    I am facing an access issue after completing the ACS (5.1) and AD (Windows 2003) integration; details underneath.
    Enable password for (Router, Switches) is working fine if the identity source is "Internal Users". Unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:
    1. Able to access network device (Cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users", enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

  • ACS 3.3, RSA Authentication Manager, Win2k3 AD

    What is the best practice for implementing cisco ACS 3.3, RSA, Win2k3 AD.
    We want to use these combo to authenticate our Remote access client. Our VPN/Firewall box is a ASA5540.
    Thx

    Hi
    You basically have 2 possibilities:
    Possibility 1:
    Use the ACS as the central AAA server and integrate all other authentication servers with the ACS.
    The ACS supports different Token Servers / AD / RADIUS Servers directly.
    This is very smooth; you use the ACS to control all authentication requests from your network devices, TACACS+ or RADIUS.
    There are some limitations, though: ACS only supports one AD domain and no trusts ... this can be painful.
    Possibility 2:
    Use the ACS as a RADIUS proxy server.
    There is no "direct integration" with the other RADIUS servers - such as the ACE or the different ISA servers - but still all clients can use the ACS as their "AAA RADIUS server".
    This requires separate configuration of all RADIUS servers, but it overcomes the limitation of the ACS support of Microsoft trusts.
    It is possible to use a mixture of both scenarios, and you could use things like the domain suffix (everything behind @ in [email protected]) to decide which RADIUS server should do the authentication.
    Hope This Helps
    Greetings
    Jarle

  • Rsa authentication

    Hi,
    Is it possible for Cisco ASA to support RSA second-factor authentication for server access?
    I.e., the servers will be accessed from certain network segments; after the first-level
    username-password prompt, and upon user input of these credentials, the ASA should
    prompt again for a second authentication.
    Will the ASA prompt for this second authentication?
    Thanks

    Yes the ASA supports two factor (or more accurately in this case, dual method) authentication. Assuming this is for a remote access VPN, when editing your AnyConnect Connection profile, there is an option under the advanced menu to enable a secondary authentication method.
    I believe RSA might insist on being the first method according to one other post I have seen but it can definitely be one of the two methods.
    See screenshot below:

  • RSA Authentication Manager connector exception with OIM 9.1.0.2

    Hi,
    I have installed RSA AM connector 9.1.0.7 on OIM 9.1.0.2 BP18 on Windows Server 2008 R2.
    When I run the RSA recon schedule task, I get the following exception:
    DEBUG,24 Feb 2012 12:11:13,227,[XELLERATE.ADAPTERS],Class/Method: tcADPClassLoader:findClass - Data: loading class - Value: org.iscreen.impl.xml.PositionContext
    ERROR,24 Feb 2012 12:11:13,229,[OIMCP.RSAM],====================================================
    ERROR,24 Feb 2012 12:11:13,229,[OIMCP.RSAM],oracle.iam.connectors.rsaauthmgr.usermgmt.tasks.RSALookupRecon : getGroups : An error occurred parsing the XML located at com/rsa/admin/SearchGroupsCommand_validators.xml. The location within the file is at /. The following was found that was in error: Unable to load/locate configuration file.
    ERROR,24 Feb 2012 12:11:13,229,[OIMCP.RSAM],====================================================
    ERROR,24 Feb 2012 12:11:13,230,[OIMCP.RSAM],================= Start Stack Trace =======================
    ERROR,24 Feb 2012 12:11:13,230,[OIMCP.RSAM],oracle.iam.connectors.rsaauthmgr.usermgmt.tasks.RSALookupRecon : getGroups
    ERROR,24 Feb 2012 12:11:13,230,[OIMCP.RSAM],An error occurred parsing the XML located at com/rsa/admin/SearchGroupsCommand_validators.xml. The location within the file is at /. The following was found that was in error: Unable to load/locate configuration file.
    ERROR,24 Feb 2012 12:11:13,230,[OIMCP.RSAM],Description : An error occurred parsing the XML located at com/rsa/admin/SearchGroupsCommand_validators.xml. The location within the file is at /. The following was found that was in error: Unable to load/locate configuration file.
    ERROR,24 Feb 2012 12:11:13,230,[OIMCP.RSAM],org.iscreen.impl.xml.XmlConfigurationException: An error occurred parsing the XML located at com/rsa/admin/SearchGroupsCommand_validators.xml. The location within the file is at /. The following was found that was in error: Unable to load/locate configuration file.
    at org.iscreen.impl.xml.XmlParser.getInput(XmlParser.java:215)
    at org.iscreen.impl.xml.XmlParser.parse(XmlParser.java:116)
    at org.iscreen.impl.xml.XmlServiceFactory.registerInclude(XmlServiceFactory.java:117)
    at org.iscreen.impl.xml.XmlServiceFactory.loadConfig(XmlServiceFactory.java:285)
    at org.iscreen.ValidationFactory.buildFactory(ValidationFactory.java:120)
    Any idea what may be the issue?
    Thanks.

    As per the given bug, it is looking for jars which are missing.
    Have you installed the connector using Deployment Manager? If yes, it copies the required jars to the target location. Verify this; if they are not there, copy the jars into the Scheduled Task folder.
    Check the document to see if any external jars are required and put them in the ThirdParty folder.
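
One way to carry out the jar check suggested in the reply above, as an added example (not code from the thread or from the connector): it looks inside every jar under the directories you pass for the resource named in the stack trace. The function name and the directories are assumptions; point it at your own Scheduled Task and ThirdParty folders.

```python
import sys
import zipfile
from pathlib import Path

# Classpath resource the stack trace says could not be loaded/located.
RESOURCE = "com/rsa/admin/SearchGroupsCommand_validators.xml"


def scan_jars(search_dirs, resource=RESOURCE):
    """Report which jars under search_dirs contain `resource`.

    Returns a dict with three lists of path strings:
      found        - jars that contain the resource
      unreadable   - *.jar files that are not valid archives (e.g. a bad copy)
      missing_dirs - directories that do not exist
    """
    wanted = resource.lstrip("/")  # zip entry names carry no leading slash
    report = {"found": [], "unreadable": [], "missing_dirs": []}
    for root in map(Path, search_dirs):
        if not root.is_dir():
            report["missing_dirs"].append(str(root))
            continue
        for jar in sorted(root.rglob("*.jar")):
            try:
                with zipfile.ZipFile(jar) as zf:
                    if wanted in zf.namelist():
                        report["found"].append(str(jar))
            except (zipfile.BadZipFile, OSError):
                # A truncated or corrupt jar fails to load the same way
                # a missing one does, so surface it separately.
                report["unreadable"].append(str(jar))
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: scan_jars.py DIR [DIR ...]")
    result = scan_jars(sys.argv[1:])
    for key in ("found", "unreadable", "missing_dirs"):
        print(f"{key}:")
        for item in result[key] or ["(none)"]:
            print(f"  {item}")
    # Non-zero exit when no jar on the searched paths ships the resource.
    sys.exit(0 if result["found"] else 1)
```

An empty `found` list means no jar in the searched folders ships the validators file, which matches the "Unable to load/locate configuration file" error.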

  • Mac Lion can't connect to Cisco VPN with RSA authentication

    Hello,
    We have a problem with a manager who has upgraded his Mac to the latest Lion OS (64 bit). Before upgrading he could connect without any problem with his Mac to our network and work on the terminal server. Since the upgrade he's not able to get it working in 64 bit (normal) mode.
    This is our setup:
    Cisco  PIX 515
    RSA Cisco Pix security Appliance.
    Does anybody have any advice to get this setup working?
    regards

    Hi Raymond,
    We have encountered the same issue with one of our sales directors; the upgrade to Mac OS X Lion breaks the VPN IPsec connection. We have tried various types of tuning with no success.
    Finally, as a workaround, we have installed the AnyConnect client and it works fine now.
    Vincent
