RSA SecurID

Similar Messages

• External Identity Sources, binding RSA securID to ISE

  Hi all,
  Say, my topology was using ISE doing VPN inline posture, and bind RSA securID (version 7.1) as external Identity Sources.
  During  the deployment, in order to let my iPEP node join the Policy Service  Node, for the certificate i using the third party CA server (Window  server 2008 R2) as the root CA, both of these 2 ISE were mutual  authenticated and done.
  My question. as i using  RSA secureID as external identity sources, native behaviour, Will the  ISE trust RSA with no identity certificate signed by the identitical  root CA?
  Should i enroll this RSA appliance issue the CSR to CA server to sign and in the PKI environment? Is there a need for this?
  Thanks
  Noel

  Noel,
  From my experience when integrating with the RSA token server you need the sdconf.rec file exported from the RSA and you import that into the ISE configuration. You then select this identity store with your authentication policies for vpn users. There isnt a need for any certificates when integrating with a token server (that was the last time I checked) and even if there would just need to trust each other's certficats.
  I hope that helps!
  Sent from Cisco Technical Support iPad App

• RSA SecurID no longer available on Nokia N8 Belle

  Just upgraded my Nokia N8 and was shocked to see that RSA SecurID is no longer available
  I wonder how can such an important business app can be missed ! Lucky for me I have an Andriod Tab, but other N8 users beware.
  Solved!
  Go to Solution.

  Ok, I was able to download the software using the Nokia web browser from http://www.rsa.com/nokia101 however our IT team was unable to set-it up. We then downloaded the Java client from  www.rsa.com/jme and it worked fine.

• Web server will not start due to RSA Securid errors

  We have an iPlanet 4.1 Service Pack 14 web server that was running fine until last friday. When we go to start the server we get the following error:
  Status:
  [https-ivpnas]: start failed. (2: unknown early startup error)
  [https-ivpnas]: conf_init: Error running init function securidinit: unknown error
  [https-ivpnas]: server exit: status 1
  Error
  An error occurred during startup.
  The server https-ivpnas was not started.
  The error log also contains this additional error:
  [27/Sep/2004:10:06:57] info ( 4164): successful server startup
  [27/Sep/2004:10:06:57] info ( 4164): iPlanet-WebServer-Enterprise/4.1SP14 BB1-01/15/2004 13:04
  [27/Sep/2004:10:06:58] catastrophe ( 4164): securidauth reports: InitAceClient returned FALSE
  This website uses RSA Securid for authentication. We have contacted RSA and they think it is a webserver problem. Any insight anyone can provide would be great. Thanks!

  The error message is generated by the RSA plugin, not Web Server. RSA should be able to help diagnose the problem further.

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ISE Authentication Policy for RSA Securid and LDAP for VPN

  We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
  Here is my question:
  Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 
  Thanks,
  Joe

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ISE Not Authenticating Against RSA SecurID

  In the process of integrating ISE 1.2 into our environment with the eventual intent to replace ACS 5.x and having a challenge adding an RSA SecurID server as an external identity source.
  In ACS, we would create an internal user but configure the password to be handled externally and uses PAP or whatever to communicate with RSA.
  I don't see this option in ISE, only to use the RSA SecurID as a direct Identity Source, the problem is that if I try to authenticate to ISE using a device such as an iPhone, which is using MS-CHAPv2 by default, it produces an error in the authentication logs that the device is using a protocol not supported by the identity source.
  So what is the proper way to configure ISE to allow users to authenticate with a one-time-password against RSA SecurID?

  check the following link for Integrating Cisco ISE with RSA SecurID Server
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1080334

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• RSA SecurID authentication and privilege level

  Hello,
  I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
  Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

  Hello.
  Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
  I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

• Does Remote Desktop Services Gateway Support RSA SecurID without TMG or ISA?

  We would like to roll out a single server RDS Gateway in our DMZ that can allow users to work from home and access their primary Windows 7 physical box workstation in the office.
  Instead of purchasing laptops for everyone who only occasionally needs to work from remotely, we would like some of the users to be able to use their home PCs and not need to install any VPN or other software on their computers.
  We already have RSA SecurIDs used for VPN clients, and I wanted to know if there is a way to use these existing tokens for second factor authentication instead of having to purchase an additional product such as Duo Security or AuthAnvil.
  If will be much easier to use something we know and probably much more economical to use the SecurID tokens that are already paid for plus add a few more if needed.
  We do not have TMG or ISA and when I do a web search for RSA tokens with RDS Gateway, most of the results are talking about using TMG to make it work.

  Hi,
  Thank you for posting in Windows Server Forum.
  Sorry to say but as per my research generally RSA SecurID use TMG or ISA without that it will not function correctly. You can follow article for useful information.
  RD Gateway deployment in a perimeter network & Firewall rules
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Since I upgraded to Lion, my RSA securid token and Cisco VPN client doesn't work any longer. Anyone have suggestions on how to fix that?

  Since upgrading to Lion, I can no longer use VPN because my RSA securid token and CIsco VPN Client won't load. Any suggestioins out there?

  .

• RSA SecurID for pix/ios console authentication?

  Hi
  Does anyone know how I can setup my routers and pix firewalls to use RSA SecurID for authentication of console login requests (telnet, ssh, serial)? I'm currently using RADIUS (both IAS and CSACS 4.0, some devices are on IAS, others CSACS) for authentication, but I'd like to utilize our SecurID system. Can anyone point me in the right direction? Thanks
  Jason

  Following link can help you configure RSA with ACS:
  http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ACS_401_AuthMan61.pdf
  Following link can help you configure IAS with RSA:
  http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Microsoft_IAS2003_AuthMan61.pdf
  ~Rohit

• HT4993 I'm trying to install the "RSA SecurID" application on my new iPhone 5s, but I need the device id. Can you tell me where to find the device Id?

  I'm trying to install the "RSA SecurID" app on my new iPhone 5s, but I need the device id. Can you tell me where to find the device id?

  -> http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/ipho ne-and-ipad.htm

• Authentication with RSA SecurID

  Hi,
  Can we use RSA SecurID for OBIEE Authentication? if yes, Can recomend a blog or document?
  Thanks,
  Gustavo.

  Yes, you can. But you will have to develop a Custom Authenticator.
  http://obiee101.blogspot.com/2009/03/obiee-custom-authenticators.html