RSA token with Pix

I have a Pix 525 running 7.02 OS using the 5.0 VPN client. I'm trying to configure this to use RSA tokens to authenticate. I added the following lines to my Pix config:
aaa-server <group name> protocol sdi
reactivation-mode timed
aaa-server <group name> host 172.16.180.X
retry-interval 3
timeout 13
aaa-server <group name> protocol sdi
reactivation-mode timed
aaa-server <group name> host 172.16.180.105
retry-interval 3
timeout 13
Where do I put in the shared secret that the RSA server uses? I know we put one in there, it's actually a version of RADIUS but I don't know where to put it for the Pix.
Thanks

If you're doing it via SDI the two devices will negotiate the shared secret. Only if you're doing Radius do you need to create one manually, based on RSA documents.
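An added example, not the poster's or Cisco's own configuration, showing what a complete PIX/ASA 7.x SDI setup looks like with the VPN tunnel group bound to it and the built-in test command; the group name RSA-SDI, the tunnel-group name RA-VPN, the interface name and the test username are assumptions, and the server address is the one from the question.

```cisco
! Added example, not the poster's config. RSA-SDI, RA-VPN and jdoe are assumed names.
! There is no key line for SDI: the node secret is negotiated on the first
! successful authentication and kept on the firewall. Only RADIUS needs a key.
aaa-server RSA-SDI protocol sdi
 reactivation-mode timed
 max-failed-attempts 3
aaa-server RSA-SDI (inside) host 172.16.180.105
 retry-interval 3
 timeout 13
!
! Bind the server group to the remote-access tunnel group the VPN client lands in.
tunnel-group RA-VPN general-attributes
 authentication-server-group RSA-SDI
!
! Verify from the firewall before touching clients. Use a real passcode
! (PIN + tokencode) for the assumed test user; a failure here usually means the
! firewall is not registered as an agent host on Authentication Manager.
test aaa-server authentication RSA-SDI host 172.16.180.105 username jdoe password 1234567890
show aaa-server RSA-SDI
```

If the node secret gets out of sync (for example after the firewall is rebuilt), the RSA administrator clears the node secret for that agent host on Authentication Manager and the next successful authentication regenerates it.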

Similar Messages

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "Radius Identity Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, so I would start troubleshooting by looking at them to see what identity store or identity store sequence they are using.

  • Router login with RSA token

    Is there any way to secure the login process of a router using RSA token?
    And how to do that.
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick
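An added example, not Rick's configuration, that expands the two aaa lines above into a full IOS AAA setup with the fallback behaviour made explicit; the TACACS+ server address and key are placeholders.

```cisco
! Added example expanding on the two aaa lines above; not Rick's config.
! Server address and key are placeholders, replace both.
aaa new-model
tacacs-server host 10.0.0.5 key 0 REPLACE_WITH_TACACS_KEY
!
! Login and enable go to TACACS+ (which the AAA server forwards to RSA). The
! trailing "line" and "enable" keywords are fallbacks used only when no TACACS+
! server answers, not when a user fails authentication, so a wrong passcode
! cannot fall through to the line or enable password.
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 password REPLACE_WITH_LINE_PASSWORD
 transport input ssh
```

The accounting line is there so that every RSA-backed login is recorded on the AAA server, which is what you want when reviewing who administered the router.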

  • SSLVPN with RSA TOKEN

    Hi
    Does the firewall support SSL VPN with the RSA token concept with the below mentioned license?
    Current remote access VPN is configured. If yes, what are the changes required?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    According to me, you will need an AAA server to communicate with the RSA key server, like below:
    Cisco ASA ---> ACS ---> RSA Server
    The license is fine.
    This is the guide for setup: http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    The following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • Rsa securid with remote access dial-in service problem

    Hello,
    I tried setting up RSA SecurID with remote access dial-in service on a Cisco 2600 box. Everything works well except when the token is in new PIN or next token mode. The dial-up client cannot enter the second passcode (there is no second pop-up window), so all authentications fail. My dial-up client is Windows 2000 or XP.
    Please suggest.
    Thanks,
    Nitass

    While I agree with you that the terminal window solution is more complex and less user friendly than the standard Windows DialUp window/authentication, the terminal window does provide a solution to the new pin or next token issue which the standard Windows does not.
    I work with a customer who uses RSA token to authenticate dial in users. We have found the solution to the issue you are dealing with to be either the terminal window where the user can deal with their problem or to have someone take administrative action on the RSA server to reset/resync the users token.
    So as I see it you have a choice to make: either present the terminal window as an alternative setup on the user PC, or when they cannot log in on dial-up have them call the Help Desk and have someone deal with it for them. One solution is somewhat less user friendly but does allow the user to deal with their own problem, and the other solution is more user friendly and puts more load on the Network Support staff.
    I would also wonder why you have so many users in new pin and next token mode? Perhaps if you can figure how to minimize the frequency of these modes you can minimize the problem of difficulty authenticating for your users.
    HTH
    Rick

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with usernames Axxxx, the other Bxxxx.
    Now we try to differentiate the authentications for the two groups: one permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; that would probably qualify it as part of ISE 1.3.

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.:
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using the RSA-provided EAP client, both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list of EAP protocols supported by RSA is attached.
    Also below is the link which says that MS-PEAP is NOT supported with RSA; please check the
    table "EAP Authentication Protocol and User Database Compatibility".
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and trying to authenticate using RADIUS through a firewall or Cisco router authentication proxy.

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with an RSA token card to authenticate WLAN users in conjunction with ACS?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality.

  • DMZ zone with PIX 501

    - How do I set up a DMZ zone with a PIX 501 firewall? Do I need to use an additional router? I have a CISCO 1605 at my disposal.
    - If I can't do that, what would be an alternative way to set up an FTP server similarly to the DMZ way?
    (We're using IPsec/GRE VPN between our 3 sites. We're on a W2K network.)
    thanks,
    oleg

    When talking about setting up a DMZ, a PIX model with at least three interfaces is required. On a PIX 501, only two interfaces are available, an outside interface (ethernet) and an inside interface (available as a 4 port switch). For setting up a DMZ, you will need an additional interface and that would mean getting a higher model of the PIX. The idea of using a router on the inside interface and then configuring restrictive policies on it might work but will make the setup messy and you are unlikely to find a satisfactory level of support for it for the simple reason that not many networks are deployed that way.

  • RSA authentication with LDAP group mapping

    Greetings,
    I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
    The problem I'm having is that my users are in multiple OUs on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
    As far as I know, you can only use one LDAP configuration with RSA.
    Any thoughts on this?

    @Tarik
    I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
    I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
    Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
    I would still prefer to do this dynamically.
    Scott

  • Blocking protocols with pix version 7.2.1

    Does somebody know how to block protocols like Skype with PIX version 7.2.1?
    I know MSN Messenger or Yahoo Messenger can be blocked,
    but I need to block things like Skype.
    Thanks.

    Try this link:
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/inspect.htm#wp1480861

  • Manual key negotiation with pix 501

    How do I use manual key negotiation with PIX 501 6.3 to solve a VPN tunnel negotiation problem?

    http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html#wp1045493
    "Manual configuration of SAs is not supported on the PIX 501 because of the restriction in the number of ISAKMP peers allowed on that platform."
    However I'm sure a proper solution can be found to your original problem (establishing VPN with huawei)
    Please rate helpful posts.
    Regards
    Farrukh

  • Is Part# SSM-4GE compatible with PIX ?

    The suggested replacement for PIX-1FE is SSM-4GE. Does it mean it is compatible with PIX?
    http://cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_for_cisco_pix_sec_app_cards_and_hwacc.html

    No, it is not. Since the PIX is now EoS, they assume you have upgraded/will upgrade to the ASA.
    HTH

  • MfE - 2stage logon with RSA token, possible?

    I'm finally able to use Exchange 2003 SP2 on OWA on my PC via IEv7.
    However, in order to use OWA at home I have 2 issues that I cannot figure out what to do with MfE.
    1. 2 stage logon.
    - First logon is the site logon ID & PW. I work for a bank and as such security is its focus; gladly not a hindrance. I have a 2 stage logon because the AD ID I have is set for supporting 1 area of the bank while my access allows certain admin rights.
    - Thus my first logon is not the same as my AD. This enables a certificate to be installed into IE v7. This worked on MfE initially.
    - The second stage logon requires my AD account logon ID, and the pw uses my PIN+Tokencode (RSA hardtoken generated). 
    2. Although RSA supports S60, there is nothing on the web or on their site showing a trial or full working application for download OR purchase. It supports S60 3rd Edition.
    Now, can MfE or any other software help me out in this situation?

    So I found RSA's link to purchasing the software ...
    http://www.rsa.com/node.aspx?id=3388
    BUT it asks you to basically register.
    Technical Specifications
    Currently shipping version: RSA SecurID® Token 2.20 for Symbian OS™ and UIQ
    Device requirements: Symbian OS™ 9.1 or higher, UIQ 3.0 or higher
    Required components: RSA® Authentication Manager (5.1 or later required for AES token support; 6.1 recommended)
    AES (128-bit) token seeds
    Ordering options: AES (128-bit) token seeds available in 6-month and 1-, 2-, 3-, 4-, 5-, and 10-year lifetime configurations.
    Pricing and availability: RSA® SecurID Token 2.20 for Symbian OS™ and UIQ is available free of charge through RSA.
    Download RSA SecurID Token 2.20 for Symbian OS™ and UIQ, including documentation
    Token seeds are available through RSA sales channels.
