RSA tokens and AAA

I have an RSA ACE server and would like to use it for console port and VTY port access. Does AAA support this, and if so, what does the config look like? I have done it with ACS, but would like to try it just going directly to the RSA SecurID server, letting the server pop the login, and then I just poke in my passcode and token PIN. Anyone done this yet?

Very simple:
1- Install the RSA Server on host A.
2- Install the ACS server on host B.
3- Create an agent host on host A with host B's IP address.
4- Copy the sdconf.rec file over to the %Windows\system32 directory of host B.
5- Install the RSA agent software on host B.
6- Create an RSA user on host A.
7- Use the RSA test utility on host B to test authentication from host B over to host A.
8- Configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, under External database.
9- Run the log monitor on host A (the RSA server).
10- Try to log into a router.
11- Enter the username created in step 6. You should see that you are able to authenticate with the RSA SecurID and ACS integration.
Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on the RSA Server. Next-PIN mode only works with RADIUS.
Easy, right?

Similar Messages

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens, with Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAPv2.
    2. Cisco supports PEAP and inside it MSCHAPv2 or EAP-GTC.
    We tried using the RSA-provided EAP client, both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third-party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you, and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native), ACS gives "external DB password invalid" and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one-time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd-party Dell client, we can successfully authenticate using either PEAP-GTC (Cisco PEAP), EAP-FAST or EAP-FAST-GTC.
    A list of the EAP protocols supported by RSA is attached.
    Also, below is the link which says MS-PEAP is NOT supported with RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and trying to authenticate using RADIUS through a firewall or Cisco router authentication proxy.

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one with usernames Axxxx, the other Bxxxx.
    Now we are trying to differentiate the authentication for the two groups: one permit, the other deny.
    I am wondering whether ISE can do this or not.
    Thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup; it would probably be qualified as part of ISE 1.3.

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users against an RSA token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. This works fine for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA token server for the password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool, which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works); however, it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • Since I upgraded to Lion, my RSA SecurID token and Cisco VPN client don't work any longer. Anyone have suggestions on how to fix that?

    Since upgrading to Lion, I can no longer use VPN because my RSA SecurID token and Cisco VPN Client won't load. Any suggestions out there?

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with an RSA token card to authenticate WLAN users, in conjunction with ACS?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • Router login with RSA token

    Is there any way to secure the login process of a router using an RSA token?
    And how to do that.
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick
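    The router side of this, for the console/VTY question at the top of the page as well as Rick's answer, as an added example that is not from either post. The router only ever speaks TACACS+ or RADIUS; the ACS (or whatever AAA server you use) is the piece configured against the RSA server. The 192.0.2.x addresses, the keys and the break-glass account are placeholders, and the local-database fallback in place of Rick's "line" fallback is my choice, not his.

```cisco
! Added example, not from the posts above: IOS AAA for console and VTY login
! through TACACS+ (or RADIUS), with the AAA server doing the SecurID work.
! Addresses, keys and the break-glass account are placeholders.
aaa new-model
!
! TACACS+ server, the path Rick describes. Enable authentication and
! per-command accounting work here, but per the first answer on this page
! RSA Next-PIN mode does not: that needs RADIUS.
tacacs-server host 192.0.2.10 key EXAMPLE-TACACS-KEY
!
! RADIUS server, for the Next-PIN case. IOS sends the line-login password as
! a plain User-Password (PAP), which is what a SecurID-backed server needs;
! the PEAP-MSCHAPv2 failures in the 802.1X threads above are the same
! constraint seen from the wireless side.
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-KEY
!
! Local fallback so an unreachable AAA server cannot lock you out. A reject
! from the server is final; the fallback is used only when no server answers.
username break-glass privilege 15 secret CHANGE-ME
enable secret CHANGE-ME-TOO
!
! A named method list rather than "default", so it is explicit which lines
! use it. Swap "group tacacs+" for "group radius" here and in the enable and
! authorization lists to go through RADIUS instead; the line config is the same.
aaa authentication login RSA-LOGIN group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication RSA-LOGIN
line vty 0 4
 login authentication RSA-LOGIN
 transport input ssh
!
! Before closing the session you configured this from, prove the server path
! works. The password is the SecurID passcode (PIN followed by tokencode):
!   test aaa group radius alice 1234567890 legacy
!   debug aaa authentication
!   debug tacacs
```

    The fallback ordering matters: "group tacacs+ local" only consults the local account when every server in the group times out, so a wrong passcode is still a hard reject. Keep a second session open while testing; the test command and the debugs are the check that the server rejects bad passcodes and accepts good ones before you rely on it for the console.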

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token code.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • ISE Authentication Policy for RSA Securid and LDAP for VPN

    We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employees utilize RSA SecurID for authentication while the customers use Windows authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the RSA portion to work. We want to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
    Here is my question:
    Under the authentication policy, should we look at an identity store that has RSA SecurID users, LDAP users and then internal users? I assume if the user isn't present in the RSA store it will then look at the LDAP; will this present an issue with overhead in our RSA environment? With the legacy ACS the decision on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer VPNs is several times larger than employees, and I am afraid that if we have to query the SecurID servers for every VPN authentication attempt this could cause issues. Our ultimate goal is to move to AnyConnect and utilize a single URL for all authentication but allow ISE to instruct the ASA what attributes to hand to the client, such as DNS/dACL.
    Thanks,
    Joe

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS 5.2. I am running 802.1x on my switch to the ACS using RADIUS and want to use my RSA token server to authenticate my users. I have set up my RSA server under "RADIUS Identity Servers" in the external identity stores section of the ACS 5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x-enabled laptop into the switch I can see the packets going to my ACS, but I cannot see any communication from my ACS to the RSA server. The error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, I would start troubleshooting by looking at them and see what identity store or identity store sequence they are using.

  • SSLVPN with RSA TOKEN

    Hi
    Does the firewall support SSL VPN with RSA tokens with the below-mentioned license?
    Current remote access VPN is configured. If yes, what are the changes required?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    According to me, you will need an AAA server to communicate with the RSA server, like below:
    Cisco ASA ---> ACS ---> RSA Server
    The license is fine.
    This is the guide for setup: http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

  • RSA token with Pix

    I have a Pix 525 running 7.02 OS using the 5.0 VPN client. I'm trying to configure this to use RSA tokens to authenticate. I added the following lines to my Pix config:
    aaa-server <group name> protocol sdi
    reactivation-mode timed
    aaa-server <group name> host 172.16.180.X
    retry-interval 3
    timeout 13
    aaa-server <group name> protocol sdi
    reactivation-mode timed
    aaa-server <group name> host 172.16.180.105
    retry-interval 3
    timeout 13
    Where do I put in the shared secret that the RSA server uses? I know we put one in there, it's actually a version of RADIUS but I don't know where to put it for the Pix.
    Thanks

    If you're doing it via SDI the two devices will negotiate the shared secret. Only if you're doing Radius do you need to create one manually, based on RSA documents.
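    A PIX 7.x / ASA aaa-server configuration covering both the direct-SDI setup asked about in this thread and the ASA -> ACS -> RSA layout suggested in the SSL VPN thread above, as an added example that is not from either post. The group names, the 192.0.2.20 ACS address, the RADIUS key and the tunnel-group name are placeholders; the SDI host address is the one from the question.

```cisco
! Added example, not from the posts above: SecurID on a PIX 7.x / ASA, either
! directly over SDI or through ACS over RADIUS. Names, the ACS address, the
! RADIUS key and the tunnel-group are placeholders.
!
! 1) Direct SDI. There is no key line: the node secret is established on the
!    first successful authentication and cached by the firewall.
aaa-server SECURID-SDI protocol sdi
 reactivation-mode timed
 max-failed-attempts 3
aaa-server SECURID-SDI (inside) host 172.16.180.105
 retry-interval 3
 timeout 13
!
! 2) RADIUS via ACS, which in turn is configured against the RSA server. Here
!    a shared secret IS required, and it must match the AAA-client entry for
!    this firewall on the ACS.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.20
 key EXAMPLE-RADIUS-KEY
!
! Bind one group to the remote-access tunnel group (use "type webvpn" for the
! SSL VPN case). Users then type PIN followed by tokencode as their password.
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 authentication-server-group SECURID-SDI
!
! Verify from the firewall before touching the VPN. For SDI this first
! successful test is also what creates the node secret.
!   test aaa-server authentication SECURID-SDI host 172.16.180.105 username alice password 1234567890
!   show aaa-server SECURID-SDI
```

    Because the SDI node secret is created on that first successful authentication and then cached on the firewall, run the test as soon as the agent-host entry for the firewall exists on the RSA server. If that entry is later deleted and recreated, or the node secret is cleared on the RSA side, the firewall's cached copy no longer matches and every authentication fails until the firewall's copy is cleared as well; check the command reference for your version for the exact command, then re-run the test.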

  • Tokens and arrays

    Hello, I need help with the following. I have broken the contents of a file into tokens, and now I want to load those tokens into arrays and display the contents of the arrays. How do I do this?
    The name of the file is testing.txt with the following three lines;
    Hey your world!
    beware of mortgage fraud.
    Research before you buy!
    my code is as follows;
    import java.io.*;
    import java.util.StringTokenizer;
    import java.util.*;

    public class Test {
        public static void main(String[] args) {
            try {
                // collect a file path / name from the user
                System.out.println(" Enter the filepath for loading");
                Scanner myScanner = new Scanner(System.in);
                String fileName = myScanner.next();
                // load the contents of that file into a BufferedReader
                FileReader myFR = new FileReader(fileName);
                BufferedReader myBR = new BufferedReader(myFR);
                String line = " ";
                StringTokenizer words;
                String word = " ";
                System.out.println("Here are the lines in the file ");
                System.out.println(" ");
                // main loop repeats until there are no more lines
                while ((line = myBR.readLine()) != null) {
                    System.out.println(" The line is ");
                    System.out.println(line);
                    System.out.println("");
                    System.out.println(" Broken like a token ");
                    System.out.println("");
                    // break each line into tokens
                    words = new StringTokenizer(line);
                    // loop through the tokens, process each word in the line
                    while (words.hasMoreTokens()) {
                        word = words.nextToken();
                        System.out.println(word);
                    } // end while
                    // load each token into an array (nothing is ever stored in it)
                    String wordAry[] = new String[11];
                    // loop through the array and present each token to the user
                    // (the bound of 13 exceeds the array size of 11)
                    for (int index = 0; index < 13; index++) {
                        System.out.println(wordAry[index]);
                        System.out.println("");
                    }
                    System.out.println(" The Contents of array Results ");
                }
            } catch (FileNotFoundException e) {
                System.out.println("File could not be found or opened");
            } catch (IOException e) {
                System.out.println("Error reading file");
            } // end catch
        } // end main
    } // end class

    Well you've definitely created an array...but you never put anything in it. You have to actually put something IN the array in order to get it out later. Also, your array is size 11, meaning the indexes go from 0 to 10. But your print loop goes from 0 to 12, so you'll get an out of bounds exception.
    If you don't understand array basics, read the tutorial: [http://java.sun.com/docs/books/tutorial/java/nutsandbolts/arrays.html]

  • Synchronizer token and JSF

    Hello,
    I am just wondering if JSF offers a synchronizer token feature in order to avoid multiple form submissions.
    Thanks in advance,
    Albert Steed.

    Here's how I've implemented a token synchronizer pattern in my web app.
    This example has a session-scope Visit object and request-scope RequestBean:
      <managed-bean>
        <description>Session bean that holds data and delegates needed by request beans.</description>
        <managed-bean-name>visit</managed-bean-name>
        <managed-bean-class>com.example.Visit</managed-bean-class>
        <managed-bean-scope>session</managed-bean-scope>
      </managed-bean>
      <managed-bean>
        <description>Some request bean.</description>
        <managed-bean-name>reqBean</managed-bean-name>
        <managed-bean-class>com.example.RequestBean</managed-bean-class>
        <managed-bean-scope>request</managed-bean-scope>
        <managed-property>
          <property-name>visit</property-name>
          <value>#{sessionScope.visit}</value>
        </managed-property>
      </managed-bean>

    My Visit class has the following:
        private long activeToken;
        private long receivedToken;

        /**
         * This returns the active save token.  Note that this is not the same
         * variable that is set by the setSaveToken() method.  This is so we can put a
         * tag in a JSP:<br/>
         *   <h:inputHidden value="#{visit.saveToken}" /> <br/>
         * That will retrieve the active token from Visit when the page
         * is rendered, and when the page is returned, setSaveToken() sets the
         * received token.  The tokens can then be compared to see if a save
         * should be performed.  See BaseBean.generateToken() for more details.
         * @return Returns the active save token.
         */
        public long getSaveToken() {
            return this.activeToken;
        }

        /**
         * Sets the received token.  Note that this method is only intended to be
         * called by a JSF EL expression such as: <br/>
         *   <h:inputHidden value="#{visit.saveToken}" /> <br/>
         * See getSaveToken() for more details on why.
         * @param aToken received token value to set
         */
        public void setSaveToken(long aToken) {
            this.receivedToken = aToken;
        }

        void setReceivedToken(long aToken) {
            this.receivedToken = aToken;
        }

        long getReceivedToken() {
            return this.receivedToken;
        }

        void setActiveToken(long aToken) {
            this.activeToken = aToken;
        }

        long getActiveToken() {
            return this.activeToken;
        }

        /**
         * @return true if the active and received token are both non-zero and they match
         */
        boolean tokensMatchAndAreNonZero() {
            return (this.activeToken != 0) && (this.receivedToken != 0) && (this.activeToken == this.receivedToken);
        }
    . . .

    My backing beans extend a base class BaseBean with these methods:
        /**
         * Generates a new save token, saving it to a field in Visit. Guaranteed to not
         * generate a 0 (0 is used to denote an expired token).<br/><br/>
         * This token is used to make sure that
         * actions that modify data in a way that should not be immediately repeated.
         * Call this method prior to rendering a page that will submit the non-repeatable
         * request.  Then before saving any data, call saveTokenIsInvalid() to see if the
         * save should be executed.  If the token is valid, expire it and proceed with
         * saving.<br/>
         * The view that submits an unrepeatable request should have the tag:<br/>
         *      <h:inputHidden value="#{visit.saveToken}" /><br/>
         * in it.  Visit.getSaveToken() will set this field with the active token when the
         * page is rendered.  Visit.setSaveToken() will set a received token field, which
         * can then be compared to the active token to find out whether a save should be
         * performed.
         */
        protected void generateSaveToken() {
            logger.debug("generateSaveToken()");
            Random random = new Random();
            long token = random.nextLong();
            while (token == 0) {
                token = random.nextLong();
            }
            this.getVisit().setActiveToken(token);
            this.getVisit().setReceivedToken(0);
        }

        /**
         * Checks the save token to see if it is valid.
         * @return true if the save token is invalid.  It is invalid if either the received or the active
         * tokens in Visit are zero, or if the tokens do not match.
         */
        protected boolean saveTokenIsInvalid() {
            if (logger.isDebugEnabled() ) {
                logger.debug("saveTokenIsInvalid():\nactive token: " + this.getVisit().getActiveToken() + "\nrecv'd token: " + this.getVisit().getReceivedToken() );
            }
            boolean isValid = this.getVisit().tokensMatchAndAreNonZero();
            // return the inverse because this method is called "saveTokenIsInvalid"
            return !isValid;
        }

        /**
         * Sets active token to zero, preventing any saves by methods that check for valid save token
         * before committing a change until generateSaveToken() is called again.
         */
        protected void expireSaveToken() {
            logger.debug("expireSaveToken()");
            this.getVisit().setActiveToken(0);
        }

        /**
         * Logs an info message saying that a save action was not performed because of invalid save
         * token.  Returns given String as outcome.
         * @param subclassLogger logger for subclass calling this method
         * @param outcome
         * @return outcome
         */
        protected String logInvalidSaveAndReturn(Logger subclassLogger, String outcome) {
            if (subclassLogger.isInfoEnabled() ) {
                subclassLogger.info("User " + this.getVisit().getUsername() + " submitted a save request that was not " +
                        "processed because the save token was not valid.  Returning outcome: '" + outcome + "'.");
            }
            return outcome;
        }

        // Used by JSF managed bean creation facility
        public Visit getVisit() {
            return this.visit;
        }

        // Used by JSF managed bean creation facility
        public void setVisit(Visit visit) {
            this.visit = visit;
        }
    . . .

    Any method that sets up a view containing a form I only want submitted once generates a token:

        this.generateSaveToken();

    And the token gets embedded in the HTML form with the tag:

        <h:inputHidden value="#{visit.saveToken}" />

    An action method in RequestBean would then use the token to prevent multiple identical saves as follows:

        public String someActionMethod() {
            // prevent identical requests from being processed
            String normalOutcome = Constants.NavOutcome.OK;
            if (this.saveTokenIsInvalid() ) {
                return this.logInvalidSaveAndReturn(logger, normalOutcome);
            }
            this.expireSaveToken();
            logger.debug("save token is valid.  attempting to save....");
            try {
                // invoke some business logic here
            } catch (MyException exc) {
                // important: if you are returning the user to the same form view with an error message,
                // and want to be able to process subsequent form submissions, then the token
                // needs to be regenerated
                this.generateSaveToken();
                return null;
            }
            // normal path: business logic completed
            return normalOutcome;
        }

    . . .

    It has worked great so far. The only problems I've had are when I forget to generate or expire a token, or I forget to embed it in my form.
    I also had a problem where I expired the token after my business logic completed, and my business logic took about 30-60 seconds to process--if the user clicks on the submit button several times while waiting for the page to return, the backing bean method still sees a valid token and processes the request. This was solved by simply expiring the token prior to invoking the business logic (as shown in the above example).
    HTH,
    Scott

  • RSA keys and BigInteger Article

    [BigInteger and RSA Signature/Encryption|http://www.jensign.com/JavaScience/dotnet/RSAdotnet4/]
    Here is a new article describing RSA key components and demonstrating how the BigInteger class (in either Java or .NET 4) can be used to manually study RSA signature and encryption calculations.

    Thanks for the comments. The up to 6 public keys wasn't my own idea; it originates from the EMV2000 specs. If I want one point-of-payment unit serving MC, Visa, Maestro and Cirrus cards, then I have 4 RIDs already. So bad luck for Amex and Diners, unless I add more SAMs.
    But those keys are not the ones where I really struggle, because they (CA public keys) would be reasonably stable year after year. My problem is the unexpected out-of-resource error I now get from KeyBuilder when dealing with keys that actually come in the form of a certificate from an EMV payment card: the Issuer and ICC public keys. They can be any length, from 512 up to 2048. And a terminal may see hundreds of different cards each day.
    Unless anyone comes up with a better suggestion, I think I'll just build ~9 keys up front, just once after installing the applet, with all 'common' modulus key lengths, so 512, 736, 768, 896, 1024, 1280, 1536, 1984, 2048, and let the decrypt step pick any of these 9 depending on what ICC and Issuer lengths I'll be confronted with.
    But any better ideas much appreciated!
