SSLVPN with RSA TOKEN

Hi
Does the firewall support SSL VPN with RSA token with the license mentioned below?
Current remote access VPN is configured. If yes, what changes are required?
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

According to me, you will need an AAA server to communicate with the RSA key server, like below:
Cisco ASA ---> ACS ---> RSA Server
the license is fine.
this is the guide for setup   http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

Similar Messages

  • Router login with RSA token

    Is there any way to secure the login process of a router using RSA token?
    And how to do that.
    Thank you!
    Regards.

    You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
    So the configuration of the router is pretty straightforward:
    aaa authentication login default group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
    HTH
    Rick

  • MfE - 2stage logon with RSA token, possible?

    I'm finally able to use Exchange 2003 SP2 on OWA on my PC via IEv7.
    However, in order to use OWA at home I have 2 issues that I cannot figure out what to do with MfE.
    1. 2 stage logon.
    - First logon is the site logon id & pw. I work for a bank and as such security is its focus; gladly not a hindrance. I have a 2 stage logon because the AD ID I have is set for supporting 1 area of the bank while my access allows certain admin rights.
    - Thus my first logon is not the same as my AD. This enables a certificate to be installed into IE v7. This worked on MfE initially.
    - The second stage logon requires my AD account logon ID, and the pw uses my PIN+Tokencode (RSA hardtoken generated). 
    2. Although RSA supports S60 there is nothing on the web or on their site showing a trial or full working application for download OR purchase. It supports S60 3rd Edition.
    Now can MfE or any other software help me out in this situation.

    So I found RSA's link to purchasing the software ...
    http://www.rsa.com/node.aspx?id=3388
    BUT it asks you to basically register.
    Technical Specifications
    Currently shipping version: RSA SecurID® Token 2.20 for Symbian OS™ and UIQ
    Device requirements: Symbian OS™ 9.1 or higher, UIQ 3.0 or higher
    Required components: RSA® Authentication Manager (5.1 or later required for AES token support; 6.1 recommended)
    AES (128-bit) token seeds
    Ordering options: AES (128-bit) token seeds available in 6-month and 1-, 2-, 3-, 4-, 5-, and 10-year lifetime configurations.
    Pricing and availability: RSA® SecurID Token 2.20 for Symbian OS™ and UIQ is available free of charge through RSA.
    Download RSA SecurID Token 2.20 for Symbian OS™ and UIQ, including documentation
    Token seeds are available through RSA sales channels.

  • SGD with RSA Token Authentication - Is it all or nothing?

    We are investigating having RSA authentication in SGD, but we only want to force its usage for a subset of users. Based on what I can see in the docs and the screen it's not clear if it's all or nothing.

    We have the same question from a customer.
    Here is my suggestion:
    Have two sgd servers. Both are in one array. Because LDAP and RSA are global configurations, both sgd servers can handle logins via these authorities.
    To prevent login via RSA in sgd1, disable the route to the RSA server.
    To prevent login via ldap in sgd2, disable the route to the LDAP server.
    The sgd2 should be the primary and the login of the admin Console, so DSI will work.
    Another thought with a dead end is: RSA via 3Party and http.conf preventing access from a network. This can work, but not with firewall traversal, because the apache sees only the localhost.
    Would be happy to have more suggestions about this.

  • LEAP, ACS and RSA token Card

    Hello,
    Is it possible to use LEAP with Rsa Token Card to authenticate WLAN users in addition with ACS ?
    Best Regards,

    You can use RSA SecurID with PEAP only. You will need ACS 3.2 at least with ACU 6.3/ ADU 1.0.
    I have it working with limited functionality

  • ACS5.2 with Radius to RSA token server

    I have a test lab with the eval version of ACS5.2. I am running 802.1x on my switch to the ACS using radius and want to use my RSA token server to authenticate my users. I have set up my RSA server under "Radius Identity Servers" in the external identity stores section of the ACS5.2. I have only selected this RSA server in access policies -> identity. When I plug my 802.1x enabled laptop into the switch I can see the packets going to my ACS but I cannot see any communication from my ACS to the RSA server. And the error I get in the ACS is 22056 Subject not found in the applicable identity store(s). It works fine with AD. Any reason why the ACS is not talking to the RSA token server?

    It looks like the RSA token server is not one of the identity stores used by the authentication policies you set up, I would start troubleshooting by looking at them and see what identity store or identity store sequence they are using.

  • How can I make ESA work with RSA token, I mean authentication with RSA when I enter the login

    Hi there,
    How can I make ESA work with RSA token, I mean when I enter the login, the authentication asks me for the RSA token. Is it possible?
    Regards,

    Hello Miguel,
    RSA tokens are currently not supported for login, neither to the GUI/CLI nor for access to the spam quarantine. There is currently a feature request "Support SecurID via RADIUS" for the WSA; if you want, you can open a ticket and either have your company added to that request, or have it extended for ESA as well.
    Hope that helps,
    Andreas

  • RSA token with Pix

    I have a Pix 525 running 7.02 OS using the 5.0 VPN client. I'm trying to configure this to use RSA tokens to authenticate. I added the following lines to my Pix config:
    aaa-server <group name> protocol sdi
    reactivation-mode timed
    aaa-server <group name> host 172.16.180.X
    retry-interval 3
    timeout 13
    aaa-server <group name> protocol sdi
    reactivation-mode timed
    aaa-server <group name> host 172.16.180.105
    retry-interval 3
    timeout 13
    Where do I put in the shared secret that the RSA server uses? I know we put one in there, it's actually a version of RADIUS but I don't know where to put it for the Pix.
    Thanks

    If you're doing it via SDI the two devices will negotiate the shared secret. Only if you're doing Radius do you need to create one manually, based on RSA documents.

  • ACS 5.3 Integration With RSA

    Hi People,
    I have Integrated the ACS 5.3 with AD.
    Now my next goal is to Integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD.
    The enable privilege level should come from the RSA Token OTP.
    Is it possible to do such a thing with ACS 5.3???
    If so how could i do it???
    Thanks,
    Manoj

    I think you can try to make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
    (this is not tested and based on my recollection so would need your verification)
    1) Create a custom condition for the service attribute in TACACS+ dictionary
    Policy Elements > Session Conditions > Custom
    Create: Dictionary: TACACS+ ; Attribute:Service
    2) Utilize in a rule in Device Admin identity policy
    Access Policies > Access Services > Default Device Admin > Identity
    Select a rule based
    Customize based on condition in 1
    Create a rule for when Service is "Enable". Select identity source as RSA in this case

  • Web Authentication with RSA SecurID on a Cisco Switch

    Hi,
    I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecurID via Radius
    I've already managed to link it in for ssh access
    but I've not managed to get it working for http / web access to the switch
    I think this is because we're using "single use" tokens for maximum security with RSA SecurID
    and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecurID server
    (okay on the first authentication, but each time after it's going to want a different token code)
    I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)
    For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2

    Hello Chris,
    Can you test the following configuration?
    aaa group server radius webtac_grp
    server
    cache expiry 1
    cache authorization profile httpauth
    cache authentication profile httpauth
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
    all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key ******
    I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.
    NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.
    If this was helpful please rate.
    Regards.

  • ISE and RSA token groups

    We have a wireless network using ISE and RSA to do the authentication. There are two groups of RSA token users, one is with username
    Axxxx, the other Bxxxx.
    Now we are trying to differentiate the authentication for the two groups. One permit, the other deny.
    I am wondering whether the ISE can do this or not.
    thanks,
    Han

    ISE 1.2 should work with RSA 8.1. Please do try it in a lab setup would probably qualify it as part of ISE 1.3.

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with bunch of incompatibilities between the offered support e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC
    We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list with EAP protocols supported by the RSA is in attach.
    Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the
    table "EAP Authentication Protocol and User Database Compatibility "
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • RSA tokens and AAA

    I have an RSA ACE server and would like to use it for console port and VTY port access....DOES AAA support this and if so, what does the config look like...I have done it with ACS, but would like to try it just going directly to the RSA SecurID server..and letting the server pop the login...and then I just poke in my Passcode and Token PIN...anyone done this yet....

    Very simple:
    1- install RSA Server on host A,
    2- install ACS server on host B,
    3- create an agent host on host A with host B IP address,
    4- copy the sdconf.rec file over to %Windows\system32 directory of host B,
    5- install RSA agent software on host B,
    6- create RSA user in host A,
    7- use the RSA test utility on host B to test authentication from host B over to host A,
    8- configure ACS to use RSA SecurID. Read the instruction on cisco web site, in the External database,
    9- run log monitor on host A RSA server,
    10- try to log into a router,
    11- enter the username created in step 6, you should see that you will be able to authenticate with RSA SecurID and ACS integration.
    Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on RSA Server. Next-PIN mode only works with Radius.
    Easy right?

  • PEAP with RSA question

    I am getting ready to install a wireless network with WLC4404, ACSSE and about 100 AP's. The current network is a Novell network and every user has an RSA token. We want to be able to have the users use their RSA token when connecting to the wireless.
    I have found all the documents from here on how to configure ACS including getting the certificate and adding in the RSA server. I also know how to add the information to the RSA server for the ACS.
    What I am not sure about is the setup of the windows XP SP2 machine for RSA security.
    From what I have read, it seems that I just need to select WPA2, AES, then select PEAP, and under PEAP options choose Smart Card. Is this all?
    When I looked at the RSA sites documents, their screen shots show the ability to choose a hardware or software token.
    Seth

    I have been doing some research into this.
    If I have this correct, I cannot use the RSA token directly with Windows without using a supplicant like Funk Odyssey or Cisco.
    Is this correct?
    Seth
