ACS 3.3, RSA Authentication Manager, Win2k3 AD

IRMAN SETIAWAN
Level 1

What is the best practice for implementing Cisco ACS 3.3, RSA, and Win2k3 AD?

We want to use this combo to authenticate our remote access clients. Our VPN/firewall box is an ASA5540.

Thx

4 Replies

ajitbhullar
Level 1

Enable RADIUS on RSA and integrate ACS 3.3 with RSA. For Windows 2003, do the group mapping on the ACS.

Thx

jsteffensen
Level 1

Hi

You basically have 2 possibilities:

Possibility 1:

Use the ACS as the central AAA server and integrate all other authentication servers with the ACS.

The ACS supports different token servers / AD / RADIUS servers directly.

This is very smooth: you use the ACS to control all authentication requests from your network devices, TACACS+ or RADIUS.

There are some limitations though: ACS only supports one AD domain and no trusts... this can be painful.

Possibility 2:

Use the ACS as a RADIUS proxy server.

There is no "direct integration" with the other RADIUS servers - such as the ACE or the different ISA servers - but still all clients can use the ACS as their "AAA RADIUS server".

This requires separate configuration of all RADIUS servers, but it overcomes the limitation of the ACS support of Microsoft trusts.

It is possible to use a mixture of both scenarios, and you could use things like the domain suffix (everything behind @ in user@domain.com) to decide which RADIUS server should do the authentication.

Hope This Helps

Greetings

Jarle
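The domain-suffix routing described above (the proxy scenario, where the suffix of user@domain.com decides which backend RADIUS server authenticates the request) is easy to get wrong at the edges: Windows-style DOMAIN\user names, bare usernames with no realm, and realms nobody configured. The following is an added example, not code from the thread or from Cisco ACS, showing the routing decision a RADIUS proxy would make. The realm names, server hostnames and ports are constructed placeholders; only the idea of keying on the suffix comes from the post.

```python
"""Realm-based RADIUS proxy routing (added example, not ACS code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed realm table: which backend RADIUS server handles which suffix.
# Hostnames and ports are placeholders, not values from the thread.
REALM_TABLE = {
    "token.example": ("rsa-ace.token.example", 1812),  # token users -> RSA/ACE
    "ad.example": ("acs-ad.ad.example", 1812),         # password users -> ACS/AD
}

# Bare usernames (no suffix) are sent here; an explicit default avoids
# guessing through an ordered list of databases.
DEFAULT_REALM = "ad.example"


@dataclass(frozen=True)
class Route:
    user: str              # identity forwarded to the backend (realm stripped)
    realm: str             # normalised (lower-case) realm that matched
    server: Tuple[str, int]  # (host, port) of the backend RADIUS server


def split_identity(identity: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm) for user@realm, REALM\\user, or a bare user.

    '@' is checked first so that user@realm wins even if the user part
    happens to contain a backslash.
    """
    if "@" in identity:
        user, _, realm = identity.rpartition("@")
    elif "\\" in identity:
        realm, _, user = identity.partition("\\")
    else:
        user, realm = identity, None
    return user, (realm.lower() if realm else None)


def route_request(identity: str) -> Optional[Route]:
    """Decide which backend authenticates this User-Name.

    Returns None (caller should send Access-Reject) when the user part is
    empty or the realm is not in REALM_TABLE; an unknown realm is rejected
    rather than tried against every backend in turn.
    """
    user, realm = split_identity(identity)
    if not user:
        return None
    realm = realm or DEFAULT_REALM
    server = REALM_TABLE.get(realm)
    if server is None:
        return None
    return Route(user=user, realm=realm, server=server)


if __name__ == "__main__":
    # Constructed sample identities a VPN concentrator might send.
    for name in ("alice@token.example", "AD.EXAMPLE\\bob", "carol",
                 "dave@nowhere.example", "@token.example"):
        print(f"{name!r:28} -> {route_request(name)}")
```

The point of the explicit default and the reject-on-unknown-realm branch is that the proxy never has to guess: a token user is never offered to AD, and an AD user never receives a PIN challenge from the token server.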

darpotter
Level 5

The key to this one is knowing when to authenticate with RSA and when with AD.

The ACS "unknown user policy" would allow ACS to discover on its own which database users are in. But because it's just an ordered list, you can end up with 50% of your users going to the wrong DB first. If they are trying to do MS-CHAP to AD and RSA issues an "enter PIN" challenge, it all goes wrong.

Does the same user ever need both AD and RSA? If not you can manually enter users into the ACS DB and set their password types to Windows or RSA.

Is all the traffic coming from a single device? If so how does the device know which auth protocol to use?

More questions than answers, I'm afraid!

You might want to look at ACS v4.0, since it tries to handle multiple services/protocols from a single device (in order to support NAC).

Darran

darpotter
Level 5

ignore this.. IE locked up
