ACS 4.0 and RSA Token Server problem

john.dowson (Level 1)

Hi,

We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.

Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.

I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.

When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.

After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works); however, it looks like ACS doesn't even send traffic to the RSA server when authenticating.

Any help or advice appreciated.

Thanks


5 Replies

Jagdeep Gambhir (Level 10)

Hi,

The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.

Following link talks about the same.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733

Regards,

~JG

Accepted Solution

no no no no! NEVER use RSA with WIFI + PAP.

The token + PIN can be sniffed and are good for 60 seconds... over WiFi that's disastrous.
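The PAP path suggested above has a concrete on-the-wire consequence on the RADIUS leg. The following is an added example, not code from the original thread, from Cisco or from RSA: it implements the User-Password hiding of RFC 2865 section 5.2 that a RADIUS client applies to a PAP credential, and its inverse, to show that a PIN + tokencode sent as PAP is recoverable by anyone who holds the shared secret and sees the packet (the Request Authenticator travels in the clear in the packet header). The shared secret, passcode and authenticator values are constructed for the demonstration.

```python
"""RFC 2865 section 5.2 User-Password hiding, applied to a PAP passcode.

Added example. The secret and passcode below are constructed sample
values, not taken from any real deployment.
"""
import hashlib
import os

SHARED_SECRET = b"example-radius-secret"   # assumed client/server secret
TOKEN_PASSCODE = b"1234" + b"918345"       # assumed PIN + 6-digit tokencode


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way a RADIUS client does (RFC 2865 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is
    XORed with an MD5 keystream chained on the previous ciphertext block:
        b1 = MD5(S + RA)   c1 = p1 XOR b1
        b2 = MD5(S + c1)   c2 = p2 XOR b2   ...
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password length must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_user_password().

    Anyone holding the shared secret plus the packet can do this; MD5
    keyed by the secret is the only protection PAP gets on the RADIUS leg.
    Trailing NUL padding is stripped (PAP passwords do not contain NUL).
    """
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def demo() -> tuple:
    """Round-trip the sample passcode with a fresh Request Authenticator."""
    ra = os.urandom(16)  # chosen per request by the RADIUS client
    hidden = hide_user_password(TOKEN_PASSCODE, SHARED_SECRET, ra)
    recovered = reveal_user_password(hidden, SHARED_SECRET, ra)
    return hidden, recovered


if __name__ == "__main__":
    h, r = demo()
    print("hidden User-Password:", h.hex())
    print("recovered passcode  :", r.decode())
```

The point of the round trip is that the "hidden" form is a keyed obfuscation, not encryption with a per-session key: a captured Access-Request plus the shared secret yields the live tokencode within its validity window. Carrying the token inside a TLS-protected EAP method (PEAP or EAP-FAST, as suggested later in the thread) keeps it out of this attribute on every hop that is not the ACS itself.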

darpotter (Level 5)

Hi

This is because LEAP requires MSCHAP, which in turn requires access to either the plain-text password or a hash of it. So you can see how this would be hard to do with RSA.

To use RSA with WLAN you need to look at EAP-PEAP/FAST, where the RSA token can be carried inside the encrypted tunnel.

Ahhh... Thank you! I will give EAP-PEAP/FAST a try.

darpotter (Level 5)

oops... double hit the return key!