08-17-2007 05:01 AM - edited 03-10-2019 03:20 PM
Hi,
We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
I have installed the RSA Agent on the same server as the ACS (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
Any help or advice appreciated.
Thanks
08-17-2007 06:08 AM
no no no no! NEVER use RSA with WIFI + PAP.
The token + PIN can be sniffed and are good for 60 seconds... over WiFi that's disastrous.
08-17-2007 05:47 AM
Hi,
The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
The following link talks about the same.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
Regards,
~JG
08-17-2007 06:04 AM
Hi
This is because LEAP requires MSCHAP which in turn requires access to either the plain text password or a hash of it. So you can see how this would be hard to do with RSA.
To use RSA with WLAN you need to look at EAP-PEAP/FAST where the RSA token can be carried inside in the encrypted tunnel.
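The two points made in this thread (a token server can only answer "is this passcode valid right now?", and a PAP passcode seen on the air stays valid for the rest of its time window) can be modelled with a small constructed example. This is added illustration, not Cisco or RSA code: the seed, PIN and TOTP-style code generator are stand-ins for a real RSA token, and the one-time-use check on the model server is the mitigation a practitioner would look for.

```python
import hmac, hashlib, struct

# Constructed demo values: not a real RSA seed, PIN or user.
SEED = b"constructed-demo-seed"
PIN = "2468"
STEP = 60  # tokencode lifetime in seconds, as in the thread

def tokencode(seed: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """TOTP-style code (RFC 6238 with HMAC-SHA1) standing in for an RSA tokencode."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class TokenServer:
    """Models what a token-server API offers ACS: validate(passcode) -> bool.
    It never hands out a password or password hash, which is why it can only be
    driven by PAP and not by a challenge/response method such as MS-CHAP."""
    def __init__(self, seed: bytes, pin: str, one_time_use: bool):
        self.seed, self.pin, self.one_time_use = seed, pin, one_time_use
        self.used = set()  # passcodes already accepted in this window

    def validate(self, passcode: str, now: float) -> bool:
        expected = self.pin + tokencode(self.seed, now)
        if not hmac.compare_digest(passcode, expected):
            return False
        if self.one_time_use:          # reject a second use of the same passcode
            if expected in self.used:
                return False
            self.used.add(expected)
        return True

def pap_auth(server: TokenServer, passcode: str, now: float) -> bool:
    """PAP: ACS forwards the passcode unchanged; the same string is what a sniffer sees."""
    return server.validate(passcode, now)

def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the thread's scenario on a fixed clock (now is inside a 60 s window)."""
    passcode = PIN + tokencode(SEED, now)   # what the user types
    sniffed = passcode                      # PAP over WiFi: captured in clear
    naive = TokenServer(SEED, PIN, one_time_use=False)
    strict = TokenServer(SEED, PIN, one_time_use=True)
    return {
        "pap_login": pap_auth(naive, passcode, now),
        "reuse_naive_within_window": pap_auth(naive, sniffed, now + 30),
        "reuse_naive_after_window": pap_auth(naive, sniffed, now + STEP + 1),
        "strict_login": pap_auth(strict, passcode, now),
        "reuse_strict_within_window": pap_auth(strict, sniffed, now + 30),
    }
```

The naive server accepts the captured passcode again inside the window; the one-time-use server does not, but the cleartext exposure itself is only removed by carrying the passcode inside a PEAP/EAP-FAST tunnel as the reply above recommends.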
08-17-2007 06:10 AM
Ahhh... Thank you! I will give EAP-PEAP/FAST a try.
08-17-2007 06:06 AM
oops... double hit the return key!