09-25-2010 08:06 AM - edited 03-10-2019 05:26 PM
hi!
I'm trying to configure authentication rules wherein the users would use their ACS 5.1 user accounts to log in to devices, and have the enable password be authenticated via RSA.
I'm quite confused as to how to do this configuration in ACS 5.1.
I would like to know if anyone has experienced configuring RSA-based enable password authentication in ACS 5.1?
thanks!
09-26-2010 10:27 PM
I have some ideas as to how to do this configuration. I have not tested this.
Need to make an identity policy condition based on the service type and select either "Internal Users" for login requests and RSA for enable requests. Can do as follows:
1) Create a custom condition based on service type. Go to "Policy Elements > Session Conditions > Custom". Create a custom condition using the TACACS+ dictionary and the "Service" attribute.
2) Modify your device administration identity policy to use this attribute. For example (if using policies as defined upon system installation), go to "Access Policies > Access Services > Default Device Admin > Identity", select rule based table and "Customize" to change the conditions in the table. Select the condition you created in step 1) for inclusion in the policy.
3) Can now create two rules in your identity policy. The first is if Service Type is "Login" to select "Identity Source" of Internal Users. Second for Service Type of Enable to select RSA.
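To make concrete what the "Service" attribute from the TACACS+ dictionary is keyed on, here is an added example (not from this thread, ACS, or Cisco) in Python. It parses a TACACS+ authentication START packet laid out per RFC 8907, reads the authen_service byte, and applies the two identity rules from the steps above: Login goes to the internal user store, Enable goes to an RSA store. The packets, the store names, and the fixed session id are constructed for the example; real TACACS+ bodies are XOR-obfuscated with the shared secret, so the sample packets set the unencrypted flag to keep the parser short.

```python
"""Added example: TACACS+ authentication START parsing and a two-rule
identity policy (service LOGIN -> internal users, ENABLE -> RSA).
Not ACS code; field layout follows RFC 8907, store names are placeholders."""
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_MAJOR_VER = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body is cleartext (deprecated in practice)

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01        # action: LOGIN (also used for enable)
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type: ASCII password prompt
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # authen_service: exec login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # authen_service: enable

# Identity policy from the post, top to bottom; store names are hypothetical.
IDENTITY_RULES = {
    TAC_PLUS_AUTHEN_SVC_LOGIN: "Internal Users",
    TAC_PLUS_AUTHEN_SVC_ENABLE: "RSA SecurID Token Server",
}
DEFAULT_RESULT = "DENY (no matching identity rule)"


def build_authen_start(session_id, service, user, priv_lvl, port="tty1",
                       rem_addr="192.0.2.10"):
    """Construct a cleartext authentication START packet (sample input only)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                       len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHEN, 1,
                         TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body


def parse_authen_start(packet):
    """Parse header + START body; raise on anything malformed or obfuscated."""
    if len(packet) < 12:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated; shared secret needed to decode")
    body = packet[12:12 + length]
    if len(body) != length or length < 8:
        raise ValueError("body length does not match header")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = struct.unpack("!8B", body[:8])
    offset, fields = 8, {}
    for name, n in (("user", user_len), ("port", port_len),
                    ("rem_addr", rem_addr_len), ("data", data_len)):
        fields[name] = body[offset:offset + n]
        offset += n
    if offset != length:
        raise ValueError("variable-length fields overrun the body")
    return {
        "session_id": session_id, "seq_no": seq_no, "action": action,
        "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
        "user": fields["user"].decode("ascii", "replace"),
        "port": fields["port"].decode("ascii", "replace"),
        "rem_addr": fields["rem_addr"].decode("ascii", "replace"),
    }


def select_identity_store(packet):
    """Apply the service-type rules; unmatched services fall to the default."""
    req = parse_authen_start(packet)
    return IDENTITY_RULES.get(req["service"], DEFAULT_RESULT)


if __name__ == "__main__":
    # Constructed samples: an exec login and a subsequent enable request.
    login = build_authen_start(0x1234, TAC_PLUS_AUTHEN_SVC_LOGIN, "netadmin", 1)
    enable = build_authen_start(0x1234, TAC_PLUS_AUTHEN_SVC_ENABLE, "netadmin", 15)
    for name, pkt in (("login", login), ("enable", enable)):
        print(name, "->", select_identity_store(pkt))
```

The point to check against the thread: both requests carry the same username and action, and only the authen_service byte differs, which is exactly what the custom "Service" condition in step 1 separates. A request whose service is anything other than Login or Enable matches no rule and should not silently fall to the internal store.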
09-28-2010 08:09 AM
Hi jrabinow,
I tried your suggestion and it works fine up to Telnet login only... when I get to the enable password authentication, it fails... I tried using both the user password and the RSA password, but still it won't get authenticated.