ACS authentication with RSA 6.1

it-ops-ne
Level 1

I want to use our production RSA server to authenticate users on Cisco devices for authorization. I need to find out how to set up the ACS and RSA so I can pass all user requests to RSA. I have ACS 1113 running 4.0?

Many thanks in advance.

5 Replies

darpotter
Level 5

For the ACS appliance you have to configure the "Generic RADIUS" external authenticator to point at the RSA server.

On the RSA server you must also set up the RSA RADIUS front end.

FWIW, with the S/W ACS you don't need to do that because ACS can use the RSA client DLL to talk directly to RSA.

Darran

Darran,

Thanks for the reply.

I am able to get RSA to authenticate my user account, but now, can I dynamically assign users to proper groups based on AD group membership? Can I even do such a thing: check the group membership in AD and use an RSA token for authentication?

Currently ACS only lets me choose one group where I can have all my RSA users in.

Unfortunately not.

This ability was being designed into ACS XA but that project got canned.

I doubt ACS v5.0 will be that flexible.

The only workaround I have found is manually mapping users to a different group once they have been cached in ACS. It does not scale to large environments, but if you have a static batch of users, it may work.

Thanks everyone for your replies.

I finally remembered how I had accomplished this in the past. The reason I had asked was that I had once done this scenario at a client site, but could not remember it. Over the weekend it finally came back to me. At this client site, I did not have an appliance; I had ACS for Windows, and we had made the server a member server of the domain. It was able to grab all the AD groups, and we then sent the authentication to an RSA server, plus dynamically mapped them to groups in ACS.

Now since we have an appliance, I can't have the ACS grab AD groups and authenticate against RSA.

This bites.... :(

Thanks again everyone. If anyone comes up with an alternative or a solution please let me know.