cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
683
Views
0
Helpful
5
Replies

ACS authentication with RSA 6.1

it-ops-ne
Level 1
Level 1

I want to use our production RSA server to authenticate users on Cisco device's for authorization. I need to find out how to setup the ACS and RSA so I can pass all user requests to RSA. I have ACS 1113 running 4.0?

Many thanks in advance.

5 Replies 5

darpotter
Level 5
Level 5

For the ACS appliance you have to configure the "Generic RADIUS" external authenticator to point at the RSA server.

On the RSA server you must also setup the RSA RADIUS front end.

FWIW, with the S/W ACS you dont need to do that because ACS can use the RSA client DLL to talk direct to RSA.

Darran

Darran,

Thanks for the reply.

I am able to get RSA to authenticate my user account, but now, can I dynamically assign users to proper groups based on AD group membership. Can I even do such a thing: check the group membership in AD and use RSA token for authentication.

Currently ACS only lets me choose one group where I can have all my RSA users in.

Unfortunately not.

This ability was being designed into ACS XA but that project got canned.

I doubt ACS v5.0 will be that flexible.

The only workaround I have found is manually mapping users to a different group once they have been cached in ACS. It does not scale to large environments, but if you have a static batch of users, it may work.

Thanks everyone for your replies.

I finally remembered how I had accomplished this in the past. The reason I had asked was once I had done this scenario at a client site, but could not remember it. Over the weekend it finally came back to me. At this client site, I did not have an appliance, I had ACS for windows, and we had made the server a member server of the domain, it was able to grab all the AD groups, and we then sent the authentication to an RSA server. Plus dynamically map them to group in ACS.

Now since we have an appliance, I can?t have the ACS grab AD groups and authenticate against RSA.

This bites.... :(

Thanks again everyone. If anyone comes up with an alternative or a solution please let me know.