Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2069
Views
0
Helpful
1
Replies

Cisco ISE and RSA SecureID Integration for network device auth

Luffy120
Level 1
Level 1

‎11-21-2022 03:37 AM

Hi,

I'am trying to integrate ISE 3.1 with RSA Authentication Manger v8.3

The idea is that the administrator connects to a given cisco router/switch, the net device for a lab (cisco router) has aaa configured with a TACACS+ server whose IP is pointing to ISE. And on the ISE the police set/identity sequence allows logging in or not. Depending on whether the username and password match what is on the SecureID server.

I got a properly prepared sdconf.rec file from the administrator which I added to the ISE and configured a simple police set which, in the event of a match, is supposed to allow login.

Unfortunately at the moment this does not work, I have checked with tcpdump and on the firewall which is on the way and the traffic between ISE and RSA server does not appear at all.

The logs tell me that the problem is somewhere on the ISE - "RSA request is declined, because RSA agent initialization has failed - RSA SecurID".

13013Received TACACS+ Authentication START Request
 15049Evaluating Policy Group
 15008Evaluating Service Selection Policy
 15048Queried PIP - DEVICE.Device Type
 15041Evaluating Identity Policy
 22072Selected identity source sequence - All_User_ID_Stores
 15013Selected Identity Source - RSA SecurID
 13044TACACS+ will use the password prompt returned by the identity store
 13015Returned TACACS+ Authentication Reply
 13014Received TACACS+ Authentication CONTINUE Request
 15041Evaluating Identity Policy
 22019Identity Policy was evaluated before; Identity Sequence continuing
 15013Selected Identity Source - RSA SecurID
 24500Authenticating user against the RSA SecurID Server - RSA SecurID
 24560Searching for user record in RSA identity store Passcode cache - RSA SecurID
 24562User record was not found in Passcode cache - RSA SecurID
 24551RSA request is declined, because RSA agent initialization has failed - RSA SecurID
 24503Cannot establish a session with the RSA SecurID Server - RSA SecurID
 22059The advanced option that is configured for process failure is used
 22062The 'Drop' advanced option is configured in case of a failed authentication request
 5412TACACS+ authentication request ended with error

Plase help with the answer where the problem may lie. I created the configuration according to https://community.rsa.com/t5/securid-integrations/authentication-agent-configuration-cisco-ise-rsa-ready-securid/ta-p/559403

Best regards

Labels:
0 Helpful
1 Reply 1

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎11-24-2022 10:52 AM

Hi @Luffy120,

Based on provided message "RSA request is declined, because RSA agent initialization has failed - RSA SecurID", it looks to me that ISE is not able to esablish connection to RSA server, thus no logs on FW along the path.

I would point my troubleshooting towards reconfiguration of ISE-RSA integration, like regenerate sdconf.rec file, checking DNS on both systems (are they able to resolve each other hostnames), and similar.

Based on provided logs, all other seams to be fine.

Kind regards,

Milos

0 Helpful
Customers Also Viewed These Support Documents