VPN and Wireless authentication through ACS 5.4

Anand Thakur
Level 1
Hello,

I am in the process of migrating from ACS 4.1.1.23 to ACS 5.4. I have migrated our users and Network Device Groups and configured external Identity stores like AD and RSA. I want to authenticate our Wireless users with AD and VPN users through RSA. I am unable to create policies to get this UP and working. I need help in this regarding the policy creation.
As I am new to the ACS 5.4, any help with the step by step configuration of the WLAN and VPN authentication will be appreciated.

Thanks in advance.


Regards,

Anand

jrabinow
Level 7

This can be done by creating two Access Services: one that authenticates against AD and one against RSA.

Then you need to create a Service Selection policy that will have as a result one of these two services. One possibility could be NAS-Port-Type in the RADIUS dictionary, which should be "Wireless - IEEE 802.11".

Hello,

Thanks a lot. I am trying it now.

While creating Access Services, which allowed protocols should be used for RSA authentication?

Any other specifications if I need to add please let me know.

Thanks, it worked.

I am now able to get authentications of Network devices through TACACS and WLAN through RADIUS.

I am stuck at RSA as I am not sure if RSA 6.1 is compatible with ACS 5.4.

Can I get some insight on this?

Please help.

In order to work with RSA you need to do the following:

- Define the ACS servers on the RSA server

- Export the sdconf.rec file from RSA

- Include the sdconf.rec as part of the RSA definition on ACS

Thanks, RSA authentication for VPN and AD authentication for WLAN is now successful. Also I am successful in getting the device authentication through both RSA and internal password.

Now I want to configure DACLs for VPN users. I have internal user groups with internal users mapped to them, but the authentication is through RSA and I want to apply DACL to the specific groups.

How can I get this done?

Thanks in advance

You need to configure a Rule in the authorization policy where the condition is the group matching the one you need, and then you can assign an authorization profile with the ACL you want.

I am wondering how many different identity groups you have that you want to assign DACLs for.

A key thing is to ensure that even when authentication is against RSA that identity groups are retrieved.

In order to ensure this you should define an identity sequence including RSA and internal users that you use as the result of the identity policy instead of just RSA.

Do this as follows:

Users and Identity Stores > Identity Store Sequences > Create

- select "Password Based" and select RSA in "Authentication and Attribute Retrieval Search List"

- select "Internal Users" in "Additional Attribute Retrieval Search List"

This means that authentication will be done against RSA but internal user attributes will also be retrieved in this case

Therefore, irrespective of whether authentication is against RSA or "Internal Users" the internal user attributes will be available to be used in authorization rules.
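
The policy flow described in this thread, as an added example that is not part of the original posts and is not ACS code: a simplified Python model of why "Internal Users" must be in the additional attribute retrieval list before a group-based authorization rule can assign a DACL to an RSA-authenticated user. The user, group and DACL names, the passcode check, and the default rules (non-wireless requests go to the RSA service, unmatched users get a deny-all DACL) are constructed assumptions.

```python
# Simplified model of the policy flow discussed in this thread; not ACS code.
# All users, groups, DACL names and the passcode below are constructed samples.
NAS_PORT_TYPE_WIRELESS = 19  # RADIUS NAS-Port-Type "Wireless - IEEE 802.11"

# Constructed internal user store: only the identity group is used here.
INTERNAL_USERS = {"alice": {"identity_group": "VPN-Admins"},
                  "bob": {"identity_group": "VPN-Contractors"}}
# Constructed authorization rules: identity group -> downloadable ACL name.
AUTHZ_RULES = [("VPN-Admins", "DACL-FULL"), ("VPN-Contractors", "DACL-RESTRICTED")]
DEFAULT_DACL = "DACL-DENY-ALL"  # assumed restrictive default rule


def select_service(request):
    """Service selection: wireless requests use the AD service, others RSA."""
    if request.get("NAS-Port-Type") == NAS_PORT_TYPE_WIRELESS:
        return "WLAN-AD"
    return "VPN-RSA"  # assumed default rule


def rsa_authenticate(user, passcode):
    """Stand-in for the RSA server: answers pass/fail, returns no group data."""
    return passcode == "123456"  # constructed check


def run_identity_sequence(user, passcode, additional_attr_stores):
    """Authenticate against RSA, then retrieve attributes from the extra stores."""
    if not rsa_authenticate(user, passcode):
        return None
    attrs = {}
    for store in additional_attr_stores:
        attrs.update(store.get(user, {}))
    return attrs


def authorize(attrs):
    """First rule whose identity group matches wins; otherwise the default."""
    for group, dacl in AUTHZ_RULES:
        if attrs.get("identity_group") == group:
            return dacl
    return DEFAULT_DACL


def handle_vpn_login(user, passcode, additional_attr_stores):
    """Full VPN path: identity sequence first, then the authorization policy."""
    attrs = run_identity_sequence(user, passcode, additional_attr_stores)
    if attrs is None:
        return "Access-Reject"
    return authorize(attrs)
```

Calling `handle_vpn_login("alice", "123456", [])` models an identity policy that points at RSA alone: authentication passes, but no identity group is retrieved, so the group rule never matches.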