01-13-2009 08:42 AM - edited 03-10-2019 04:16 PM
We're using ACS 4.2 for AAA for all of our Cisco devices. The ACS server uses our RSA SecurID server and it works great. Except when the token goes into next tokencode mode. Instead of being prompted for the next tokencode after a successful auth, it prompts for a password change.
Other devices using the SecurID server aren't having this problem, so I'm sure it has to do with the ACS. Has anyone else seen this sort of thing before?
Here's our setup:
ACS 4.2(0) Build 124 Patch 7
RSA Appliance 2.0.2 Auth Manager 6.1.2 (142)
01-13-2009 12:16 PM
You are running into CSCsu29010. This is fixed with cumulative patch 6 and later.
01-13-2009 12:23 PM
OK, just noticed you are running patch 7. I need to double check.
01-13-2009 12:17 PM
This is a KNOWN issue:
http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf
You run into something like this, right:
[Expert@P1-NGx]# telnet 192.168.15.248
Trying 192.168.15.248...
Connected to 192.168.15.248.
Escape character is '^]'.
C
ACS Server version 4.2
Username: test1
Password:
Do you want to enter your own pin? (y or n) [n] y
It hangs after that, correct?
According to RSA:
Known Issues
1. Force Authentication after New PIN (both System Generated and User Defined), does not function as designed. The user is immediately authenticated after selecting or entering a NEW PIN. Cisco has been notified as this is how Cisco ACS is currently processing NEW PIN requests.
01-13-2009 12:35 PM
It's actually a little different than that. This is dealing with next tokencode mode, not new PIN mode yet. Here's what it looks like after a successful auth after next tokencode mode is activated:
Server requested password change
Password change request
Current password (blank for previously entered password):
When instead it should be prompting for the next tokencode. It's as if the ACS software doesn't know what next tokencode mode is or something. Doing a test from the RSA Security Center on the ACS server works out correctly.
I should probably note that we were experiencing the same issue with ACS 4.0. I was hoping that the upgrade and patch 7 would help but it hasn't.
01-13-2009 01:44 PM
Do you set up the router to use RADIUS or TACACS? I don't think next token code or next PIN mode is supported with TACACS.
01-14-2009 09:54 AM
Our routers and switches use TACACS to the ACS server. If we have to switch to RADIUS, we've got a looooot of reconfiguring to do...
01-14-2009 10:53 AM
If you are using TACACS, you will not be able to do this. This can be done only with RADIUS, to my knowledge.
By the way, say hi to all the ex-"Digex" folks for me.
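The RADIUS challenge/response that the reply above refers to, as an added example that is not part of this thread and not Cisco ACS or RSA code: a Python model in which the AAA server answers a passcode from a token in next-tokencode mode with an Access-Challenge (code 11) carrying a Reply-Message prompt and a State attribute, and the NAS answers with a fresh Access-Request that echoes the State. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the token check (`TokenServerStub`), the user `test1`, the PIN and tokencodes, the shared secret and the prompt text are constructed for the example.

```python
"""Model of the RADIUS Access-Challenge round trip that carries a SecurID
"next tokencode" prompt. Wire format, User-Password hiding and the Response
Authenticator follow RFC 2865; the token check, user, codes and prompt text
are constructed stand-ins, not RSA or Cisco ACS code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
NEXT_CODE_PROMPT = b"Please Enter the Next Code from Your Token:"  # constructed text

def xor_password(data, secret, req_auth, hide):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. hide=True pads and hides, hide=False reveals."""
    if hide:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def avps(attrs):
    # each attribute is type(1) length(1, includes these two bytes) value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def encode(code, ident, authenticator, attrs):
    """Header: code, id, length, 16-byte authenticator; then the attributes."""
    body = avps(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = raw[pos], raw[pos + 1]
        attrs.append((t, raw[pos + 2:pos + ln]))
        pos += ln
    return code, ident, raw[4:20], attrs

def attr(attrs, t):
    return next((v for k, v in attrs if k == t), None)

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(reply header + request authenticator + attributes + shared secret)."""
    body = avps(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

class TokenServerStub:
    """Constructed stand-in for the token check: a token flagged for next-tokencode
    mode must show two consecutive codes before it is accepted."""
    def __init__(self, pin, codes, next_tokencode_mode):
        self.pin, self.codes, self.flagged = pin, list(codes), next_tokencode_mode
    def check_passcode(self, passcode):
        if passcode != self.pin + self.codes[0]:
            return "FAIL"
        return "NEXT_TOKENCODE" if self.flagged else "OK"
    def check_next_tokencode(self, code):
        return "OK" if code == self.codes[1] else "FAIL"

class RadiusServer:
    """AAA side: a NEXT_TOKENCODE verdict becomes an Access-Challenge carrying the prompt
    and a random State; the second leg is accepted only if it echoes that State."""
    def __init__(self, secret, tokens):
        self.secret, self.tokens, self.pending = secret, tokens, {}
    def handle(self, raw):
        code, ident, req_auth, attrs = decode(raw)
        user = attr(attrs, USER_NAME).decode()
        typed = xor_password(attr(attrs, USER_PASSWORD), self.secret, req_auth, hide=False).decode()
        state, token, reply = attr(attrs, STATE), self.tokens[user], []  # unknown users out of scope
        if state is not None:  # second leg: answer to an outstanding challenge
            ok = self.pending.pop(state, None) == user and token.check_next_tokencode(typed) == "OK"
            out = ACCESS_ACCEPT if ok else ACCESS_REJECT
        else:
            verdict = token.check_passcode(typed)
            if verdict == "NEXT_TOKENCODE":
                state = os.urandom(16)
                self.pending[state] = user
                out, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, NEXT_CODE_PROMPT), (STATE, state)]
            else:
                out = ACCESS_ACCEPT if verdict == "OK" else ACCESS_REJECT
        return encode(out, ident, response_authenticator(out, ident, req_auth, reply, self.secret), reply)

def authenticate(server, secret, user, passcode, next_code):
    """NAS side. Returns the reply codes seen, e.g. [11, 2] for challenge then accept."""
    transcript, state, typed, ident = [], None, passcode, 1
    while True:
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, xor_password(typed.encode(), secret, req_auth, hide=True))]
        if state is not None:
            attrs.append((STATE, state))
        code, rid, resp_auth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        if resp_auth != response_authenticator(code, rid, req_auth, rattrs, secret):
            raise ValueError("reply failed Response Authenticator check")
        transcript.append(code)
        if code != ACCESS_CHALLENGE:
            return transcript
        # answer the challenge in a fresh Access-Request: next code, State echoed unchanged
        state, typed, ident = attr(rattrs, STATE), next_code, ident + 1
```

Running `authenticate(RadiusServer(secret, {"test1": TokenServerStub("1234", ["111111", "222222"], True)}), secret, "test1", "1234111111", "222222")` returns `[11, 2]`: one challenge, then accept. In a capture of the ACS-to-NAS leg, a correctly handled next-tokencode step therefore shows as an Access-Challenge with a State attribute followed by a second Access-Request on the same session; if the token server reports next-tokencode mode but the device shows a password-change prompt instead, the mapping between the token server's verdict and the AAA protocol's reply is the place to look.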
01-14-2009 11:01 AM
I'll do some testing with a switch to see if that does it. It's going to be a lot of no fun if that does it!
Next time I see one, I'll tell them you said hi. :)
01-22-2009 12:33 PM
OK, I finally had a chance to test out this theory. The good news (for me) is that there's no change. I'm still getting this prompt when in next tokencode mode instead of a prompt for the next tokencode:
Server requested password change
Password change request
Current password (blank for previously entered password):
That's only good news for me because it looks like I don't have to reconfigure a crazy amount of network gear. The bad news is that we still don't have an idea of why this is happening.