Solved: ACS 5.x with either AD or RSA Authentication depending on user - Page 2

timsilverline · ‎01-23-2013

I am trying to implement RSA two-factor authentication for our company for access to secure resources.

Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.

I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.

We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.

I cannot figure out how to configure this. With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against. Not as easy with 5.x

I tried creating an rules based selection for Identity policy, making RSA the first one, configuring it to drop if no users is found, and configuring the RSA to treat user rejects as user not found. This broke VPN completely.

From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.

Anyone know how to accomplish this?

I am running 5.4 with the latest patches.

timsilverline · ‎01-29-2013

I was able to get RSA and AD authentication working fine with the timeout set to 5 seconds and all is working now.

I am confused on why thie timesout setting is required though.

Can anyone help to clarify why this is needed? Is it just a bug that I am working around by changing the timeout?

Thanks for your help guys. Much appreciated.

jrabinow · ‎01-29-2013

Not suprised

This is still a work around and means system is working in one of two ways

- valid user / password: positive response immediately

- invalid user/password: response from RSA appears to be received but does not seem to get flushed/processed until timeout occurs

In means in case of failures processing is taking longer than it should and not sure of can clearly distnguish all cases including a real timeout from server

Worth still digging some more to undelying causes and also debug from RSA side

timsilverline · ‎02-06-2013

When you say Not Surprised is that because this sort of timeout behavior is expected? I have sent logs to RSA and am waiting on their response.

In the meantime, during further testing I found a flaw in my current design....

Succesful Authentication works properly for users as intended.

However, I have found that when using the elevated privilege level account, if I enter the AD password for this account, after RSA authentication fails it still successfully authenticates the end users against AD afterwards and they end up being given the same network access.

The way I have it setup right now is Authorization Profiles are tied to AD group memberships. So even though I have users authenticating against RSA, RSA is still checking against AD for these user accounts, and ACS is still using their group membership from AD to determine which Authorization Profile to provide to the user.

I don't see how else I can set this up to get it working anymore. If I can't base the Authorization Profile on AD group, or NDG device, I can't figure out how to change their authorization profile to know that this user was authenticated against RSA and use the proper profile.

Any idea how I can accomplish this?

jrabinow · ‎02-07-2013

I am not sure I haev all the details of the issue but I think there is an additional attribute that defines the name of the external store that was authenticated against. Variable is called "AuthenticationIdentityStore" and is in system dictionary. In fact this is last database that was used to check authentication. In case authentication passed it will in fact be the database against which authentication passed

Therefore, best conditon to use is ("System:AuthenticationIdentityStore" equals "RSA" ) and ("System:AuthenticationStatus" equlas "AuthenticationPassed" )

This will check if authentication was done against RSA

timsilverline · ‎02-07-2013

Thanks again jrabinow. That was the exact attribute I had been looking for. It doesn't show up as an option when you just click customize. You have to select Compound Condition when you customize and then select the System variable from that option, and then select its options to see this attribute. It is buried more than the others it seems.

In any event, all authentication is working successfully right now with the timeout set to 5.

Still waiting on feedback from RSA engineering

aamadulin.accenture · ‎04-21-2014

Hope you're well!

I am facing some access issue after completed the ACS (5.1) and AD (Windows 2003) integration, details underneath.

Enable password for (Router, Switches) is working fine if identify source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result

1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.

2. Enable password is not working (using the same user password configured in MS AD.

3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.

Switch Tacacs Configuration

aaa new-model

!

aaa authentication login default none

aaa authentication login ACS group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec ACS group tacacs+ local

aaa authorization commands 15 ACS group tacacs+ local

aaa accounting exec ACS start-stop group tacacs+

aaa accounting commands 15 ACS start-stop group tacacs+

aaa authorization console

!

aaa session-id common

!

tacacs-server host 10.X.Y.11

tacacs-server timeout 20

tacacs-server directed-request

tacacs-server key gacakey

!

line vty 0 4

session-timeout 5

access-class 5 in

exec-timeout 5 0

login authentication ACS

authorization commands 15 ACS

authorization exec ACS

accounting commands 15 ACS

accounting exec ACS

logging synchronous

This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.

Regards,

cooldpsingh · ‎09-17-2015

Hi,

I am facing the same issue while using RSA as primary identity and Internal Users as secondary.

I have configured identity sequence and same I have used in default device admin profile with single rule instead of role based identity and in advance option I have used continue when user not found but its not working in that way....Plz suggest me what best coniguration I can do for using RSA as primary and Internal database as secondary or if possible gourp wise policy that this group should go to RSA and other group should go to internal users for authenication.....