cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Configuration Example - Cisco ACS 5.x integration with RSA SecureID Token server

15159
Views
10
Helpful
1
Comments

 

 

Introduction

This Document is created by TAC Expert from AAA team Anubhav Gupta. 

ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user's personal identification number (PIN) and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm.

A different token code is generated at fixed intervals (usually each at 30 or 60 seconds). The RSA SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is not possible to predict the value of a future token based on past tokens. 

Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.

You can integrate with RSA SecurID authentication technology in any one of the following ways:

•Using the RSA SecurID agent—Users are authenticated with username and passcode through the RSA's native protocol.

•Using the RADIUS protocol—Users are authenticated with username and passcode through the RADIUS protocol. 

RSA SecurID token server in ACS 5.3 integrates with the RSA SecurID authentication technology by using the RSA SecurID Agent. 

Configuration on RSA Server

Creating and Editing RSA SecurID Token Servers

ACS 5.3 supports RSA SecurID Token Servers for authenticating users for the increased security that one-time passwords provide. RSA SecurID token servers provide two-factor authentication to ensure the authenticity of users.

To authenticate users against an RSA identity store, you must first create an RSA SecurID Token Server in ACS and configure the realm, ACS instance, and advanced settings.

ACS 5.3 supports only one RSA realm. You can configure the settings for the RSA realm. A single realm can contain many ACS instances.

Step 1: RSA administrator needs to create something called “Authentication Agent”. This is basically a DNS name and IP address of a device/software/service that has rights to access RSA database. For our needs, RSA admin has to create two agents for our two ACS instances. Within “RSA Security Console”, under the “Access->Authentication Agents->Add New”.

1.jpg 

Step 2: RSA admin creates two agents. In the “Add New Authentication Agent” window, admin needs to fill just a few fields in:

2.jpg

Both DNS forward and reverse lookups for ACS agents should work. The agent type is “Standard Agent”:

3.jpg

This is what we will see after adding agents:

4.jpg

Step 3: RSA admin needs to generate and export “sdconf.rec” configuration file. This file basically describes RSA topology and communication:

5.jpg

The default values can be used:

6.jpg

Step 4: Now admin downloads this configuration file.

7.jpg

 This .ZIP file contains actual configuration or “sdconf.rec” file. This file is needed by ACS admin to complete his/hers tasks.

Configuration on the ACS 5.x server

Step 1: On ACS 5.x under the “Users and Identity Stores->External Identity Stores->RSA SecurID Token Servers” admin clicks “Create”:

8.jpg

Step 6: Give the name of RSA server and then Browse the “sdconf.rec” file that was downloaded from the RSA server.

9.jpg

 After a file is selected, admin clicks “Submit”. 

Note: Now first time the ACS contacts token server, another file called a “node secret” will be created for agent (ACS) on RSA AM and downloaded to the ACS. This file is used for encrypted communication.

Troubleshooting

Verification of successful Login.

ACS-->Hit count

10.jpg

 OR

Second From the ACS logs:

11.jpg

On RSA server 

12.jpg 

More details

For one-time password authentication, ACS 5.3 supports the RSA SecurID native interface by configuring RSA SecurID Token Servers. For non-RSA one-time password servers, RADIUS interaction can be configured using the RADIUS Identity Server option.

Migration Notes

See System Administration > Configuration > Global System Options > RSA SecurID Prompts to configure RSA SecurID prompts.

Configuring RSA SecurID Agents

  • The RSA SecurID Server administrator can do the following:
  • Create an Agent Record (sdconf.rec)
  • Reset the Node Secret (securid)
  • Override Automatic Load Balancing
  • Manually Intervene to Remove a Down RSA SecurID Server

Create an Agent Record (sdconf.rec)

To configure an RSA SecurID token server in ACS 5.3, the ACS administrator requires the sdconf.rec file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates with the RSA SecurID server realm.

In order to create the sdconf.rec file, the RSA SecurID server administrator should add the ACS host as an Agent host on the RSA SecurID server and generate a configuration file for this agent host.

Reset the Node Secret (securid)

  • After the agent initially communicates with the RSA SecurID server, the server provides the agent with a node secret file called securid. Subsequent communication between the server and the agent relies on exchanging the node secret to verify the other's authenticity.
  • At times, you might have to reset the node secret. To reset the node secret:
  • The RSA SecurID server administrator must uncheck the Node Secret Created check box on the Agent Host record in the RSA SecurID server.
  • The ACS administrator must remove the securid file from ACS.

Override Automatic Load Balancing

RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the realm. However, you do have the option to manually balance the load. You can specify which server each of the agent hosts must use and assign a priority to each server so that the agent host directs authentication requests to some servers more frequently than others.

You must specify the priority settings in a text file and save it as sdopts.rec, which you can then upload to ACS.

Manually Intervene to Remove a Down RSA SecurID Server

When an RSA SecurID server is down, the automatic exclusion mechanism does not always work quickly. To speed up this process, you can remove the sdstatus.12 file from ACS.

 

Scenario 2:

Problem:

  • does anyboby know if RSA AM 8.x is supported by ACS 5.5 ?
  • I didn't find a supported RSA Version in Documentation/Release Notes.
  • I imported sdconf.rec von RSA AM 8.1 in external identity store config but node secret will not be created/exchanged.
  • Authentication fails with "Authentication method not supported" on RSA.

Solution:

ACS 5.5 supports RSA ACE/Server 6.xSeries RSA Authentication Manager 7.x Series RSA 8.

I think the information you are looking for below:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/device_support/sdt55.html#pgfId-73364

RSA Authentication Manager 7.x Series

 

Reference

Comments
Beginner
After configuring the RSA appliance and the ACS, what configuration changes are required on the devices? Can you provide a sample? Thanks,