12-10-2009 11:02 AM
Hi,
We need to run the following scenario:
Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server
The CAT Authentication Server is a Radius Server. It can receive Radius Authentication requests and respond. It is used for TFA OTP strong authentication in a similar way to the RSA OTP Tokens.
The question is: How do we configure the ACS 4.2 to delegate the Authentication Request to another Radius server.
Thnx
12-10-2009 01:24 PM
Add the RSA server as an External Database, configure the user or group profile dropdown for authentication to the new external database rather than ACS Local DB (or Windows DB).
Easy as pie!
Please rate if this is helpful.
12-10-2009 02:03 PM
Hi Tim,
Thanks.
Just to be sure - when you add a new External Database, you are defining a Radius server? That's the Radius server IP and shared secret, right?
Is there a Cisco document that describes the process and/or step-by-step instructions?
I'm asking, because I don't have the Cisco installed at our server, it is installed at a customer of ours and I need to be sure.
You know how customers are...
Many thanks.
12-10-2009 02:18 PM
Tim,
One more thing.
Please notice that we do not use RSA, we have a Radius server like FreeRadius for example.
Thanx
12-10-2009 02:54 PM
You can define any radius server as an external authentication database. Basically, an external database is just a system that can authenticate requests outside of ACS's authority. You just configure it under RADIUS token server, and it will appear in the dropdown under user or group profiles. I've had this work with Microsoft IAS, FreeRADIUS, and RSA SecurID Server.
Cheers,
Tim
12-10-2009 03:10 PM
Many thanks!!! Much appreciated.
02-29-2012 12:44 AM
Hi,
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External Databases. I have added the AAA client in Network Configuration (selected "Authenticate using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop-down).
Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally, when you use ACS as the RADIUS server, you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?
I would be really grateful for any help on this.
Thanks and Regards,
Rahul.
12-11-2009 08:59 AM
Hi Tim,
We have already tried configuring RADIUS Token Server External User Database connector, but it didn’t work.
Maybe it's because we already have a Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have both connectors at the same time: Windows AD and RADIUS Token Server External User Database (meaning CAT AS)?
Thanks
12-11-2009 10:17 AM
Hi Arnnei,
I have a Windows Connector and an RSA SecurID Connector at the same time and they work fine. Can you please specify what didn't work? You need to be sure to add the ACS Server as a RADIUS Device on the RADIUS server so it can talk, and make sure RADIUS is open on the firewall between the two devices. Hook up a sniffer (Wireshark, etc.) and see if the packets are going to the RADIUS server. If they are, then the configuration issue is on the RADIUS side. If not, then something is wrong on the ACS side.
You must ensure that a user has been created and has the RADIUS server in the Password Authentication box under the User Setup section.
Please check those things and respond.
Thanks,
Tim
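Tim's checklist above comes down to testing the ACS-to-RADIUS leg on its own. The following is an added example, not code from the thread or from Cisco: it builds an RFC 2865 Access-Request the way a RADIUS token-server connector would, verifies the Response Authenticator on the reply (so a mis-keyed server cannot be mistaken for an Accept), and models the server side so the exchange runs offline; the user, password, NAS address and shared secret are constructed placeholders.

```python
"""RFC 2865 Access-Request / Access-Accept exchange in pure Python, for probing the
ACS -> external RADIUS server leg without ACS in the path (added example, not from the
thread; every host, user, password and shared secret used here is constructed)."""
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block chains from the Request Authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    # Server-side inverse of hide_password; the NUL padding is stripped.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, identifier=1, authenticator=b""):
    # nas_ip is the address the token server must have registered as a RADIUS client.
    authenticator = authenticator or os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret.encode(), authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret):
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret.encode()).digest()

def verify_response(response, request, secret):
    # Validate the authenticator first: a mis-keyed or spoofed reply must never read as Accept.
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret.encode()).digest()
    if ident != request[1] or response[4:20] != expected:
        return "invalid-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)
```

To use it against a real token server, send the bytes from build_access_request over UDP to port 1812 and pass the reply to verify_response; an "invalid-authenticator" result points at a shared-secret mismatch on the RADIUS side, while no reply at all matches Tim's "packets not arriving" case.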