Does anyone have experience with setting up the following scenario? We have an ACS 5.1 server that we would like to use RSA
SecurID tokens with. Followed the config guide but still can't get it working.
Any methodology to test if the two are even communicating?
ACS supports several RSA key sizes used in the certificate that are 512, 1024, 2048, or 4096 bits. Other key sizes may be used. ACS 5.1 supports RSA. ACS does not support the Digital Signature Algorithm (DSA), however, in some use cases, ACS will not prevent DSA cipher suites from being used for certificate-based authentication.
You might be able to get a hold of RSA Authentication Manager by asking for
a demo from RSA directly.
If I understand you correctly, you want to use PEAP-GTC.
That means using WPA1/2 + TKIP/AES for encryption and an OTP as the password.
In order to do that there are two ways:
1. Install the PEAP-GTC from the Cisco wireless client package (it will then replace the MS PEAP with Cisco's). No need for a Cisco adapter; Intel works fine.
2. Use the IPASS client, but you need a license/agreement.
But do it carefully in a separate environment, since sometimes this package causes a BSOD.
In order to get ACS 5.1 to work with SecurID you need to do the following:
1. Get the sdconf.rec file from the RSA server
2. Add the ACS server to the allowed list to be able to send auth requests to the system
1. Go to Users and Identity Stores > External Identity Stores > RSA SecurID Identity Stores > Create
2. Give it a name, upload your sdconf.rec file, configure any special stuff you want (up to you)
3. Go to Identity Store Sequences > Create
4. Give it a name, Select Password Based (your RSA stuff should now show up), select your RSA auth, and select any additional attributes you want added (internal users, host, nac
5. Go to Access Policies > Default (either one) > Identity > select your newly created Identity store > save
I know it's brief, but I got hung up on the 4th step with clicking on the Password Based part in the Identity Store Sequences. I did get RSA auth working correctly with the above. My issue is now trying to specify RSA auth for some users and static passwords for others. Tough part for me is that I have to have all the users defined in the system (RSA and local), but I can't figure out how to do this.
Hope that helps get your RSA working.
Have you got your ACS 5.1 and RSA SecurID server working?
I'm still in the process of setting it up with our RSA server admin.
My questions are:
1. How do I know if ACS is talking to RSA? I created the Identity Store, but I don't know if it's working.
2. Is it possible for ACS to query group membership on RSA, so I can authorize users based on their group?
I did get it working. I had to wait for the RSA administrator to add both of my devices to the RSA server's config.
1. I really have no idea how to tell if the ACS is talking to the RSA server. The only way I could test if it was working was to successfully auth to the system using the SecurID. I wish there were a troubleshooting tool on the ACS to actually test a FOB against the RSA server directly. On our 4.2 systems we have the RSA agents installed and can auth against the RSA system directly. That helps to troubleshoot.
2. I'm not sure about this one. I know our company's RSA server only gives us a passed auth or failed auth response, so I'm not sure if you can do that. Maybe someone who has some more hands-on with RSA could chime in here, please.
It wasn't so tough getting it set up, but the hard part for me was using two forms of auth - local and RSA. I had to match on specific parameters to make it work. I like this product in ways, but miss some of the simplicity of the 4.2 system.
I have a similar situation: local and RSA. Right now it's ACS 4.2, and some of the users are authenticated through RSA and some with the ACS local database. Now the migration to 5.1 came up and I was looking into the configuration. Can you explain in clear text how I can configure ACS 5.1 to use both authentications, local and RSA?
I created an Identity Store Sequence with Internal Users first and RSA second. In Access Policies, pick this Identity Store, and in Advanced Options, choose continue for "If user not found". Under Authorization, I put the rules for Internal Users first and RSA second. If the user is not found in Internal, then it will continue to authorize against RSA. Remember, the sequence of the rules is very important. Hope this helps.
I'm in the midst of deploying the same solution as well. I can't seem to get mine working. Please kindly assist me, if you have the working steps?
Here you go,
First: you should add Cisco ACS as the RADIUS client in RSA.
Second: then generate the configuration file from RSA: Security Console --> Access --> Authentication Agents --> Generate Configuration File.
Third: import this configuration file in Cisco ACS: Users and Identity Stores --> External Identity Stores --> RSA SecurID Token Servers --> Create --> RSA Realm (tab).
Enter whatever name you want.
At the bottom there is an option "Import new sdconf.rec file".
Import the above generated file from RSA and you are done.
Remember the process in Cisco ACS 5.3 is very simple: just define the RADIUS identity stores (you will not see this option in 5.0/5.1) as the RSA servers and define Cisco ACS as the client in RSA. That's it.
Thanks for the advice. I'll do this when I'm in the office tomorrow. Just to inquire: assuming after I have done the steps you've advised it still doesn't work, are there any debug commands that I can run on the Cisco ACS 1121 v5.3 to verify whether the root cause is the ACS settings or the RSA Manager settings?
This is because without these debug commands, the RSA vendor is surely gonna say that this is not the fault of the RSA and it's the fault of the ACS... and the ACS vendor is gonna blame the RSA settings etc., if you know what I mean.
Basically, how do I troubleshoot this if the steps given still don't work?
After all these steps, when you create a user in the ACS just make sure that you select the password type as "RSA authentication".
Since RADIUS uses UDP you cannot check it through telnet; the best thing is to go to the Monitoring and Reporting section of ACS and check out the RADIUS Authentications Today logs. Second, open the Authentication Activity Monitor on the RSA side as well to check the live authentications.
Make sure you allow ports 1812 (Auth) and 1813 (Acct) if there is any firewall between ACS and RSA.
It might take some time to get the debug logs ("debug-log") from ACS since it generates a lot of junk logs; the best thing is to check Monitoring and Reporting through the GUI.
Hopefully works with no issues....
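Neither the "how do I know if ACS is talking to RSA" question earlier in the thread nor the "RADIUS is UDP, you can't telnet it" answer above gives a direct test, so here is an added example (my own code, not from the thread, Cisco or RSA) of a minimal RADIUS Access-Request probe per RFC 2865 that tells a silent drop (firewall, or the probing host not registered as a client) apart from a shared-secret mismatch and a genuine Access-Accept/Reject. It applies to the RADIUS path (the ACS 5.3 RADIUS identity store and ports 1812/1813 mentioned above), not to ACS 5.1's native sdconf.rec agent protocol, which is not RADIUS. Server address, shared secret and the test account are assumptions.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(ident, user, passcode, secret, authenticator):
    """Access-Request carrying User-Name (type 1) and hidden User-Password (type 2)."""
    attrs = b""
    for attr_type, value in ((1, user.encode()), (2, hide_password(passcode.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):  # server-side format, used to simulate offline
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s.3)."""
    if len(resp) < 20 or not 20 <= struct.unpack("!H", resp[2:4])[0] <= len(resp):
        return False
    resp = resp[:struct.unpack("!H", resp[2:4])[0]]  # octets past Length are padding
    return hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest() == resp[4:20]

def probe(server, port, secret, user, passcode, timeout=5.0):
    authenticator = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(1, user, passcode, secret, authenticator), (server, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            # RFC 2865 4.1: unknown clients are silently discarded, so a timeout means firewall/port or client registration, not the passcode
            return "timeout"
    if not verify_response(resp, authenticator, secret):
        return "bad-authenticator"  # shared-secret mismatch, or the reply is not from the server
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
            ACCESS_CHALLENGE: "Access-Challenge"}.get(resp[0], "code-%d" % resp[0])
```

Run it from the ACS host (or another host registered as a client on the RSA side) with a test token, e.g. `probe("10.0.0.5", 1812, b"sharedsecret", "testuser", "PIN+tokencode")` with assumed values; the same attempt should then appear in the RSA Authentication Activity Monitor, which confirms both directions of the path.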
I've created another support forum case for my issue. Could you assist me there? After all, this case here belongs to rudy faber :-)