ACS 4.0 and RSA Token Server problem

Answered Question

Hi,

We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.

Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.

I have installed the RSA Agent on the same server as the ACS (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for the password.

When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.

After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.

Any help or advice appreciated.

Thanks

Correct Answer
darpotter Fri, 08/17/2007 - 06:08

no no no no! NEVER use RSA with WIFI + PAP.

The token + pin can be sniffed and are good for 60 seconds... over Wifi thats disastrous.

darpotter Fri, 08/17/2007 - 06:04

Hi

This is because LEAP requires MSCHAP which in turn requires access to either the plain text password or a hash of it. So you can see how this would be hard to do with RSA.

To use RSA with WLAN you need to look at EAP-PEAP/FAST where the RSA token can be carried inside in the encrypted tunnel.

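The two flows darpotter contrasts, as an added example written for this page (it is not Cisco, RSA or the poster's code): a MS-CHAP style challenge/response, which the RADIUS server can only verify when it holds the user's static password hash, and a PAP style flow carrying PIN + token code, which a one-time-token backend can validate but which is replayable by anyone who captured it until the code expires. The model is deliberately simplified: RFC 6238 TOTP with a 60 s step stands in for the SecurID token algorithm, SHA-256 stands in for the NT hash and an HMAC for the DES-based MS-CHAPv2 response, and the user name, PIN, seed and challenge are constructed values.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = int(now) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticPasswordDB:
    """Models the ACS internal database: one stored password hash per user.
    SHA-256 stands in for the NT hash that MS-CHAP actually uses."""

    def __init__(self):
        self._hash = {}

    def add_user(self, user, password):
        self._hash[user] = hashlib.sha256(password.encode()).digest()

    def verify_response(self, user, challenge, response):
        # The expected response can be rebuilt only because the server
        # holds the (hashed) static password.
        h = self._hash.get(user)
        if h is None:
            return False
        expected = hmac.new(h, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def supplicant_response(password, challenge):
    """What the wireless client computes in a MS-CHAP style exchange."""
    h = hashlib.sha256(password.encode()).digest()
    return hmac.new(h, challenge, hashlib.sha256).digest()


class TokenServer:
    """Models the RSA side: seeds and PINs never leave it, and the only
    question an agent can ask is 'is this passcode valid right now?'."""
    STEP = 60  # token code validity window in seconds

    def __init__(self):
        self._seed, self._pin, self._accepted = {}, {}, set()

    def enroll(self, user, seed, pin):
        self._seed[user], self._pin[user] = seed, pin

    def validate(self, user, passcode, now, reject_reuse=True):
        if user not in self._seed or not passcode.startswith(self._pin[user]):
            return False
        code = passcode[len(self._pin[user]):]
        step = int(now) // self.STEP
        for s in (step, step - 1):  # tolerate one step of clock drift
            if hmac.compare_digest(code, totp(self._seed[user], s * self.STEP, self.STEP)):
                if reject_reuse and (user, s) in self._accepted:
                    return False  # same code presented twice: a replay
                self._accepted.add((user, s))
                return True
        return False


def radius_mschap_auth(backend, user, challenge, response):
    """LEAP/MS-CHAP on the RADIUS server needs a stored password or hash.
    Returns (accepted, reason)."""
    if not isinstance(backend, StaticPasswordDB):
        # A token server exposes no secret to derive the expected response
        # from, so the attempt can only be reported as a backend failure.
        return False, "External DB password invalid"
    return backend.verify_response(user, challenge, response), "ok"


def radius_pap_auth(backend, user, passcode, now, reject_reuse=True):
    """PAP (for example inside a PEAP/EAP-GTC tunnel): the passcode itself
    reaches the server, so a token backend can validate it."""
    return backend.validate(user, passcode, now, reject_reuse)


def scenario(now=1_700_000_000):
    """Run the cases discussed in the thread; returns a dict of outcomes."""
    seed = b"12345678901234567890"   # constructed demo seed, not a real token
    challenge = b"\x01" * 16         # constructed fixed challenge
    tokens = TokenServer()
    tokens.enroll("alice", seed, pin="4821")
    static = StaticPasswordDB()
    static.add_user("alice", "StaticPw!")
    passcode = "4821" + totp(seed, now, TokenServer.STEP)  # what the user types

    r = {}
    # 1. LEAP against the ACS internal DB works: the server has the hash.
    resp = supplicant_response("StaticPw!", challenge)
    r["leap_static"] = radius_mschap_auth(static, "alice", challenge, resp)[0]
    # 2. LEAP against the token backend cannot work: nothing to verify against.
    resp = supplicant_response(passcode, challenge)
    r["leap_token"] = radius_mschap_auth(tokens, "alice", challenge, resp)[0]
    # 3. PAP carrying the passcode works, but a sniffed copy replays within the window.
    r["pap_token"] = radius_pap_auth(tokens, "alice", passcode, now, reject_reuse=False)
    r["replay_in_window"] = radius_pap_auth(tokens, "alice", passcode, now + 20, reject_reuse=False)
    r["replay_after_window"] = radius_pap_auth(tokens, "alice", passcode, now + 130, reject_reuse=False)
    # 4. A server that refuses to accept the same code twice stops the replay.
    strict = TokenServer()
    strict.enroll("alice", seed, pin="4821")
    r["strict_first_use"] = radius_pap_auth(strict, "alice", passcode, now)
    r["strict_replay"] = radius_pap_auth(strict, "alice", passcode, now + 20)
    return r
```

Note what the model shows and what it does not: reuse rejection only helps once the legitimate user has already used the code; an attacker who replays a sniffed passcode before the victim's own attempt completes still gets in, which is why the passcode must travel inside a TLS tunnel (PEAP or EAP-FAST) rather than in the clear over the air.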