Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
5
Helpful
5
Replies

ACS 4.0 and RSA Token Server problem

Go to solution
john.dowson
Level 1
Level 1

‎08-17-2007 05:01 AM - edited ‎03-10-2019 03:20 PM

Hi,

We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.

Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.

I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.

When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.

After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.

Any help or advice appreciated.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
darpotter
Level 5
Level 5
In response to Jagdeep Gambhir

‎08-17-2007 06:08 AM

no no no no! NEVER use RSA with WIFI + PAP.

The token + pin can be sniffed and are good for 60 seconds... over Wifi thats disastrous.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎08-17-2007 05:47 AM

Hi,

The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.

Following link talks about the same.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733

Regards,

~JG

0 Helpful

Go to solution
darpotter
Level 5
Level 5
In response to Jagdeep Gambhir

‎08-17-2007 06:08 AM

no no no no! NEVER use RSA with WIFI + PAP.

The token + pin can be sniffed and are good for 60 seconds... over Wifi thats disastrous.

0 Helpful

Go to solution
darpotter
Level 5
Level 5

‎08-17-2007 06:04 AM

Hi

This is because LEAP requires MSCHAP which in turn requires access to either the plain text password or a hash of it. So you can see how this would be hard to do with RSA.

To use RSA with WLAN you need to look at EAP-PEAP/FAST where the RSA token can be carried inside in the encrypted tunnel.

Go to solution
john.dowson
Level 1
Level 1
In response to darpotter

‎08-17-2007 06:10 AM

Ahhh... Thank you! I will give EAP-PEAP/FAST a try.

0 Helpful

Go to solution
darpotter
Level 5
Level 5

‎08-17-2007 06:06 AM

oops... double hit the return key!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents