VPN, PIX,TACACS and RSA

Unanswered Question
Oct 8th, 2007

Hi, currently our cisco vpn connections to our pix are authenticated by our TACACS server. I am trying to implement RSA secure ID by using the ACS as an agent. This part works fine, when I did a test authencation with rsa it asked to me create a pin. I am now able to authenticate via vpn with my ACS username and pin/token in the password box. However I dont know how to roll this out to users as I was expecting the cisco vpn client to ask any new users to create a pin, or to have a pin box ? Any ideas will be very appreciated.

many thanks

nicky

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
darpotter Mon, 10/08/2007 - 03:46

Sorry, Im confused - you said in your test the vpn client asked you to enter a new pin via TACACS?

Isnt that what you want?

nickyh_is Mon, 10/08/2007 - 04:36

sorry, the test was done with the 'authentication test' facility in the rsa authentication agent that I have installed on the TACACS server.

Jagdeep Gambhir Mon, 10/08/2007 - 05:37

It seems that the new PIN mode is not working and users are not able to authenticate.

I have found a bug relating to the issue. Bug ID :CSCsd41866

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd41866&Subm

it=Search

Patch can be downloaded from, http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

File name : ACS-4.0.1-RSA-SW-CSCsc12614-CSCsd41866.zip

ACS-4.0.1-RSA-SW-CSCsc12614-CSCsd41866.txt

Regards,

~JG

Please rate helpful posts

nickyh_is Tue, 10/09/2007 - 00:15

Thank you for your reply, I have installed the patch but unfortunatly I still cannot get the vpn client to ask me to enter a pin :-(

kevin.jones1 Tue, 10/09/2007 - 10:10

I've done quite a bit of Cisco ACS 4.1 and

RSA Securid version 6.2. I think I can help

you with this:

1) install Win2k3 Enterprise Edition with

service pack 2 on a dedicate machine or

vmware if you like,

2) run dcpromo to promote the box to be Active

Directory server if you want integration with

LDAP,

3) install RSA SecurID version 6.2 on the

same server in step 2,

4) install Cisco ACS 4.1 on the same server

listed in step 3,

5) http://127.0.0.1:2002 to log into the ACS

6) create an agent host for the Cisco ACS

and generate the sdconf.rec file. Place

this file under \windows\system32 directory,

7) Under the External database, you should see

something like unknown policy. database

group mapping, you should be asked if the

user is not found, what you should do. At

this point, configure it for RSA SecurID.

Keep clicking, you will see something about

dll file stuffs, it means your SecurID

is properly configured.

8) under the user group, rename group1 to

RSA SecurID.

9) Go back to External database section,

in there you will be able to map SecurID group

in step 8 to RSA SecurID. Remember that this

is dynamic mapping. In other words, these

users are dynamic created.

10) go through the process of creating network

devices, make sure you have the right ip

addresses of the network device, pre-share

key, etc...

11) restart Cisco ACS services.

Here is an example:

[[email protected] root]# telnet 192.168.0.5

Trying 192.168.0.5...

Connected to 192.168.0.5 (192.168.0.5).

Escape character is '^]'.

User Access Verification

Username: test3

Password:

Do you want to enter your own pin? (y or n) [n]

Enter your new Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:

Reenter PIN:

C2960>

Now go back to the ACS and click on the

users tab, you will see test3 as a

"dynamic" user.

One thing to be aware of. I do not believe

Pix 6.x code is capable of changing

the RSA PIN from the vpn client. Pix 7.x

code is definitely capable of doing that.

Same thing with the VPN concentrator.

Version 4.7.x will let you do that from

the VPN client.

It looks to me that you've configured the RSA

and the ACS correctly. it is a matter of

using the right software on the

Pix and VPN concentrator.

Good luck

Kevin- CIE Security

nickyh_is Wed, 10/10/2007 - 02:17

Thanks very much for the reply. I will try following your steps. Howvever, I have now configuring my pix vpn to authenticate directly to the rsa server instead of tacacs

aaa-server testrsa-native protocol sdi

reactivation-mode timed

aaa-server testrsa-native host 172.16.17.10

retry-interval 3

timeout 13

Now the vpn client asks for username and passcode (with acs it asked for password) I enter my token code but I still dont get the box asking me to create the pin ? It just fials and the rsa log shows 2 messages, passcode accepted, new pin required. Then ACCSS denied, new pin deffered. Am I missing something ? I have pix712 and vpn4.8 ?

thanks again for your help

darpotter Wed, 10/10/2007 - 03:55

Could it be the VPN client isnt capable of handling the challenge/response correctly? ie its a username+password fire once only client?

A simple test, if you can get an ascii terminal login to the PIX (or any IOS device) authenticated by RSA via ACS that includes new pin mode - then everything on the ACS/RSA side must be working.

You could even try the ACS "tactest" program to mimick the IOS device. This lives in the bin folder and you need to add a T+ nas to ACS with the local ip address. You then run

tactest -H 127.0.0.1 -k secret

TACACS>

Commands available:

authen action type service port remote [user]

action

type

service

author arg1=value1 arg2=value2 ...

acct arg1=value1 arg2=value2 ...

TACACS> authen login ascii login tty0

Username: rsausername

Password: pin+token

Authentication succeeded :

TACACS>

In your case there would also be the new pin exchange tagged on the end.

nickyh_is Wed, 10/10/2007 - 06:08

good news is, the tactest worked exactly as it should with the new pin prompt. Thanks for that.

not sure what to do now, my telnet to my pix is also not displaying the correct prompt. Just username and password (the password works once I have created a passcode)

Many thanks

nickyh_is Wed, 10/10/2007 - 08:29

I have just upgraded my testpix to 722 and looks like this has resolved the issue. I did a telnet and got the pin prompt, yehh!! cant test the vpn yet though as this is on a live pix which i cant upgrade.

thanks for your help with this

nicky

Actions

This Discussion