Cisco ACS with RSA SecurID Problem

Unanswered Question
Nov 22nd, 2007
I want to implement Cisco Secure Access Control System in a network environment that uses RSA SecurID. I want to install Cisco ACS 4.1. I found documentation on how to connect external databases with RSA Authentication Manager on the RSA support web site. So, considering the fact that there is no problem communicating between Cisco ACS and RSA, I really have no idea what to configure on the clients. The clients will be user-based authenticated to the ACS using a wired 802.1x solution, connecting to Cisco switches; it will pass to ACS, then to RSA Auth Manager, and then access the network services (DHCP IP assignment, etc.). The whole process must be transparent to the client. What should I do? Please help...

Richard Atkin Thu, 11/22/2007 - 13:09
Based on your description, I think you're talking about PEAP-GTC (aka PEAP v2).

Windows has no native support for OTP (One-Time Passwords; aka GTC = Generic Token Cards), so you'll need to install a supplicant program that is able to perform this function. In the past I've used things like Odyssey (spelling?), but there are lots of clients that will provide OTP support for you.

Obviously the amount of transparency you get from using OTP is much reduced - the user will need to enter the OTP at logon, in addition to their username & password.

On the WLC, it is important that you enable "Credential Caching" under the 'Security' tab. If you don't, the user will be required to enter the OTP every time they roam, which is never a good thing!

The alternative to PEAP-GTC is EAP-TLS, which is supported by Windows, but instead of using an OTP key fob, you issue users with smart cards. The smart card is protected by a PIN and contains a user certificate, thus giving you the same levels of 'something you have + something you know' security, without the need for purchasing & supporting 3rd party software. The downside is that you really need to run your own CA, which many people don't / can't do.

If you're really paranoid, you should also allow Machine Authentication and enforce Machine Access Restrictions. This means that even if somebody does work out all of the settings needed for the WLAN, plus they get a smart card & PIN, they still can't get their own laptop on to the network because the machine itself is also required to authenticate itself.

I hope that helps; any more questions / information, please post and I'm sure somebody will help you out.

Rgds,

Richard
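As an added example (not part of the original thread, and not Richard's or Cisco's own documentation), this is the switch side of the wired 802.1X setup the question describes: a Cisco IOS access switch acting as the 802.1X authenticator, with ACS as its RADIUS server. The ACS address 192.0.2.10 and the shared secret are placeholders, and the VLAN number and interface name are assumptions. The EAP method itself (PEAP-GTC carrying the SecurID token code, or EAP-TLS with a smart card) is negotiated between the supplicant and ACS, and ACS in turn hands the token code to RSA Authentication Manager; the switch only relays EAP inside RADIUS, so this configuration is the same for either method.

```text
! Cisco IOS access switch: wired 802.1X authenticator with ACS as RADIUS server.
! Added example, not from the original thread. The server address, shared
! secret, VLAN and interface are placeholders/assumptions for illustration.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ACS 4.1 is the RADIUS server. The switch must also be defined in ACS as an
! AAA client (RADIUS IETF or Cisco IOS/PIX) using the same shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
radius-server dead-criteria time 10 tries 3
!
! Enable 802.1X globally, then per access port.
dot1x system-auth-control
!
interface GigabitEthernet0/1
 description 802.1X user port
 switchport mode access
 switchport access vlan 10
 ! Port forwards no traffic (including DHCP) until ACS returns Access-Accept.
 dot1x port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two things worth knowing when reading this against the thread: because the port stays closed until authentication succeeds, the DHCP step the question mentions only happens after ACS (and therefore RSA) has accepted the user, which is why the "transparent to the client" requirement is really a supplicant question, as Richard explains. On newer IOS releases the per-port command is spelled `authentication port-control auto` instead of `dot1x port-control auto`; `show dot1x interface GigabitEthernet0/1 details` shows the current port state and the authenticated identity on either syntax.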
