Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
1
Replies

Cicso ACS with RSA SecureId Problem

stzil
Level 1
Level 1

‎11-22-2007 11:37 AM - edited ‎07-03-2021 02:59 PM

I want to implement cisco secure access control system in a network environment that uses RSA secure id. i want to install cisco acs 4.1 .I found documentation how to connect external databases with rsa authentication manager in the rsa support web site . So considering the fact that there is no problem communicating between cisco acs and rsa , i realy have no idea what to configure on the clients. The Clients will be user based authenticated to the acs with the usability of a wired 802.1x solution , connecting to cisco switches , it will pass to acs , then to rsa auth manager , and then access the network services (dchp ip assignment , etc) The whole process must be transparent to the client . what should i do please help...

Labels:
0 Helpful
1 Reply 1

Richard Atkin
Level 4
Level 4

‎11-22-2007 01:09 PM

Based on your description, I think you're talking about PEAP-GTC (aka PEAP v2).

Windows has no native support for OTP (One-Time Passwords; aka GTC = Generic Token Cards), so you'll need to install a supplicant program that is able to perform this function. In the past I've used things like Oddysey (spelling?) but there are lots of clients that will provide OTP support for you.

Obviously the amount of transparency you get from using OTP is much reduced - the user will need to enter the OTP at logon, in addition to their username & password.

On the WLC, it is important that you enable "Credential Caching" under the 'Security' tab. If you don't, the user will be required to enter the OTP every time they roam, which is never a good thing!

The alternative to PEAP-GTC is EAP-TLS, which is supported by windows, but instead of using an OTP key fob, you issue users with smart cards. The smart card is protected by a PIN, and contains a user-certificate, thus giving you the same levels of 'something you have + something you know' security, without the need for purchasing & supporting 3rd party software. The downside is that you really need to run your own CA, which many people don't / can't do.

If you're really paranoid, you should also allow Machine Authentication, and enforce Machine Access Restrictions. This means that even if somebody does work out all of the settings needed for the WLAN, plus they get a smart card & PIN, they still can't get their own laptop on to the network because the machine it's self is also required to authenticate its self.

I hope that helps, any more questions / information, please post and I'm sure somebody will help you out.

Rgds,

Richard

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card