PIX-535 RSA Secure ID config question

May 19th, 2008

I am trying to configure my PIX-535 to prompt for RSA Secure ID authentication.


So when somebody tries to get to a particular website, the PIX-535 will put up a SecurID page and forward the response to our RSA SecurID server.


Any help?

smahbub Fri, 05/23/2008 - 07:01


Sean,


I am not sure how you would do it for RSA, but to authenticate an HTTP/HTTPS request from inside out:


access-list HTTP_authentication line 1 extended permit tcp x.x.x.x y.y.y.y 0.0.0.0 0.0.0.0 eq http


aaa authentication match HTTP_authentication Lan-2-Lan LOCAL

(LOCAL uses the local uid/pwd database in the ASA; or you could have a set of authentication servers that you would name here.)


The issue I see with trying RSA is how the browser would send the information back to the ASA and then forward it on to the SecurID server.


I do know that you can use "Challenge/Response Authentication - CRACK" for remote VPN connections; I don't think you can use this for http auth.


HTH.

cisco24x7 Fri, 05/23/2008 - 10:44

Here is a typical scenario:

1- Install Cisco ACS on a server,
2- Install RSA SecurID on another server,
3- create an agent host on the RSA SecurID Server for the Cisco ACS server. Generate the sdconf.rec file for the Cisco ACS server,
4- copy the sdconf.rec file over to the Cisco ACS server in the C:\Windows\System32 directory,
5- Install RSA Agent software on the Cisco ACS server,
6- create an account on the RSA SecurID Server,
7- setup Cisco ACS to forward authentication requests to the RSA SecurID server,
8- setup the ASA like what Andrew described,
9- now from the client machine, browse to http://www.cisco.com. You will get prompted for authentication.

That's pretty much it.
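As an added, illustrative configuration that neither poster wrote, here is how the pieces from both replies fit together on a PIX/ASA running 7.x-style code: the firewall's cut-through proxy challenges web traffic and hands the credentials to Cisco ACS over RADIUS, and ACS relays them to the RSA SecurID server as described in the steps above. The server group name ACS_RADIUS, the ACS address 192.0.2.10, the inside subnet 10.1.1.0/24 and the shared secret are all assumed placeholders:

```cisco
! Constructed example, not from the original thread.
! AAA server group pointing at the Cisco ACS host (RADIUS); ACS does the RSA forwarding.
aaa-server ACS_RADIUS protocol radius
aaa-server ACS_RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 10
!
! Only web traffic from the inside subnet is challenged; everything else passes unauthenticated.
access-list HTTP_authentication extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list HTTP_authentication extended permit tcp 10.1.1.0 255.255.255.0 any eq https
!
! Cut-through proxy: sessions matching the ACL must authenticate against the ACS_RADIUS group
! (replaces LOCAL from the earlier reply).
aaa authentication match HTTP_authentication inside ACS_RADIUS
!
! Serve the firewall's own login page instead of injecting a basic-auth prompt into the
! intercepted connection; the HTTPS listener avoids a certificate mismatch on the first site.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
!
! Bound how long an authenticated user stays cached before being re-challenged.
timeout uauth 0:30:00 absolute
```

The user types their SecurID PIN followed by the current tokencode into the password field of the login page, and ACS passes it through to RSA in a single RADIUS Access-Request. As the first reply already notes, the HTTP cut-through prompt has no way to carry a multi-step challenge/response exchange, so token states that require a second prompt (next tokencode, new PIN) have to be cleared on the RSA side or through a VPN client that supports CRACK, not through this web login.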


