Serious security issue with ACS 3.3 and RSA ACE Token Server

markus.ridder
Level 1

Hi all,

we have a serious security issue with an ACS 3.3 server on Windows running in front of an RSA ACE/Token Server 6.0. We use this setup to authenticate VPN users coming in over ASAs and VPN-3000 concentrators.

After running some time the ACS stops authenticating users. But the authentication does not fail; instead the ACS allows any user to connect successfully. We traced the communication between the ACS and the RSA ACE and found that the ACS does not talk to the RSA server anymore, but nevertheless allows the users to connect. What's even worse - the user can supply any token code - valid or not!

In summary, the ACS allows any user to successfully connect with invalid token codes.

After stopping and restarting the services on the ACS everything works normally.

Any help is appreciated since this is a serious issue for us.

Kind regards

Markus

8 Replies

darpotter
Level 5

Do you have token caching enabled in ACS?

Darran,

thanks for your reply.

But no, we do not use token caching.

- Markus

Strange... what is the complete version of ACS, and on which operating system and SP is it installed?

Regards,

~JG

JG,

the ACS is V3.3(2) build 2 and it is running on a Windows 2000 Server with Service Pack 4.

RSA server version is 6.0 running on Solaris.

Thanks for your effort

- Markus

Markus,

RSA version 6.0 is not tested with ACS 3.3.2.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/device/table/app33sdt.html#wp21145

I would suggest you upgrade it to 3.3.4.

Regards,

~JG

JG,

thanks again. I have seen that, but did not pay too much attention, since the setup was working. Nevertheless I appreciate your hint and we will go that road. Do you know how I can get hold of a 3.3.4 ACS for Windows?

Thanks again

- Markus

Markus,

ACS software is not listed on CCO. You need to open a TAC case to get it.

Regards,

~JG

Do rate helpful posts

I have the same exact issue as described by Markus, but my RSA SecurID is version 5.1. I am using the same ACS version as Markus on Windows 2000 with Service Pack 4. Stopping/starting the Cisco ACS services did not resolve the issue. To fix this, I have to reboot the Win2k box every 48 hours.

I am thinking that it may be a bug in this version of ACS.
