06-19-2008 02:10 AM - edited 03-10-2019 03:55 PM
Hi all,
we have a serious security issue with an ACS 3.3 server on Windows running in front of an RSA ACE/Token Server 6.0. We use this setup to authenticate VPN users coming in over ASAs and VPN-3000 concentrators.
After running for some time the ACS stops authenticating users. But the authentication does not fail; instead the ACS allows any user to connect successfully. We traced the communication between the ACS and the RSA ACE and found that the ACS does not talk to the RSA server anymore, but nevertheless allows the users to connect. What's even worse, the user can supply any token code, valid or not!
In summary, the ACS allows any user to successfully connect with invalid token codes.
After stopping and restarting the services on the ACS everything works normally.
Any help is appreciated since this is a serious issue for us.
Kind regards
Markus
06-19-2008 05:08 AM
Do you have token caching enabled in ACS?
06-19-2008 05:33 AM
Darran,
thanks for your reply.
But no, we do not use token caching.
- Markus
06-19-2008 06:23 AM
Strange... what is the complete version of ACS, and on which operating system and SP is it installed?
Regards,
~JG
06-19-2008 06:38 AM
JG,
the ACS is V3.3(2) build 2 and it is running on a Windows 2000 Server with Service Pack 4.
RSA server version is 6.0 running on Solaris.
Thanks for your effort
- Markus
06-19-2008 07:19 AM
Markus,
RSA version 6.0 is not tested with ACS 3.3.2.
I would suggest you upgrade it to 3.3.4.
Regards,
~JG
06-20-2008 01:05 AM
JG,
thanks again. I have seen that, but did not pay too much attention, since the setup was working. Nevertheless I appreciate your hint and we will go that road. Do you know how I can get hold of a 3.3.4 ACS for Windows?
Thanks again
- Markus
06-20-2008 06:08 AM
Markus,
ACS software is not listed on CCO. You need to open a TAC case to get it.
Regards,
~JG
Do rate helpful posts
06-20-2008 07:32 AM
I have the exact same issue as described by Markus, but my RSA SecurID is version 5.1. I am using the same ACS version as Markus on Windows 2000 with Service Pack 4. Stopping and starting the Cisco ACS services did not resolve the issue. To fix this, I have to reboot the Win2k box every 48 hours.
I am thinking that it may be a bug in this version of ACS.