08-22-2008 11:56 AM - edited 03-10-2019 04:03 PM
IOS version c3640-jk9o3s-mz.123-8.T11.bin.
I am using Cisco ACS 4.1 and RSA SecurID version 6.1 integration. I use tacacs
for managing a Cisco 3640 router:
This is my configuration:
C3640#sh run | i aaa
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
C3640#sh run | i tacacs-server host
tacacs-server host 192.168.3.10 key 123456
C3640#sh run | b line vty
line vty 0 4
exec-timeout 0 0
logging synchronous
login authentication VTY
line vty 5 15
exec-timeout 0 0
logging synchronous
login authentication VTY
!
!
end
C3640#
C3640#test aaa group tacacs+ cciesec cciesec new-code
Trying to authenticate with Servergroup tacacs+
Sending password
User successfully authenticated
C3640#
Here is my question:
1- Does Cisco IOS support new-pin mode? Let's say I assign user "cciesec" the initial PIN of 0123 and user "cciesec",
after he logs into the router, has to change his PIN. Somehow, it is not working on this router:
[Expert@labgw]# telnet 192.168.15.248
Trying 192.168.15.248...
Connected to 192.168.15.248.
Escape character is '^]'.
User Access Verification
Username: cciesec
Password:
Do you want to enter your own pin? (y or n) [n]
Enter your new Alpha-Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
User Access Verification
Username:
In other words, it is NOT working.
2- Does Pix/ASA version 8.x support new-pin mode?
Thanks in advance
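As an added example (not part of this thread and not Cisco or RSA code), the script below lints the AAA portion of the configuration quoted above the way an auditor would before touching the new-pin question: it parses the `aaa authentication login` method lists and the `line vty` blocks, then reports lists that contain `none`, a `local` fallback with no `username` entries behind it, a cleartext `tacacs-server` key, missing privileged-command accounting, and `exec-timeout 0 0`. The sample configuration is constructed from the post (re-assembled with the one-space indentation IOS normally prints for line sub-commands, which the forum stripped); the finding wording, function names and the assumption that an obfuscated key always appears as `key 7 <hash>` are mine.

```python
"""Added example: lint the AAA-relevant part of an IOS 'show run' for the
weak spots an auditor checks first (unauthenticated method lists, cleartext
TACACS+ keys, dangling 'local' fallback, missing command accounting)."""
import re
from typing import Dict, List

# Constructed sample: the thread's configuration re-assembled as one
# 'show run' excerpt with IOS's usual one-space indentation of line
# sub-commands. Not captured from a live device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host 192.168.3.10 key 123456
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 login authentication VTY
!
end
"""


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login' list name to its ordered methods.
    'group <name>' is kept as one method so 'group tacacs+' stays intact."""
    lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:
                tok += " " + tokens.pop(0)
            methods.append(tok)
        lists[m.group(1)] = methods
    return lists


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' block (e.g. 'vty 0 4') to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented command ends the block
    return blocks


def audit(config: str) -> List[str]:
    """Return one human-readable finding per weakness found; empty if clean."""
    findings: List[str] = []
    lists, lines = parse_login_lists(config), parse_lines(config)
    applied_lists = set()
    for name, cmds in lines.items():
        applied = "default"
        for c in cmds:
            if c.startswith("login authentication "):
                applied = c.split()[2]
        applied_lists.add(applied)
        if applied != "default" and applied not in lists:
            findings.append(f"line {name}: references undefined login list '{applied}'")
        elif "none" in lists.get(applied, []):
            findings.append(f"line {name}: list '{applied}' contains 'none', so login "
                            "succeeds without credentials once earlier methods fail")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"line {name}: 'exec-timeout 0 0' disables the idle timeout")
    has_usernames = re.search(r"^username \S+", config, re.M) is not None
    for name, methods in lists.items():
        if "none" in methods and name not in applied_lists:
            findings.append(f"unused list '{name}' contains 'none'; delete it so it "
                            "cannot be applied to a line by mistake")
        if "local" in methods and not has_usernames:
            findings.append(f"list '{name}' falls back to 'local' but no 'username' "
                            "entries exist, so the fallback cannot authenticate anyone")
    for m in re.finditer(r"^tacacs-server host (\S+) key (\S+)(?: (\S+))?$", config, re.M):
        # Assumption: 'key 7 <hash>' is the obfuscated form; 'key <text>' or
        # 'key 0 <text>' means the shared secret sits in the config in cleartext.
        key_type = m.group(2) if m.group(3) else "0"
        if key_type != "7":
            findings.append(f"tacacs-server {m.group(1)}: shared key stored in cleartext")
    if not re.search(r"^aaa accounting commands 15 ", config, re.M):
        findings.append("no 'aaa accounting commands 15': privileged commands are not logged")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports five findings: the idle timeout on both vty ranges, the unused `notac none` list, the `VTY` list's `local` fallback with no local users behind it, and the cleartext TACACS+ key. Because the `| i aaa` filter in the post hides any `username` lines, the `local` finding is worth re-checking against the full running-config before acting on it.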
08-22-2008 12:21 PM
Hi,
New pin mode is not supported if you are using the RSA native protocol.
Use the Radius protocol on the RSA Authentication Manager for features like New pin , next token mode etc.
08-23-2008 07:17 AM
"New pin mode is not supported if you are using the RSA native protocol."
I am very aware of this.
"Use the Radius protocol on the RSA Authentication Manager for features like New pin , next token mode etc."
I am also very aware of this too.
However, I do not want to use radius on the RSA Authentication Manager. I want to use tacacs+ in the ACS but off-load the authentication database piece to RSA. I want to use tacacs because I want to have separations between Authentication and Authorization, which is not possible with radius.
From the router's perspective, it does not know anything about RSA, it only knows ACS. Are you saying that even though ACS passes the credentials to RSA, it is still RSA native protocol? i.e. udp port 5500?
Thanks.
06-22-2014 07:07 PM
Hello friends!
Please, allow me to resurrect this old post.
I currently have a TACACS+ server for authenticating access for managing network devices, and my IT manager asked me to add two-factor authentication. Do the functions of authentication and authorization work well even if I integrate RSA with the TACACS+?
Regards!