Cisco ACS and RSA SecurID and Cisco 3640 IOS version 12.3(8)T11

cisco24x7 · ‎08-22-2008

IOS version c3640-jk9o3s-mz.123-8.T11.bin.

I am using Cisco ACS 4.1 and RSA SecurID version 6.1 integration. I use tacacs

for managing a Cisco 3640 router:

This is my configuration:

C3640#sh run | i aaa

aaa new-model

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

C3640#sh run | i tacacs-server host

tacacs-server host 192.168.3.10 key 123456

C3640#sh run | b line vty

line vty 0 4

exec-timeout 0 0

logging synchronous

login authentication VTY

line vty 5 15

exec-timeout 0 0

logging synchronous

login authentication VTY

!

end

C3640#

C3640#test aaa group tacacs+ cciesec cciesec new-code

Trying to authenticate with Servergroup tacacs+

Sending password

User successfully authenticated

C3640#

Here is my question:

1- Does Cisco IOS support new-pin mode? Let say I assign user "cciesec" the initial PIN of 0123 and user "cciesec",

after he logs into the router, he has to change his PIN. Some how, it is not working on this router:

[Expert@labgw]# telnet 192.168.15.248

Trying 192.168.15.248...

Connected to 192.168.15.248.

Escape character is '^]'.

User Access Verification

Username: cciesec

Password:

Do you want to enter your own pin? (y or n) [n]

Enter your new Alpha-Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:

User Access Verification

Username:

In other words, it is NOT working.

2- Does Pix/ASA version 8.x support

new-pin mode?

Thanks in advance

dhananjoy chowdhury · ‎08-22-2008

Hi,

New pin mode is not supported if you are using the RSA native protocol.

Use the Radius protocol on the RSA Authentication Manager for features like New pin , next token mode etc.

cisco24x7 · ‎08-23-2008

"New pin mode is not supported if you are using the RSA native protocol."

I am very aware of this.

"Use the Radius protocol on the RSA Authentication Manager for features like New pin , next token mode etc."

I am also very aware of this too.

However, I do not want to use radius on the

RSA Authentication Manager. I want to use

tacacs+ in the ACS but off-load the

authentication database piece to RSA. I

want to use tacacs because I want to have

separations between Authentication and

Authorization, which is not possible with

radius.

From the router's perspective, it does not

know anything about RSA, it only knows ACS.

Are you saying that even though ACS passes the

credentials to RSA, it is still RSA native

protocol? i.e. udp port 5500?

Thanks.

alexdelangel · ‎06-22-2014

Hello friends!

Please, allow me to resurect this old post.

I currently have a TACACS+ server for authenticating the Access for managing Network Devices, and my IT manager asked me to add a 2 factor authentication. Does the functions of authentication and authorization work good even if I integrate RSA to the TACACS+??

Regards!