ACS 4.2 and RSA SecurID in Next tokencode mode

Jan 13th, 2009

We're using ACS 4.2 for AAA for all of our Cisco devices. The ACS server uses our RSA SecurID server and it works great. Except when the token goes into next tokencode mode. Instead of being prompted for the next tokencode after a successful auth, it prompts for a password change.

Other devices using the SecurID server aren't having this problem, so I'm sure it has to do with the ACS. Has anyone else seen this sort of thing before?

Here's our setup:

ACS 4.2(0) Build 124 Patch 7

RSA Appliance 2.0.2 Auth Manager 6.1.2 (142)

jhillend Tue, 01/13/2009 - 12:23

OK, just noticed you are running patch 7. I need to double check.

cisco24x7 Tue, 01/13/2009 - 12:17

This is a KNOWN issue:

http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You run into something like this right:

[[email protected]]# telnet 192.168.15.248
Trying 192.168.15.248...
Connected to 192.168.15.248.
Escape character is '^]'.

C

ACS Server version 4.2

Username: test1
Password:
Do you want to enter your own pin? (y or n) [n] y

it hangs after that correct?

According to RSA:

Known Issues

1. Force Authentication after New PIN (both System Generated and User Defined), does not function as designed. The user is immediately authenticated after selecting or entering a NEW PIN. Cisco has been notified as this is how Cisco ACS is currently processing NEW PIN requests.

vbroadwater Tue, 01/13/2009 - 12:35

It's actually a little different than that. This is dealing with next tokencode mode, not new PIN mode yet. Here's what it looks like after a successful auth after next tokencode mode is activated:

Server requested password change

Password change request

Current password (blank for previously entered password):

When instead it should be prompting for the next tokencode. It's as if the ACS software doesn't know what next tokencode mode is or something. Doing a test from the RSA Security Center on the ACS server works out correctly.

I should probably note that we were experiencing the same issue with ACS 4.0. I was hoping that the upgrade and patch 7 would help but it hasn't.

cisco24x7 Tue, 01/13/2009 - 13:44

Do you set up the router to use Radius or TACACS?

I don't think next token code or next PIN mode is supported with TACACS.

vbroadwater Wed, 01/14/2009 - 09:54

Our routers and switches use TACACS to the ACS server. If we have to switch to Radius, we've got a looooot of reconfiguring to do...

cisco24x7 Wed, 01/14/2009 - 10:53

If you are using tacacs, you will not be able to do this. This can be done only with radius, to my knowledge.

By the way, say hi to all the ex "Digex" folks for me.
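As an added example that is not part of any post in this thread: the reply above says next tokencode mode only works over RADIUS, because RADIUS carries the prompt as an Access-Challenge that the client must answer with the server's State attribute. The script below models that round trip with a simulated server (not ACS or RSA code); the shared secret, prompt text, tokencodes and State cookie are constructed values.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                       # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def hide_password(secret, authenticator, password):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    p = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_request(secret, ident, authenticator, username, password, state=None):
    # Client side: the tokencode travels as User-Password; caller supplies a fresh authenticator
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, hide_password(secret, authenticator, password))]
    if state is not None:          # echo State so the server can tie the answer to its challenge
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_challenge(secret, request_authenticator, ident, reply_message, state):
    # Simulated server side: Access-Challenge carrying the "next tokencode" prompt and a State cookie
    body = encode_attrs([(REPLY_MESSAGE, reply_message.encode()), (STATE, state)])
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def parse_challenge(secret, request_authenticator, packet):
    # Client side: verify the Response Authenticator before trusting the prompt or State
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_CHALLENGE or length != len(packet):
        raise ValueError("not a well-formed Access-Challenge")
    if not hmac.compare_digest(hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest(), packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs = dict(decode_attrs(packet[20:]))
    return attrs.get(REPLY_MESSAGE, b"").decode(errors="replace"), attrs[STATE]
```

A TACACS+ ASCII login has no equivalent State cookie to carry between the first tokencode and the second, which is the gap the reply above is pointing at.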

vbroadwater Wed, 01/14/2009 - 11:01

I'll do some testing with a switch to see if that does it. It's going to be a lot of no fun if that does it!

Next time I see one, I'll tell them you said hi. :)

vbroadwater Thu, 01/22/2009 - 12:33

Ok, I finally had a chance to test out this theory. The good news (for me) is that there's no change. I'm still getting this prompt when in next tokencode mode instead of a prompt for the next tokencode:

Server requested password change

Password change request

Current password (blank for previously entered password):

That's only good news for me because it looks like I don't have to reconfigure a crazy amount of network gear. The bad news is that we still don't have an idea of why this is happening.
