
ACS using RSA keyfobs issue

a.richardson
Level 1

I have been using the ACS server as a TACACS host on the switch. The ACS server is allowing me to add an Active Directory group to an ACS group, and when you log in you get privilege level 15 but with a restricted command set. You can see who entered what command where in the ACS logs... It is working!

Unfortunately, when I change the authentication type to RSA SecurID, only the first A, Authentication, works. I can't get it to authorize the privilege level 15 or other commands. The only thing I can do is set it back to local enable password, and it would seem I also lose the accounting... In the logs the return request for Authorisation is not accepted by the ACS/RSA.

So the ACS actually acts as a TACACS interim, and passes the requests to the RADIUS for Auth only, so the ACS does the AAA part, with the Authentication element being passed on to the RSA. The issue is that when you do this on Windows it uses the same user/password for login and enable, but when you use a token/keyfob the username/password changes and you don't get the chance to enter it again.

1 Reply

mike.drugov
Level 1

Wait for the key to be changed and proceed with your login.

PS

Make sure that you have the command listed below in your config:

aaa authentication enable console (your Server name) LOCAL
