How to configure ACS 4.2 to delegate authentication to a RADIUS server

Answered Question
Dec 10th, 2009

Hi,

We need to run the following scenario:

Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server


The CAT Authentication Server is a RADIUS server. It can receive RADIUS authentication requests and respond. It is used for TFA OTP strong authentication in a similar way to the RSA OTP tokens.

The question is: how do we configure the ACS 4.2 to delegate the authentication request to another RADIUS server?

Thnx

Correct Answer
tprendergast Thu, 12/10/2009 - 13:24

Add the RSA server as an External Database, configure the user or group profile dropdown for authentication to the new external database rather than ACS Local DB (or Windows DB).

Easy as pie!

Please rate if this is helpful.

arnneispeiser Thu, 12/10/2009 - 14:03

Hi Tim,

Thanks.

Just to be sure: when you add a new External Database, you are defining a RADIUS server? That is the RADIUS server IP and shared secret, right?

Is there a Cisco document that describes the process and/or step-by-step instructions?

I'm asking because I don't have the Cisco installed on our server; it is installed at a customer of ours, and I need to be sure.

You know how customers are...

Many thanks.

arnneispeiser Thu, 12/10/2009 - 14:18

Tim,

One more thing.

Please note that we do not use RSA; we have a RADIUS server, FreeRADIUS for example.

Thanx

Correct Answer
tprendergast Thu, 12/10/2009 - 14:54

You can define any radius server as an external authentication database. Basically, an external database is just a system that can authenticate requests outside of ACS's authority. You just configure it under RADIUS token server, and it will appear in the dropdown under user or group profiles. I've had this work with Microsoft IAS, FreeRADIUS, and RSA SecurID Server.

Cheers,

Tim

rahulpratheek Wed, 02/29/2012 - 00:44

Hi,

I would like to configure the below setup:

End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.

Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External Databases. I have added the AAA client in Network Configuration (selected "Authenticate Using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop-down).

Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally, when you use ACS as the RADIUS server, you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?

I would be really grateful for any help on this.

Thanks and Regards,

Rahul.

arnneispeiser Fri, 12/11/2009 - 08:59

Hi Tim,

We have already tried configuring the RADIUS Token Server External User Database connector, but it didn't work.

Maybe it's because we already have the Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have both connectors at the same time: to Windows AD and to the RADIUS Token Server External User Database (meaning CAT AS)?

Thanks

tprendergast Fri, 12/11/2009 - 10:17

Hi Arnnei,

I have a Windows Connector and an RSA SecurID Connector at the same time and they work fine. Can you please specify what didn't work? You need to be sure to add the ACS server as a RADIUS device on the RADIUS server so it can talk, and make sure RADIUS is open on the firewall between the two devices. Hook up a sniffer (Wireshark, etc.) and see if the packets are going to the RADIUS server. If they are, then the configuration issue is on the RADIUS side. If not, then something is wrong on the ACS side.

You must ensure that a user has been created and has the RADIUS server in the Password Authentication box under the User Setup section.

Please check those things and respond.

Thanks,

Tim
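A small probe that complements the sniffer advice in Tim's reply, added here as an example and not code from the thread or from Cisco: run from the host that should be registered as a client on the external RADIUS server, it sends one PAP Access-Request (RFC 2865) and tells apart the three outcomes a misconfigured ACS-to-RADIUS leg produces (no reply at all, a reply that fails the authenticator check, or a genuine Access-Accept/Reject). It assumes the default port UDP/1812, a constructed NAS-Identifier "acs-probe", and a test account on the RADIUS server.

```python
import hashlib, os, socket, struct

USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def pap_xor(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if decrypt else block), out + block
    return out

def pap_encrypt(password, secret, authenticator):
    return pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def pap_decrypt(cipher, secret, authenticator):  # what the server does; used to self-check
    return pap_xor(cipher, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(username, password, secret, ident=0):
    # returns (packet, request_authenticator); "acs-probe" is a constructed NAS-Identifier
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, pap_encrypt(password, secret, req_auth))
             + attr(NAS_IDENTIFIER, b"acs-probe"))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def response_authenticator(code, ident, attrs, req_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def classify(resp, req_auth, secret):
    # silence is the symptom of a filtered port or an unregistered client, not of a bad password
    if resp is None:
        return "no reply: UDP/1812 filtered or this host is not a registered RADIUS client"
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if resp[4:20] != response_authenticator(code, ident, resp[20:length], req_auth, secret):
        return "reply failed authenticator check: shared secret mismatch or forged reply"
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(code, f"code {code}")

def probe(server, secret, username, password, timeout=3.0):
    # one Access-Request to server:1812, classified as above
    pkt, req_auth = access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(resp, req_auth, secret)
```

A "no reply" result while the sniffer shows the request leaving the host points at the firewall or at a missing client entry on the RADIUS server; a failed authenticator check points at the shared secret.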
