How to configure ACS 4.2 to delegate authentication to a RADIUS server

arnneispeiser (Level 1)

Hi,

We need to run the following scenario:

Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server


The CAT Authentication Server is a RADIUS server. It can receive RADIUS authentication requests and respond. It is used for TFA OTP strong authentication in a similar way to the RSA OTP tokens.

The question is: how do we configure the ACS 4.2 to delegate the authentication request to another RADIUS server?

Thanks

2 Accepted Solutions (both replies by tprendergast, below)

8 Replies

tprendergast (Level 3)

Add the RSA server as an External Database, configure the user or group profile dropdown for authentication to the new external database rather than ACS Local DB (or Windows DB).

Easy as pie!

Please rate if this is helpful.

Hi Tim,

Thanks.

Just to be sure: when you add a new External Database, you are defining a RADIUS server? That's the RADIUS server IP and shared secret, right?

Is there a Cisco document that describes the process and/or step-by-step instructions?

I'm asking because I don't have the Cisco installed on our server; it is installed at a customer of ours, and I need to be sure.

You know how customers are...

Many thanks.

Tim,

One more thing.

Please note that we do not use RSA; we have a RADIUS server like FreeRADIUS, for example.

Thanks

You can define any radius server as an external authentication database. Basically, an external database is just a system that can authenticate requests outside of ACS's authority. You just configure it under RADIUS token server, and it will appear in the dropdown under user or group profiles. I've had this work with Microsoft IAS, FreeRADIUS, and RSA SecurID Server.

Cheers,

Tim

Many thanks !!! much appreciated.

Hi,

I would like to configure the below setup:

End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.

Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added the AAA client in Network configuration (selected "authenticate using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop-down).

Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally, when you use ACS as a RADIUS server, you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?

I would be really grateful for any help on this.

Thanks and Regards,

Rahul.

Hi Tim,

We have already tried configuring RADIUS Token Server External User Database connector, but it didn’t work.

Maybe it's because we already have the Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have both connectors at the same time: to Windows AD and to the RADIUS Token Server External User Database (meaning CAT AS)?

Thanks

Hi Arnnei,

I have a Windows connector and an RSA SecurID connector at the same time, and they work fine. Can you please specify what didn't work? You need to be sure to add the ACS server as a RADIUS device on the RADIUS server so it can talk, and make sure RADIUS is open on the firewall between the two devices. Hook up a sniffer (Wireshark, etc.) and see if the packets are going to the RADIUS server. If they are, then the configuration issue is on the RADIUS side. If not, then something is wrong on the ACS side.

You must ensure that a user has been created and has the RADIUS server in the Password Authentication box under the User Setup section.

Please check those things and respond.

Thanks,

Tim
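To show what is actually on the wire between ACS and the RADIUS token server at the point where Tim suggests sniffing, here is an added Python example; it is not code from this thread, from Cisco or from any RADIUS product. It builds an RFC 2865 Access-Request with the User-Password obfuscation, lets a simulated token server answer it, and verifies the Response Authenticator on the ACS side with the shared secret. The user name, OTP value, packet identifier, secrets and the tiny user table are all constructed for the example. A shared-secret mismatch between the two boxes shows up as an Access-Reject together with a failed authenticator check, which is the case to look for in a capture where the packets do reach the RADIUS server but authentication still fails.

```python
"""Constructed example: RADIUS (RFC 2865) Access-Request/response exchange
between an ACS-like client and a token server, with shared-secret checks."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def decode_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password; chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(payload: bytes) -> dict:
    """Type-length-value walk over the attribute area; rejects bad lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, secret, username, password, authenticator=None):
    """What ACS sends to the external RADIUS token server (client side)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def _response_authenticator(code, ident, attrs, request_authenticator, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    ra = _response_authenticator(code, ident, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + ra + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """ACS side: accept a reply only if its Response Authenticator matches our secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = _response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])


def server_decide(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Token-server side: decode the request with *its* secret, answer Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    presented = decode_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(user_db.get(attrs.get(ATTR_USER_NAME, b""), b"\x00"), presented)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def run_exchange(acs_secret, server_secret, username=b"alice", password=b"otp-482913"):
    """Simulate ACS -> token server -> ACS. Returns (reply code, ACS could verify it).
    The user table stands in for the token server's OTP check (constructed)."""
    user_db = {b"alice": b"otp-482913"}
    req_auth = os.urandom(16)
    request = build_access_request(42, acs_secret, username, password, req_auth)
    response = server_decide(request, server_secret, user_db)
    return response[0], verify_response(response, req_auth, acs_secret)


if __name__ == "__main__":
    print("matching secrets:", run_exchange(b"s3cret", b"s3cret"))   # (2, True)
    print("mismatched secrets:", run_exchange(b"s3cret", b"other"))  # (3, False)
```

Compared against a real capture, the same shape applies: an Access-Request leaving ACS with User-Name and an obfuscated User-Password, and a reply whose Response Authenticator must check out under the secret ACS was configured with. The MD5-based password obfuscation is the only protection RFC 2865 gives the OTP in transit, so the ACS-to-token-server hop belongs on a trusted network segment.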
