Cisco ACS 5.1 and RSA Authentication Manager 6.1

Answered Question
Apr 18th, 2010

Hi All

We recently got a Cisco Secure ACS 1120 and I upgraded the appliance to 5.1 from 5.0 with all your support.

Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I successfully downloaded the config file from the RSA ACE Server and exported it into the ACS 1120.

I also added ACS as a NetOS Agent in the RSA Server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to a name (is it necessary?).

I haven't created any secret key file for communication between ACS and RSA, and the encryption I used is DES.

Now when I log into ACS and search for devices in the Identity Store Sequences I am not able to look for the RSA Token Server.

Kindly let me know what went wrong, where I can correct it, and also please tell me how communication between RSA and ACS happens?

Hoping you guys help me as usual when I am in an emergency...

Sree

jrabinow Sun, 04/18/2010 - 22:37

You need to first create the RSA identity store. Go to

Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers and press Create

You need to import the sdconf.rec file that was created on the RSA server when the ACS was defined.

After the RSA server instance is created it can then be selected as the result in an identity policy and will be accessed for authentication.

vanamsreekanth Sun, 04/18/2010 - 22:41

Hi Rabinow,

I also did it and successfully exported the sdconf.rec file to ACS; even then I am unable to see the External Database in the Identity Sequence.

Sree

Correct Answer
jrabinow Sun, 04/18/2010 - 22:46

Were you successfully able to create the RSA identity server? After you selected the sdconf.rec and pressed Submit, what happened? Did the RSA instance get created OK?

If you go to

Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

vanamsreekanth Sun, 04/18/2010 - 23:21

Hi Rabinow

I am able to see the RSA Secure ID Server in the External User Database, but I am not able to see it in the Identity Sequence...

I am not sure whether these devices are integrated or not. How can I test it?

Sree

jrabinow Sun, 04/18/2010 - 23:35

I think I may see your problem. When you go to the Identity Sequence you see the list of databases that are available for attribute retrieval. RSA is not included in this list since there are no attributes retrieved from RSA.

However, you should see two check boxes under the authentication method list. Password based should be used if, like in this case, you use password based authentication against an identity store. Select the Password based option and you should see the RSA identity store listed in the set of available stores for authentication.

Jonny

vanamsreekanth Mon, 04/19/2010 - 00:55

Hi Jonny

So kind of you. Now I am able to see the RSA database in the Identity Stores.

Can you please let me know how I can use the Password Authentication to be redirected to the RSA Server when I add a user in the ACS database?

Sorry for troubling you. I am new to the GUI feel of ACS 5.1; also let me know any relevant documentation for the stuff.

Thanks

Sree

jrabinow Mon, 04/19/2010 - 01:05

Sree

ACS 5.1 uses a policy/rule based mechanism for processing requests and eventually assigning permissions. For you to successfully use ACS 5.1 it will be important that you have a good handle on how this works. There are some good resources on the Welcome page, including a video.

I am guessing you may still have the default policy settings as defined in system installation. If so, you can select the identity store at one of the following links:

RADIUS:

Access Policies > Access Services > Default Network Access > Identity

>>> Press 'Select', select the RSA database and then 'Save Changes'

TACACS+:

Access Policies > Access Services > Default Device Admin > Identity

>>> Press 'Select', select the RSA database and then 'Save Changes'

Identity Sources are selected as the results of policies in order for ACS to access them when the corresponding rule is matched. Identity Sequences are only used when selected as the result of an identity policy.

Jonny

vanamsreekanth Mon, 04/19/2010 - 01:27

Hey Jonny

Thanks for your Support and Time .

I will carry out a test today and let you know what the result is.

Sree

sreekanth.vanam Mon, 04/26/2010 - 04:35

Hi All

I am again unsuccessful with the test. Can anyone send me the example configurations that should be done on Cisco ACS 5.1 and also in the Cisco RSA Authentication Manager as well, so that I can follow the steps easily?

The questions I have are:

1. Do I need to add the username of the user in the internal user database of ACS and also in RSA to get the authentication success?

2. What should the ACS consider if there is an authentication failure as "User not Found" or "Auth Failure"?

Thanks in Advance.

Sree

This Discussion

Posted April 18, 2010 at 9:16 PM