
acs 5.1 and rsa configuration

marian_15
Level 1

hi!

i'm trying to configure authentication rules, wherein the users would use their ACS 5.1 user accounts to login to devices, and have the enable password be authenticated via RSA.

i'm quite confused as to how to do this configuration in ACS 5.1.

i would like to know if anyone has experienced configuring RSA-based enable password authentication in ACS 5.1?

thanks!

2 Replies

jrabinow
Level 7

I have some ideas as to how to do this configuration. I have not tested this.

Need to make an identity policy condition based on the service type and select either "Internal Users" for login requests and RSA for enable requests. Can do as follows:

1) Create a custom condition based on service type. Go to: "Policy Elements > Session Conditions > Custom". Create a custom condition using the TACACS+ dictionary and the "Service" attribute.

2) Modify your device administration identity policy to use this attribute. For example (if using policies as defined upon system installation), go to Access Policies > Access Services > Default Device Admin > Identity, select rule based table and "Customize" to change the conditions in the table. Select the condition you created in step 1) for inclusion in the policy.

3) Can now create two rules in your identity policy. The first is if Service Type is "Login" to select "Identity Source" of Internal Users. Second for Service Type of Enable to select RSA.

hi jrabinow,

i tried your suggestion and it works fine up to telnet login only... when i get to the enable password authentication, it fails... i tried using both user password and rsa password, but still it won't get authenticated.
