ACS 3.1 TACACS+ VPN3000 SecurID

dfelska
Level 1

Have an interesting problem and was wondering if anyone else has seen the same behavior and knows of a solution...

Environment:

Cisco VPN 3015

Cisco ACS 3.1/Win2K

RSA ACE/5.1 Advanced

SecurID Tokens

Have set the VPN Concentrator to use TACACS+ for all admin function logins. It contacts the Cisco ACS, which in turn sends the request to the RSA server.

We have hit-or-miss authentication success with this setup. Sometimes it works, other times it does not. In all cases, the RSA server reports a successful authentication AND the ACS also reports a successful authentication. The VPN 3015 will either authenticate, or timeout.

The strange part is that as soon as I switch the user being authenticated to use an internal password on the ACS (instead of authenticating against the RSA server), we get 100% authentication success. Have tried various versions of 3015 code and also been from 5.0 to 5.1 in the RSA server.

Anyone seen this or anything similar? Bug? My stupidity?

Thanks

3 Replies

aschiebe
Level 1

Hi !

The problem is the time it takes ACS to get a response from the RSA Server.

If you look in ACS logs (AUTH.log in specific) you'll see when ACS receives the request from the VPN 3K and when it sends back the response.

When authenticating to ACS internal DB, the response time is much shorter and thus 100% authentication success.

My advice is to increase the timeout on the VPN3K if you want to use RSA.

Ami

I have considered this, however, as I had said before, I get 100% success in the logs on the ACS, even when using the RSA as the authentication source. It seems to be related to the communication between the ACS and the VPN3000, but there are really no settings that I am aware of to play with, other than the TACACS timeout settings on the VPN3000, which I have tried adjusting with no success. The only indication of a problem is that the authentication fails on the VPN3000, even though the ACS and the RSA indicate success.

The fact that ACS logs show 100% success all the time just indicates that ACS gets the response from RSA in all cases and transfers the response back to the VPN3K.

The fact that the VPN3K doesn't always get the response (in cases where it indicates timeout), just shows that the VPN3K doesn't wait enough time to get _all_ the responses from ACS, which ACS does send.

Try to match a failed authentication message from the VPN3K to a snippet from the AUTH.log file (taken with full logging) and see if the time it took ACS to process the request (including RSA process) is above what is configured in the VPN3K Tacacs timeout.

Ami
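The check Ami suggests (compare the time ACS took per request against the NAS's TACACS+ timeout) can be scripted. The following is an added example, not code from the thread; the log line layout and timestamps are constructed for the example and are not the real ACS AUTH.log format, so the regex would need adjusting to match a real export.

```python
import re
from datetime import datetime

# Constructed sample of "full logging" lines: a request received from the VPN 3K
# and the matching response sent back, paired by a session id. The layout is an
# assumption for this example, not the real ACS AUTH.log format.
SAMPLE_LOG = """\
2003-04-01 09:15:02.110 sess=101 user=alice src=10.1.1.5 recv TACACS+ authen request
2003-04-01 09:15:03.420 sess=101 user=alice src=10.1.1.5 sent TACACS+ authen PASS (ext db: RSA)
2003-04-01 09:16:10.005 sess=102 user=bob src=10.1.1.5 recv TACACS+ authen request
2003-04-01 09:16:17.900 sess=102 user=bob src=10.1.1.5 sent TACACS+ authen PASS (ext db: RSA)
2003-04-01 09:17:00.000 sess=103 user=carol src=10.1.1.5 recv TACACS+ authen request
2003-04-01 09:17:00.250 sess=103 user=carol src=10.1.1.5 sent TACACS+ authen PASS (internal db)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sess=(?P<sess>\d+) user=(?P<user>\S+) \S+ (?P<dir>recv|sent) "
)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def auth_latencies(log_text):
    """Return {session: (user, seconds between request receipt and response sent)}."""
    pending, result = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, ts = m["sess"], parse_ts(m["ts"])
        if m["dir"] == "recv":
            pending[sess] = (m["user"], ts)
        elif sess in pending:
            user, t0 = pending.pop(sess)
            result[sess] = (user, (ts - t0).total_seconds())
    return result

def likely_timeouts(log_text, nas_timeout_s):
    """Sessions whose ACS-side processing (including the RSA round trip) took
    longer than the NAS's TACACS+ timeout. These are the ones the VPN 3K would
    report as failed even though ACS and RSA both logged a PASS: the reply
    arrives after the NAS has already stopped waiting."""
    return sorted(
        sess for sess, (_, secs) in auth_latencies(log_text).items()
        if secs > nas_timeout_s
    )

if __name__ == "__main__":
    for sess, (user, secs) in auth_latencies(SAMPLE_LOG).items():
        print(f"sess {sess} user {user}: {secs:.3f}s")
    print("would time out at 5s:", likely_timeouts(SAMPLE_LOG, 5))
```

With the constructed data, only the session whose RSA-backed lookup took about 7.9 s exceeds a 5 s timeout, which is the pattern the thread describes: ACS and RSA log success while the concentrator reports a timeout.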