Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 3.1 TACACS+ VPN3000 SecurID

Have an interesting problem and was wondering if anyone else has seen the same behavior and knows of a solution...

Environment:

Cisco VPN 3015

Cisco ACS 3.1/Win2K

RSA ACE/5.1 Advanced

SecurID Tokens

Have set the VPN Concentrator to use TACACS+ for all admin function logins. It contacts the Cisco ACS, which in turn sends the request to the RSA server.

We have hit-or-miss authentication success with this setup. Sometimes it works, other times it does not. In all cases, the RSA server reports a successful authentication AND the ACS also reports a successful authentication. The VPN 3015 will either authenticate, or timeout.

The strange part is that as soon as I switch the user being authenticated to use an internal password on the ACS (instead of authenticating against the RSA server), we get 100% authentication success. Have tried various versions of 3015 code and also been from 5.0 to 5.1 in the RSA server.

Anyone seen this or anything similar? Bug? My stupidity?

Thanks

3 REPLIES
New Member

Re: ACS 3.1 TACACS+ VPN3000 SecurID

Hi !

The problem is the time it takes ACS to get a response from the RSA Server.

If you look in ACS logs (AUTH.log in specific) you'll see when ACS receives the request from the VPN 3K and when it sends back the response.

When authenticating to ACS internal DB , the response time is much shorter and thus 100% authentication success.

My advise is to increase the timeout on the VPN3K if you want to use RSA.

Ami

New Member

Re: ACS 3.1 TACACS+ VPN3000 SecurID

I have considered this, however, as I had said before, I get 100% success in the logs on the ACS, even when usng the RSA as the authentication source. It seems to be related to the communucation between the ACS and the VPN3000, but there are really no settings that I am aware of to play with, other than the TACACS timeout settings on the VPN3000, which I have tried adjusting with no success. The only indication of a problem is that the authentication failes on the VPN3000, even though the ACS and the RSA indicate success.

New Member

Re: ACS 3.1 TACACS+ VPN3000 SecurID

The fact that ACS logs show 100% success all the time just indicates that ACS gets the response from RSA in all cases and transfers the response back to the VPN3K.

The fact that the VPN3K doesn't always get the response (in cases where it indicates timeout) , just shows that the VPN3K doesn't wait enough time to get _all_ the responses from ACS , which ACS does send.

Try to match a failed authentication message from the VPN3K to a snippet from the AUTH.log file (taken with full logging) and see if the time it took ACS to process the request (including RSA process) is above what is configured in the VPN3K Tacacs timeout.

Ami

130
Views
0
Helpful
3
Replies
CreatePlease login to create content