New Member

ACS 4.0 and RSA Token Server problem

Hi,

We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.

Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.

I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.

When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.

After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.

Any help or advice appreciated.

Thanks


5 REPLIES

Re: ACS 4.0 and RSA Token Server problem

Hi,

The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.

The following link talks about the same.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733

Regards,

~JG

Silver

Re: ACS 4.0 and RSA Token Server problem

no no no no! NEVER use RSA with WIFI + PAP.

The token + pin can be sniffed and are good for 60 seconds... over Wifi that's disastrous.

Silver

Re: ACS 4.0 and RSA Token Server problem

Hi

This is because LEAP requires MSCHAP which in turn requires access to either the plain text password or a hash of it. So you can see how this would be hard to do with RSA.

To use RSA with WLAN you need to look at EAP-PEAP/FAST where the RSA token can be carried inside in the encrypted tunnel.
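The following Python model, added here and not taken from any poster or from Cisco's or RSA's software, illustrates the point above: a challenge/response verifier like the one behind LEAP/MS-CHAP can only check a response if it already holds the password (or its hash), while a time-based token server has no static credential and can only validate a passcode delivered to it in the clear (PAP). The hash function, the 6-digit tokencode generator and the seed are constructed stand-ins for the real NT hash and SecurID algorithms.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for an NT hash (really MD4 over the UTF-16LE password).
# SHA-256 is used only so the example runs on the standard library; the point
# is unchanged: the verifier must already hold this value.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def chap_response(password: str, challenge: bytes) -> bytes:
    """Client side of an MS-CHAP-style exchange: prove knowledge of the
    password by keying a MAC over the challenge the server sent."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()

def acs_verify_chap(stored_hash: Optional[bytes], challenge: bytes, response: bytes) -> bool:
    """ACS side for a LEAP/MS-CHAP user. The expected response can only be
    recomputed from a stored password hash. An RSA token user has no such
    static credential, so there is nothing to compare against."""
    if stored_hash is None:
        return False
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def tokencode(seed: bytes, now: int) -> str:
    """Constructed model of a token: a 6-digit code derived from the seed
    and the current 60-second window (not the SecurID algorithm)."""
    window = (now // 60).to_bytes(8, "big")
    digest = hmac.new(seed, window, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def rsa_verify_pap(seed: bytes, pin: str, passcode: str, now: int) -> bool:
    """Token server side: PAP delivers the plaintext passcode (PIN + tokencode),
    so the server can compare it with the code for the current window."""
    return hmac.compare_digest(pin + tokencode(seed, now), passcode)

if __name__ == "__main__":
    chal = bytes(range(16))                      # constructed challenge
    print("static user, CHAP:",
          acs_verify_chap(password_hash("pw"), chal, chap_response("pw", chal)))
    seed, pin, t = b"constructed-seed", "1234", 6000
    code = pin + tokencode(seed, t)
    print("token user, CHAP at ACS:", acs_verify_chap(None, chal, chap_response(code, chal)))
    print("token user, PAP at RSA :", rsa_verify_pap(seed, pin, code, t + 59))
    print("same passcode one window later:", rsa_verify_pap(seed, pin, code, t + 60))
```

The last two calls show why the 60-second validity matters: a passcode carried in PAP is reusable by anyone who captures it until the window rolls over.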

New Member

Re: ACS 4.0 and RSA Token Server problem

Ahhh... Thank you! I will give EAP-PEAP/FAST a try.

Silver

Re: ACS 4.0 and RSA Token Server problem

oops... double hit the return key!
