New Member

ACS 4.2 and RSA SecurID in Next tokencode mode

We're using ACS 4.2 for AAA for all of our Cisco devices. The ACS server uses our RSA SecurID server and it works great, except when the token goes into next tokencode mode. Instead of being prompted for the next tokencode after a successful auth, it prompts for a password change.

Other devices using the SecurID server aren't having this problem, so I'm sure it has to do with the ACS. Has anyone else seen this sort of thing before?

Here's our setup:

ACS 4.2(0) Build 124 Patch 7

RSA Appliance 2.0.2 Auth Manager 6.1.2 (142)

9 REPLIES
New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

You are running into CSCsu29010. This is fixed with cumulative patch 6 and later.

New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

OK, just noticed you are running patch 7. I need to double check.

Silver

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

This is a KNOWN issue:

http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ACS_42_AuthMan7.1.pdf

You run into something like this, right:

[Expert@P1-NGx]# telnet 192.168.15.248
Trying 192.168.15.248...
Connected to 192.168.15.248.
Escape character is '^]'.
C
ACS Server version 4.2
Username: test1
Password:
Do you want to enter your own pin? (y or n) [n] y

It hangs after that, correct?

According to RSA:

Known Issues

1. Force Authentication after New PIN (both System Generated and User Defined), does not function as designed. The user is immediately authenticated after selecting or entering a NEW PIN. Cisco has been notified as this is how Cisco ACS is currently processing NEW PIN requests.

New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

It's actually a little different than that. This is dealing with next tokencode mode, not new PIN mode yet. Here's what it looks like after a successful auth after next tokencode mode is activated:

Server requested password change
Password change request
Current password (blank for previously entered password):

When instead it should be prompting for the next tokencode. It's as if the ACS software doesn't know what next tokencode mode is or something. Doing a test from the RSA Security Center on the ACS server works out correctly.

I should probably note that we were experiencing the same issue with ACS 4.0. I was hoping that the upgrade and patch 7 would help but it hasn't.

Silver

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

Do you set up the router to use RADIUS or TACACS?

I don't think next tokencode or next PIN mode is supported with TACACS.

New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

Our routers and switches use TACACS to the ACS server. If we have to switch to RADIUS, we've got a looooot of reconfiguring to do...

Silver

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

If you are using TACACS, you will not be able to do this. This can be done only with RADIUS, to my knowledge.

By the way, say hi to all the ex "Digex" folks for me.

New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

I'll do some testing with a switch to see if that does it. It's going to be a lot of no fun if that does it!

Next time I see one, I'll tell them you said hi. :)

New Member

Re: ACS 4.2 and RSA SecurID in Next tokencode mode

Ok, I finally had a chance to test out this theory. The good news (for me) is that there's no change. I'm still getting this prompt when in next tokencode mode instead of a prompt for the next tokencode:

Server requested password change
Password change request
Current password (blank for previously entered password):

That's only good news for me because it looks like I don't have to reconfigure a crazy amount of network gear. The bad news is that we still don't have an idea of why this is happening.
