Cisco Support Community
New Member

ACS authentication with RSA 6.1

I want to use our production RSA server to authenticate users on Cisco devices for authorization. I need to find out how to set up the ACS and RSA so I can pass all user requests to RSA. I have ACS 1113 running 4.0?

Many thanks in advance.

5 REPLIES
Silver

Re: ACS authentication with RSA 6.1

For the ACS appliance you have to configure the "Generic RADIUS" external authenticator to point at the RSA server.

On the RSA server you must also set up the RSA RADIUS front end.

FWIW, with the S/W ACS you don't need to do that because ACS can use the RSA client DLL to talk direct to RSA.

Darran

New Member

Re: ACS authentication with RSA 6.1

Darran,

Thanks for the reply.

I am able to get RSA to authenticate my user account, but now, can I dynamically assign users to proper groups based on AD group membership? Can I even do such a thing: check the group membership in AD and use RSA token for authentication?

Currently ACS only lets me choose one group where I can have all my RSA users in.

Silver

Re: ACS authentication with RSA 6.1

Unfortunately not.

This ability was being designed into ACS XA but that project got canned.

I doubt ACS v5.0 will be that flexible.

Silver

Re: ACS authentication with RSA 6.1

The only workaround I have found is manually mapping users to a different group once they have been cached in ACS. It does not scale to large environments, but if you have a static batch of users, it may work.

New Member

Re: ACS authentication with RSA 6.1

Thanks everyone for your replies.

I finally remembered how I had accomplished this in the past. The reason I had asked was that I had once done this scenario at a client site, but could not remember it. Over the weekend it finally came back to me. At this client site, I did not have an appliance; I had ACS for Windows, and we had made the server a member server of the domain. It was able to grab all the AD groups, and we then sent the authentication to an RSA server, plus dynamically mapped them to a group in ACS.

Now since we have an appliance, I can't have the ACS grab AD groups and authenticate against RSA.

This bites.... :(

Thanks again everyone. If anyone comes up with an alternative or a solution please let me know.
