Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS using RSA keyfobs issue

I have been using the ACS server as a tacacs host on the switch. The ACS server is allowing me to add an Active Directory group to an ACS group, and when you login you get privilege level 15 but with a restricted command set. You can see who entered what command where in the ACS logs... It is working!

Unfortunately when I change the authentication type to RSASecureID, only the First A - Authentication works. I can't get it to authorize the privilege level 15 or other commands. The only thing I can do is set it back to local enable password, and it would seem I also lose the accounting..... In the logs the return request for Authorisation is not accepted by the ACS/RSA.

So the ACS actually acts as a Tacacs interim, and passes the requests to the Radius for Auth only, so the ACS does the AAA part, with Authentication element being passed on to the RSA. The issue is that when you do this on windows it uses the same user/password for login and enable, but when you use a token/keyfob the username/password changes and you don't get the chance to enter again.

New Member

Re: ACS using RSA keyfobs issue

Wait for the key to be changed and proceed with your login


Make sure that you have command listed below in your config

aaa authentication enable console (your Server name) LOCAL

CreatePlease login to create content