Cisco Support Community


Serious security issue with ACS 3.3 and RSA ACE Token Server

Hi all,

We have a serious security issue with an ACS 3.3 server on Windows running in front of an RSA ACE/Token Server 6.0. We use this setup to authenticate VPN users coming in over ASAs and VPN-3000 concentrators.

After running for some time the ACS stops authenticating users. But the authentication does not fail; instead the ACS allows any user to connect successfully. We traced the communication between the ACS and the RSA ACE and found that the ACS does not talk to the RSA server anymore, but nevertheless allows the users to connect. What's even worse, the user can supply any token code, valid or not!

In summary, the ACS allows any user to connect successfully with invalid token codes.

After stopping and restarting the services on the ACS, everything works normally.

Any help is appreciated since this is a serious issue for us.

Kind regards

Markus
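The failure Markus describes (the front end keeps answering Access-Accept after it has stopped talking to the token server) is the classic fail-open condition, and the practical check is a canary: periodically send the RADIUS front end an Access-Request for a dedicated account with a passcode that cannot be valid, and alert on anything other than Access-Reject. The script below is an added example written for this page, not code from the thread or from Cisco; it implements the RFC 2865 Access-Request, User-Password hiding and Response Authenticator check by hand so it runs with no third-party modules. The host, port, shared secret, NAS-IP and canary account name are placeholders (assumptions), and the account must be one that ACS maps to the RSA external database, otherwise ACS would reject it locally and the canary would never exercise the ACE link.

```python
"""Fail-open canary for a RADIUS front end (e.g. ACS proxying to an RSA ACE server).

A healthy ACS/ACE chain must answer Access-Reject to a bogus passcode.
An Access-Accept means the front end has stopped consulting the token server
and is failing open. No response at all is a separate finding (server down).

Assumptions (placeholders, not from the thread): host, port, shared secret,
NAS-IP and the canary account name.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5
# A string no SecurID PIN+tokencode could ever equal, so the canary is always invalid.
BOGUS_PASSCODE = "not-a-valid-passcode"


def _attr(atype, value):
    # RFC 2865 attribute: Type(1) Length(1, header included) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(hidden, secret, req_auth):
    """Inverse of encode_user_password (handy when reading a capture with the secret)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, passcode, req_auth,
                         nas_ip="127.0.0.1", nas_port=0):
    """Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(passcode.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(resp, ident, req_auth, secret):
    """'reject' = healthy; 'fail-open' = Access-Accept for a bogus passcode;
    'bad-auth' = wrong identifier or bad Response Authenticator (spoofed or unrelated)."""
    if len(resp) < 20 or resp[1] != ident:
        return "bad-auth"
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if expected != resp[4:20]:
        return "bad-auth"
    return {ACCESS_ACCEPT: "fail-open", ACCESS_REJECT: "reject"}.get(resp[0], "other")


def probe(host, port, secret, username, timeout=5.0):
    """Send one canary request; returns the classify_response() verdict or 'no-response'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, secret, username, BOGUS_PASSCODE, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(resp, ident, req_auth, secret)


if __name__ == "__main__":
    # Placeholder target (assumption). Run from cron; alert on anything but 'reject'.
    print(probe("192.0.2.10", 1812, b"shared-secret", "canary-user"))
```

Every canary request counts as a failed login for that account on the ACE side, so use a dedicated account, a sensible interval, and a lockout policy that will not disable it. The identifier and Response Authenticator checks matter: without them a stray or spoofed datagram on the UDP socket could be read as either a false alarm or, worse, a false "healthy".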

8 REPLIES

Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

Do you have token caching enabled in ACS?


Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

Darran,

thanks for your reply.

But no, we do not use token caching.

- Markus

Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

Strange... what is the complete version of ACS, and on which operating system and service pack is it installed?

Regards,

~JG


Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

JG,

The ACS is V3.3(2) build 2 and it is running on a Windows 2000 Server with Service Pack 4.

The RSA server version is 6.0, running on Solaris.

Thanks for your effort

- Markus

Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

Markus,

RSA ver 6.0 is not tested with acs 3.3.2.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/device/table/app33sdt.html#wp21145

I would suggest you upgrade it to 3.3.4.

Regards,

~JG


Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

JG,

thanks again. I have seen that, but did not pay too much attention, since the setup was working. Nevertheless I appreciate your hint and we will go that road. Do you know how I can get hold of a 3.3.4 ACS for Windows?

Thanks again

- Markus

Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

Markus,

ACS software is not listed on CCO. You need to open a TAC case to get it.

Regards,

~JG

Do rate helpful posts


Re: Serious security issue with ACS 3.3 and RSA ACE Token Server

I have the exact same issue as described by Markus, but my RSA SecurID is version 5.1. I am using the same ACS version as Markus on Windows 2000 with Service Pack 4. Stopping and starting the Cisco ACS services did not resolve the issue. To fix this, I have to reboot the Win2k box every 48 hours.

I am thinking that it may be a bug in this version of ACS.
