Hi, currently our Cisco VPN connections to our PIX are authenticated by our TACACS server. I am trying to implement RSA SecurID by using the ACS as an agent. This part works fine: when I did a test authentication with RSA it asked me to create a PIN. I am now able to authenticate via VPN with my ACS username and PIN/token in the password box. However, I don't know how to roll this out to users, as I was expecting the Cisco VPN client to ask any new users to create a PIN, or to have a PIN box? Any ideas will be very much appreciated.
Sorry, the test was done with the 'authentication test' facility in the RSA Authentication Agent that I have installed on the TACACS server.
It seems that the new PIN mode is not working and users are not able to authenticate.
I have found a bug relating to the issue. Bug ID: CSCsd41866
Patch can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
File name: ACS-4.0.1-RSA-SW-CSCsc12614-CSCsd41866.zip
Please rate helpful posts
I've done quite a bit of Cisco ACS 4.1 and RSA SecurID version 6.2. I think I can help you with this:
1) Install Win2k3 Enterprise Edition with Service Pack 2 on a dedicated machine, or VMware if you like.
2) Run dcpromo to promote the box to be an Active Directory server if you want integration with
3) Install RSA SecurID version 6.2 on the same server in step 2.
4) Install Cisco ACS 4.1 on the same server listed in step 3.
5) http://127.0.0.1:2002 to log into the ACS.
6) Create an agent host for the Cisco ACS and generate the sdconf.rec file. Place this file under the \windows\system32 directory.
7) Under the External database, you should see something like unknown policy. Database group mapping: you should be asked, if the user is not found, what you should do. At this point, configure it for RSA SecurID. Keep clicking; you will see something about DLL file stuff, which means your SecurID is properly configured.
8) Under the user group, rename group1 to
9) Go back to the External database section; in there you will be able to map the SecurID group in step 8 to RSA SecurID. Remember that this is dynamic mapping. In other words, these users are dynamically created.
10) Go through the process of creating network devices; make sure you have the right IP addresses of the network device, pre-share
11) Restart Cisco ACS services.
Here is an example:
[root@dca2-LinuxES root]# telnet 192.168.0.5
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
User Access Verification
Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
"x" to cancel the new PIN procedure:
Now go back to the ACS and click on the Users tab; you will see test3 as a
One thing to be aware of: I do not believe PIX 6.x code is capable of changing the RSA PIN from the VPN client. PIX 7.x code is definitely capable of doing that. Same thing with the VPN concentrator: version 4.7.x will let you do that from the VPN client.
It looks to me that you've configured the RSA and the ACS correctly. It is a matter of using the right software on the PIX and VPN concentrator.
Kevin- CIE Security
Thanks very much for the reply. I will try following your steps. However, I am now configuring my PIX VPN to authenticate directly to the RSA server instead of TACACS:
aaa-server testrsa-native protocol sdi
aaa-server testrsa-native host 172.16.17.10
Now the VPN client asks for username and passcode (with ACS it asked for password). I enter my token code but I still don't get the box asking me to create the PIN? It just fails and the RSA log shows 2 messages: passcode accepted, new PIN required. Then ACCESS denied, new PIN deferred. Am I missing something? I have pix712 and vpn4.8?
Thanks again for your help.
Could it be the VPN client isn't capable of handling the challenge/response correctly? I.e. it's a username+password fire-once-only client?
A simple test: if you can get an ASCII terminal login to the PIX (or any IOS device), authenticated by RSA via ACS, that includes new PIN mode, then everything on the ACS/RSA side must be working.
You could even try the ACS "tactest" program to mimic the IOS device. This lives in the bin folder and you need to add a T+ NAS to ACS with the local IP address. You then run:
tactest -H 127.0.0.1 -k secret
authen action type service port remote [user]
author arg1=value1 arg2=value2 ...
acct arg1=value1 arg2=value2 ...
TACACS> authen login ascii login tty0
Authentication succeeded :
In your case there would also be the new pin exchange tagged on the end.
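The point made in the last two posts (a login that can relay prompts, like the telnet session and tactest above, completes new-PIN mode; a client that sends username plus passcode once and cannot show a follow-up prompt ends in "new PIN deferred") can be seen in a small model. The following is an added example written for this thread, not code from Cisco, RSA or any poster: a toy authentication server whose log strings mirror the messages quoted here, plus two client behaviours. The user name, token code and PINs are constructed, and the real SecurID/ACS protocol internals are not modelled.

```python
# Added example, not from the thread: a toy model of the SecurID new-PIN-mode
# exchange behind an ASCII (telnet/tactest-style) login, showing why a client
# that sends username + passcode once and cannot answer further prompts ends
# in "ACCESS DENIED, new PIN deferred". Names, PINs and token codes below are
# constructed for illustration; real SecurID/ACS internals are not modelled.
import secrets
from dataclasses import dataclass
from typing import Optional

PASS, FAIL, CONTINUE = "PASS", "FAIL", "CONTINUE"


@dataclass
class TokenRecord:
    username: str
    tokencode: str             # code the token currently displays (constructed)
    pin: Optional[str] = None  # None means the token is still in new-PIN mode


class SecurIDServer:
    """Toy authentication server; log strings mirror the messages quoted in the thread."""

    def __init__(self, tokens):
        self.tokens = {t.username: t for t in tokens}
        self.log = []

    def start_session(self, username):
        return Session(self, self.tokens.get(username))


class Session:
    """One login attempt; step() consumes a client reply and returns (status, prompt)."""

    def __init__(self, server, token):
        self.server, self.token, self.state = server, token, "PASSCODE"

    def step(self, reply):
        if self.state == "PASSCODE":
            return self._check_passcode(reply)
        if self.state == "ASK_OWN_PIN":
            if reply.lower() == "y":
                self.state = "ENTER_PIN"
                return CONTINUE, 'Enter your new Numerical PIN, containing 4 to 8 digits, "x" to cancel:'
            # default [n]: the server generates the PIN and the login completes
            return self._set_pin(str(secrets.randbelow(10**8)).zfill(8))
        if self.state == "ENTER_PIN":
            if reply.lower() == "x":
                return self.abort()
            if reply.isdigit() and 4 <= len(reply) <= 8:
                return self._set_pin(reply)
            return CONTINUE, "PIN must be 4 to 8 digits:"
        return FAIL, "session closed"

    def _check_passcode(self, passcode):
        t = self.token
        self.state = "DONE"
        if t is None:
            return FAIL, "ACCESS DENIED, unknown user"
        if t.pin is None and passcode == t.tokencode:
            # token code alone is correct while no PIN exists: enter new-PIN mode
            self.server.log += ["PASSCODE ACCEPTED", "NEW PIN REQUIRED"]
            self.state = "ASK_OWN_PIN"
            return CONTINUE, "Do you want to enter your own pin? (y or n) [n]"
        if t.pin is not None and passcode == t.pin + t.tokencode:
            self.server.log.append("PASSCODE ACCEPTED")
            return PASS, "Authentication succeeded"
        self.server.log.append("ACCESS DENIED, bad passcode")
        return FAIL, "ACCESS DENIED"

    def _set_pin(self, pin):
        self.token.pin = pin
        self.server.log.append("NEW PIN ACCEPTED")
        self.state = "DONE"
        return PASS, "PIN accepted; Authentication succeeded"

    def abort(self):
        """What happens when the client never answers the new-PIN prompt."""
        self.server.log.append("ACCESS DENIED, new PIN deferred")
        self.state = "DONE"
        return FAIL, "ACCESS DENIED, new PIN deferred"


def fire_once_client(server, username, passcode):
    """Client that can only send username + password once and has no prompt handling."""
    session = server.start_session(username)
    status, _ = session.step(passcode)
    if status == CONTINUE:
        status, _ = session.abort()  # cannot render the prompt, so the login dies here
    return status


def interactive_client(server, username, passcode, answers):
    """Client that relays server prompts to the user, as the telnet/tactest login does."""
    session = server.start_session(username)
    status, _ = session.step(passcode)
    replies = iter(answers)
    while status == CONTINUE:
        status, _ = session.step(next(replies, "x"))  # "x" cancels if the user runs out of answers
    return status


if __name__ == "__main__":
    srv = SecurIDServer([TokenRecord("test3", "123456")])  # constructed user and token code
    print("fire-once client:", fire_once_client(srv, "test3", "123456"))
    print("interactive client:", interactive_client(srv, "test3", "123456", ["y", "4711"]))
    print("server log:", srv.log)
```

Running it shows the same sequence as the RSA log described earlier: the fire-once client gets "PASSCODE ACCEPTED", "NEW PIN REQUIRED" and then "ACCESS DENIED, new PIN deferred", while the interactive client sets the PIN and authenticates; after that, only PIN+tokencode is accepted, so a client that still sends the bare token code fails outright.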
Good news is, the tactest worked exactly as it should with the new PIN prompt. Thanks for that.
Not sure what to do now; my telnet to my PIX is also not displaying the correct prompt. Just username and password (the password works once I have created a passcode).
I have just upgraded my test PIX to 722 and it looks like this has resolved the issue. I did a telnet and got the PIN prompt, yehh!! Can't test the VPN yet though as this is on a live PIX which I can't upgrade.
Thanks for your help with this.