Aironet (LEAP) with ACS v3 and RSA ACE Server

dsnider, Level 1

I've been trying to test a configuration concept as follows: set up Aironet APs and clients to use LEAP authentication via AAA in ACS for accounting, and proxy the login to the RSA token server via a single sign-on for the clients. The problem I'm having is that I can't find any documentation on how and what I need to have in place within ACS and the RSA ACE server. I'm guessing that I'll have to use the LEAP proxy RADIUS server configuration for external databases. So far, however, I have not been able to get any configuration to actually send a login to the ACE server. I first tried to use the RSA SecurID token server setup as an external database, but that doesn't work. I think that some information is being stripped and not making it to the ACE server once it gets to the ACS server, as I get "Radius extension DLL rejected user" errors in my failed-attempts logs. I'm not sure if anyone out there has this configuration working yet, as LEAP support with Aironet and ACS is rather new, and new to me.

Does anyone have any ideas?

4 Replies

vijkrish, Cisco Employee

Please refer to

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/o.htm#xtocid1043712

Table 1-2: Password Authentication Protocol and User Database Compatibility

The matrix explicitly states this is not supported.

I'm getting the same errors using the external database settings for W2K. I have followed the docs on the Cisco site and have set it up on a member server joined to the domain, with all 5 ACS services logged on with a domain-admin-equivalent account. I don't seem to be getting any messages on the W2K DCs to show any attempts at authentication, and my guess is that the ACS is not forwarding the authentication to either of the DCs.

The member server (ACS) needs to start the CSRadius service and all other CSxxx services with a domain-privileged username. Furthermore, in "Local Security Settings" under "User Rights", there is an option "Act as part of the operating system" which must also include the same username that starts the services. Once you do this, you should be OK and ACS will proxy authentication to W2K.

HTH

R/Yusuf
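As an added example (not from the thread above and not Cisco's own tooling), the following PowerShell script audits an ACS member server for the two conditions Yusuf lists: every CS* service logs on with the same domain account, and that account holds "Act as part of the operating system" (SeTcbPrivilege) in the local security policy. It also checks "Log on as a service" (SeServiceLogonRight), which any account running a service needs and which sc.exe does not grant automatically. The service-name filter CS* and the account name CORP\svc_acs are assumptions; run it on the ACS host as an administrator.

```powershell
<#
Added example, not from the original thread or from Cisco. Audits the ACS
member server described above: CS* service log-on accounts and the user
rights that account must hold. Service names (CS*) and the account name
are assumptions for illustration.
#>
param(
    [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'CORP\svc_acs' (assumed name)
    [switch]$Fix                                     # grant any missing user right
)

$ErrorActionPreference = 'Stop'

# --- 1. Do all CS* services log on as the same domain account? ---------------
$csServices = Get-CimInstance Win32_Service -Filter "Name LIKE 'CS%'"
if (-not $csServices) { throw "No CS* services found; is ACS installed on this host?" }

foreach ($svc in $csServices) {
    $ok = $svc.StartName -ieq $ServiceAccount
    '{0,-12} {1,-8} logon={2,-25} {3}' -f $svc.Name, $svc.State, $svc.StartName,
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# --- 2. Does that account hold the required user rights? --------------------
# secedit stores holders as SIDs prefixed with '*', so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$export = Join-Path $env:TEMP 'acs-rights.inf'
& secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$policy = Get-Content $export

# SeServiceLogonRight  = "Log on as a service" (needed by any service account)
# SeTcbPrivilege       = "Act as part of the operating system" (the right the
#                        reply above says ACS needs to proxy to the W2K domain)
$needed  = 'SeServiceLogonRight', 'SeTcbPrivilege'
$missing = @()
foreach ($right in $needed) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $held = $line -and ((($line -split '=', 2)[1]).Split(',').Trim() -contains "*$sid")
    '{0,-22} {1}' -f $right, $(if ($held) { 'granted' } else { 'MISSING' })
    if (-not $held) { $missing += $right }
}

# --- 3. Optionally grant what is missing -------------------------------------
if ($Fix -and $missing) {
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
             'Revision=1', '[Privilege Rights]')
    foreach ($right in $missing) {
        # secedit replaces the entire holder list for a right, so keep the
        # existing holders and append our SID rather than overwriting them.
        $existing = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders  = if ($existing) { (($existing -split '=', 2)[1]).Trim() + ",*$sid" } else { "*$sid" }
        $inf += "$right = $holders"
    }
    $infPath = Join-Path $env:TEMP 'acs-grant.inf'
    $inf | Set-Content -Path $infPath -Encoding Unicode
    & secedit.exe /configure /db (Join-Path $env:TEMP 'acs-grant.sdb') `
                  /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
    "Granted $($missing -join ', ') to $ServiceAccount; restart the CS* services to apply."
}
```

Usage: `.\Check-AcsRights.ps1 -ServiceAccount 'CORP\svc_acs'` reports only; add `-Fix` to grant the missing rights. Changing a service's log-on account is done separately, for example `sc.exe config CSRadius obj= "CORP\svc_acs" password= "<pwd>"` (the space after each `=` is required), followed by a service restart. Note that SeTcbPrivilege lets a process impersonate any user and is effectively SYSTEM-level; use a dedicated service account for the ACS services rather than an interactive domain admin account, and keep that account out of any other server's local security policy.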

What OS are you running on your member server? If you're running Win2K with SP2, then that's where your problem lies. There will be a few bugs created in the next few days that relate to these issues.