Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ACS appliance <--> AD <--> RSA Securid Server

I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.

Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.

But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.

Here's more info:

In Active Directory, remote agent for ACS installed succesfully. Agent for RSA is also installed succesfully.

In ACS appliance, remote agent was already pointed to AD.

No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.

How can I manage to configure RSA SecurID Token Server in my ACS appliance?

2 REPLIES

Re: ACS appliance <--> AD <--> RSA Securid Server

Hello,

The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml

I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.

ACS with ACE however works, though there were some nasty problems to be solved on the way to success.

One thing to point out straight away also mentioned in the document mabove:

Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:

CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.

This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:

username: xxxx

password: xxxx

Password Authentication Protocol (PAP) is a better choice here.

This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the propper combination out of different clearly named input fields to simplify the input for unexperienced users.

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: ACS appliance <--> AD <--> RSA Securid Server

I believe the problem you have is that you installed the agent for RSA on the AD side. To get RSA to work correctly with ACS is dependant on the build of ACS. The ACS appliaance is a different configuration from the windows version. Go configure your RSA server under EXTERNAL USER DATABASES --> DATABASE CONFIGURATIONS --> RADIUS TOKEN SERVER. From there you can create a new configuration for your RSA server. You will see the RSA server available under individual user configurations. It will be under a drop down for password Authentication.

435
Views
0
Helpful
2
Replies
CreatePlease to create content