ACS appliance <--> AD <--> RSA Securid Server

I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.

Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.

But authentication going to RSA failed. I can't find logs showing that my ACS is communicating successfully with RSA.

Here's more info:

In Active Directory, the remote agent for ACS installed successfully. The agent for RSA is also installed successfully.

In ACS appliance, remote agent was already pointed to AD.

No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.

How can I manage to configure RSA SecurID Token Server in my ACS appliance?

2 Replies

mheusinger
Level 10

Hello,

The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml

I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.

ACS with ACE however works, though there were some nasty problems to be solved on the way to success.

One thing to point out straight away, also mentioned in the document above:

Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement in the CHAP RFC (1994) that states:

CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.

This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:

username: xxxx

password: xxxx

Password Authentication Protocol (PAP) is a better choice here.

This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the proper combination out of different clearly named input fields to simplify the input for inexperienced users.

Hope this helps! Please rate all posts.

Regards, Martin
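An added illustration of the CHAP-versus-PAP point made in the reply above (this is not code from the Cisco document, the posts, or the ACS product): a CHAP verifier must recompute MD5(id || secret || challenge), so it needs the plaintext secret, while PAP hands the AAA server the cleartext password, which can simply be forwarded to a token server that only answers accept or reject. The TokenServer class, the local secret store for a separate CHAP password, and the split of the "username*token" entry on "*" are assumptions.

```python
import hashlib
import hmac


class TokenServer:
    """Constructed stand-in for a token server such as RSA ACE/SecurID: it
    validates (user, one-time passcode) pairs and never exposes any secret."""

    def __init__(self, valid_codes):
        self._codes = set(valid_codes)          # constructed (user, passcode) pairs

    def validate(self, username, passcode):
        key = (username, passcode)
        if key in self._codes:
            self._codes.remove(key)             # one-time: a replay is rejected
            return True
        return False


def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994) MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_authenticate(local_secrets, username, identifier, challenge, response):
    """Verify a CHAP response. This needs the plaintext secret, here a separate
    CHAP password kept locally (assumed store); a token server cannot supply it,
    so with no local secret the user is rejected."""
    secret = local_secrets.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_authenticate(token_server, username, password):
    """PAP carries the cleartext password, so the AAA server can forward it
    unchanged to the token server and relay its verdict."""
    return token_server.validate(username, password)


def split_user_token(entry):
    """Assumed reading of the post's 'username*token' input: split on '*'."""
    username, _, token = entry.partition("*")
    return username, token
```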

dcavanaugh
Level 1

I believe the problem you have is that you installed the agent for RSA on the AD side. Getting RSA to work correctly with ACS is dependent on the build of ACS. The ACS appliance is a different configuration from the Windows version. Go configure your RSA server under EXTERNAL USER DATABASES --> DATABASE CONFIGURATIONS --> RADIUS TOKEN SERVER. From there you can create a new configuration for your RSA server. You will see the RSA server available under individual user configurations. It will be under a drop down for password Authentication.
