Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cicso ACS with RSA SecureId Problem

I want to implement cisco secure access control system in a network environment that uses RSA secure id. i want to install cisco acs 4.1 .I found documentation how to connect external databases with rsa authentication manager in the rsa support web site . So considering the fact that there is no problem communicating between cisco acs and rsa , i realy have no idea what to configure on the clients. The Clients will be user based authenticated to the acs with the usability of a wired 802.1x solution , connecting to cisco switches , it will pass to acs , then to rsa auth manager , and then access the network services (dchp ip assignment , etc) The whole process must be transparent to the client . what should i do please help...

1 REPLY

Re: Cicso ACS with RSA SecureId Problem

Based on your description, I think you're talking about PEAP-GTC (aka PEAP v2).

Windows has no native support for OTP (One-Time Passwords; aka GTC = Generic Token Cards), so you'll need to install a supplicant program that is able to perform this function. In the past I've used things like Oddysey (spelling?) but there are lots of clients that will provide OTP support for you.

Obviously the amount of transparency you get from using OTP is much reduced - the user will need to enter the OTP at logon, in addition to their username & password.

On the WLC, it is important that you enable "Credential Caching" under the 'Security' tab. If you don't, the user will be required to enter the OTP every time they roam, which is never a good thing!

The alternative to PEAP-GTC is EAP-TLS, which is supported by windows, but instead of using an OTP key fob, you issue users with smart cards. The smart card is protected by a PIN, and contains a user-certificate, thus giving you the same levels of 'something you have + something you know' security, without the need for purchasing & supporting 3rd party software. The downside is that you really need to run your own CA, which many people don't / can't do.

If you're really paranoid, you should also allow Machine Authentication, and enforce Machine Access Restrictions. This means that even if somebody does work out all of the settings needed for the WLAN, plus they get a smart card & PIN, they still can't get their own laptop on to the network because the machine it's self is also required to authenticate its self.

I hope that helps, any more questions / information, please post and I'm sure somebody will help you out.

Rgds,

Richard

199
Views
0
Helpful
1
Replies
CreatePlease login to create content