Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PEAP with ACS and RSA SecurID

Hi all,

We connect the wireless LAN with PEAP for authentication. The back end RADIUS is using Cisco ACS with AD domain username and password. Can I use the RSA SecurID instead of the AD username and password for authentication? I configured the ACS to point to the RSA ACE server. However, when I connect the wireless LAN, the ACS did not query the RSA ACE server and the ACS log said "External DB auth failed". I am sure the connections between the ACS and the RSA ACE server is okay because I configured a router console login with the RSA SecurID authentication through the ACS server and it was okay. Does anyone have any idea? Thanks.

3 REPLIES
Bronze

Re: PEAP with ACS and RSA SecurID

This is an ACE problem with the passcode. During this time, the ACS Failed Attempts log shows either the message "External DB auth failed" or "External DB user invalid or bad password".

http://www.cisco.com/warp/public/480/csntsdi.html

New Member

Re: PEAP with ACS and RSA SecurID

I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.

I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.

The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

New Member

Re: PEAP with ACS and RSA SecurID

"About Token Servers and Cisco Secure ACS"

"Cisco Secure ACS provides ASCII, PAP, and PEAP(EAP-GTC) authentication using token servers. Other authentication protocols are not supported with token server databases"

In working with a Cisco engineer, it appears the trick may be to use EAP-GTC - Generic Token Card, (which may require using RADIUS and not the RSA API)

506
Views
0
Helpful
3
Replies
CreatePlease login to create content