How to configure LEAP settings on ACS 5
This document describes how to configure LEAP authentication on ACS 5 for a Cisco Prime NCS client.
Ensure that you meet these requirements before you attempt this configuration:
Define NCS as a client in ACS.
Define the IP address and an identical shared secret key on the ACS and NCS.
Make sure that LEAP client settings are appropriate.
The information in this document is based on these software and hardware versions:
NCS prime 1.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Step 1. Go to Access Policies > Access Services > Default Network Access > Allowed Protocols and select LEAP as the preferred EAP protocol.
Step 2. Go to Access Policies > Access Services > Default Network Access > Identity and select Internal Users as the identity source.
Step 3. Go to Access Policies > Access Services > Default Network Access > Authorization and create a rule that permits the LEAP users.
Step 4. Click OK.
Step 5. Save the changes and test authentication.
When you test the client with LEAP, authentication should succeed. Note that LEAP is an MS-CHAP-based challenge/response method whose exchanges are exposed to offline dictionary attacks if they are captured, so enable it only where the client requires it, enforce strong passwords, and prefer EAP-FAST or PEAP where the clients support them.
A user is trying to implement RSA two-factor authentication for his company for access to secure resources.
Our setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive, even on our admin users, to ensure that no secure resources could be accessed without two-factor authentication.
I do not want to have to enable RSA tokens for our entire company, but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
We have fewer than ten people that require elevated access privileges, so my hope is to enable RSA only for those ten users and leave the rest of the accounts authenticating normally against AD.
I cannot figure out how to configure this. With ACS 4.x such a policy would be simple: just create the user on ACS and point to the identity store that I want to authenticate against. It is not as easy with 5.x.
I tried creating a rules-based selection for the identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring RSA to treat user rejects as user not found. This broke VPN completely.
From what I can tell, it seems like ACS really wants me to choose an identity store based on the NDG, but in this case it will always be our same ASA VPN device.
Does anyone know how to accomplish this? I am running 5.4 with the latest patches.
I think there is an additional attribute that defines the name of the external store that was authenticated against. The variable is called "AuthenticationIdentityStore" and is in the System dictionary. In fact, this is the last database that was used to check authentication. In case authentication passed, it will in fact be the database against which authentication passed.
Therefore, the best condition to use is ("System:AuthenticationIdentityStore" equals "RSA") and ("System:AuthenticationStatus" equals "AuthenticationPassed").
This will check whether authentication was done against RSA.
One other thing that may be useful as an additional data point:
If you look at the definition of the RSA object on ACS, it has a timeout setting. By default this is 30 seconds.
It may be worth reducing this and seeing whether it reduces the round-trip time for the case of the user not being found, while still being long enough for users that are found.
It may not solve anything, but it can be an additional data point to see whether the timeout on the ACS side is the thing that is terminating the interaction.
Each of the results in your identity policy is only selecting a single store, either RSA or AD1.
You need to:
Create an identity store sequence: Users and Identity Stores > Identity Store Sequences.
Select Password Based and then add both RSA and AD1 to the selected list in the order you desire.
Once this is created, select it as the "Identity Source" in the identity policy.
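The following Python model, added here as an illustration and not code from ACS or from anyone in this thread, shows why a single-store identity result drops the ordinary AD users while a password-based identity store sequence lets them fall through to AD1, and how the authorization condition from the earlier reply ("System:AuthenticationIdentityStore" equals "RSA" and "System:AuthenticationStatus" equals "AuthenticationPassed") restricts elevated access to users who actually passed against RSA. The store names RSA and AD1 come from the thread; the usernames, passwords and the "treat rejects as user not found" behaviour on the RSA store are constructed sample data and assumptions about the sequence semantics described above.

```python
# Illustrative model of an ACS 5 identity policy (single store vs. password-
# based identity store sequence) and the authorization condition from the
# thread. This is not ACS code; all store contents are constructed sample data.
from dataclasses import dataclass

NOT_FOUND = "UserNotFound"
PASSED = "AuthenticationPassed"
FAILED = "AuthenticationFailed"


@dataclass
class Store:
    name: str
    users: dict                      # username -> secret (constructed)
    reject_as_not_found: bool = False  # the RSA "treat rejects as user not found" option

    def authenticate(self, user: str, secret: str) -> str:
        if user not in self.users:
            return NOT_FOUND
        if self.users[user] == secret:
            return PASSED
        return NOT_FOUND if self.reject_as_not_found else FAILED


def single_store(store: Store, user: str, secret: str) -> dict:
    """Identity policy whose result selects exactly one store (RSA or AD1)."""
    return {"AuthenticationStatus": store.authenticate(user, secret),
            "AuthenticationIdentityStore": store.name}


def store_sequence(stores: list, user: str, secret: str) -> dict:
    """Password-based identity store sequence (assumed semantics): try each
    store in order, move on only when the user is not found, and stop at the
    first store that either passes or fails the user. The last store consulted
    is what System:AuthenticationIdentityStore reports."""
    status, last = NOT_FOUND, None
    for store in stores:
        status, last = store.authenticate(user, secret), store.name
        if status != NOT_FOUND:
            break
    return {"AuthenticationStatus": status, "AuthenticationIdentityStore": last}


def elevated_access(result: dict) -> bool:
    """Authorization rule condition from the thread:
    AuthenticationIdentityStore equals RSA AND AuthenticationStatus equals
    AuthenticationPassed."""
    return (result["AuthenticationIdentityStore"] == "RSA"
            and result["AuthenticationStatus"] == PASSED)


# Constructed sample stores: alice is an admin with a token, bob is a normal AD user.
RSA = Store("RSA", {"alice": "1234567890"}, reject_as_not_found=True)
AD1 = Store("AD1", {"alice": "AdPass1", "bob": "BobPass1"})
SEQUENCE = [RSA, AD1]

if __name__ == "__main__":
    # Single-store result: bob is unknown to RSA, so the VPN drops him.
    print(single_store(RSA, "bob", "BobPass1"))
    # Sequence: bob falls through to AD1; alice with her token passes on RSA.
    for user, secret in [("bob", "BobPass1"), ("alice", "1234567890"),
                         ("alice", "AdPass1"), ("alice", "wrong")]:
        r = store_sequence(SEQUENCE, user, secret)
        print(user, r, "elevated" if elevated_access(r) else "normal")
```

The third sample case is the one to watch: because the RSA store is set to treat rejects as user not found, an admin who types an AD password instead of a token code falls through to AD1 and still authenticates, with only a single factor. The authorization condition is what keeps that session out of the elevated access rule, since System:AuthenticationIdentityStore then reports AD1 rather than RSA.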