How to configure LEAP settings on ACS 5

Introduction

 

 

This document describes how to configure LEAP authentication on ACS 5.

 

Requirements

Ensure that you meet these requirements before you attempt this configuration:

 

  • Define NCS as a client in ACS.
  • Define the IP address and an identical shared secret key on the ACS and NCS.
  • Make sure that LEAP client settings are appropriate.

 

Components Used

The information in this document is based on these software and hardware versions:

 

  • ACS 5.4
  • NCS prime 1.1
  • LEAP client

 

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

 

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

 

 

Configuration on ACS

This section presents the information needed to configure the features described in this document.

 

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

 

 

Step 1. Go to Access Service > Default Network Access > Allowed Protocols and select LEAP as the preferred EAP protocol.

 

protocol.jpg

 

 

Step 2. Go to Access Service > Default Network Access > Identity and select Internal Users as the identity source.

 

Identity1.jpg

 

Step 3. Go to Access Service > Default Network Access > Authorization and create a rule.

 

authorizationrule.jpg

 

Step 4. Click OK.

 

authrule2.jpg

 

 

Step 5. Save the changes and test authentication.

When you test the client with LEAP, authentication should succeed.

 

Scenario 2

Problem:

A user is trying to implement RSA two-factor authentication for his company for access to secure resources.

  • Current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
  • I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
  • We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.

I cannot figure out how to configure this. With ACS 4.x such a policy would be simple: just create the user on ACS and point to the Identity Store that I want to authenticate against. Not as easy with 5.x.

I tried creating a rules-based selection for the Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring RSA to treat user rejects as user not found. This broke VPN completely.

From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.

Anyone know how to accomplish this? I am running 5.4 with the latest patches.

 

Solution:

I think there is an additional attribute that defines the name of the external store that was authenticated against. The variable is called "AuthenticationIdentityStore" and is in the system dictionary. In fact this is the last database that was used to check authentication. In case authentication passed, it will in fact be the database against which authentication passed.

Therefore, the best condition to use is ("System:AuthenticationIdentityStore" equals "RSA") and ("System:AuthenticationStatus" equals "AuthenticationPassed").

  1. This will check if authentication was done against RSA
  2. One other thing that may be useful as an additional data point
  3. If you look at the definition of the RSA object on ACS it has a timeout setting. By default this is 30 seconds.

It may be worth reducing this and seeing whether it reduces the round-trip time for the case of the user not found, while still being long enough for users that are found.

May not solve anything, but it can be an additional data point to see if the timeout on the ACS side is the thing that is terminating the interaction.

Each of the results in your identity policy is only selecting a single store, either RSA or AD1.

You need to:

  • Create an identity sequence: Users and Identity Stores > Identity Store Sequences
  • Select Password Based and then add both RSA and AD1 to the selected list in the order you desire
  • Once this is created, select it as the "Identity Source" in the identity policy
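
The behaviour the answer relies on can be made concrete with a small model. The following Python is an added illustration written for this page, not ACS code or anything posted in the thread: it models a password-based identity store sequence (RSA first, then AD1) in which a "user not found" result falls through to the next store while a pass or a reject stops the walk, records the two system attributes the answer names ("AuthenticationIdentityStore" and "AuthenticationStatus"), and evaluates the suggested authorization condition against them. The store names and the per-user secrets are constructed sample data; the "treat reject as user not found" flag stands in for the RSA option the original poster mentioned. Passing a single-store list reproduces the single-store identity policy the answer says is the problem.

```python
"""Model of an ACS 5 password-based identity store sequence plus the
authorization condition suggested in the thread.

Added illustration only: store names, user records and the
'reject as not found' flag are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Result(Enum):
    PASSED = "AuthenticationPassed"
    FAILED = "AuthenticationFailed"
    USER_NOT_FOUND = "UserNotFound"


@dataclass
class IdentityStore:
    name: str
    # constructed credential table: username -> token code or password
    users: Dict[str, str]
    # option discussed in the thread: report a reject as "user not found"
    # so the sequence continues to the next store instead of stopping
    reject_as_not_found: bool = False

    def authenticate(self, user: str, secret: str) -> Result:
        if user not in self.users:
            return Result.USER_NOT_FOUND
        if self.users[user] == secret:
            return Result.PASSED
        return Result.USER_NOT_FOUND if self.reject_as_not_found else Result.FAILED


def authenticate_sequence(stores: List[IdentityStore], user: str, secret: str) -> dict:
    """Walk a password-based sequence: USER_NOT_FOUND falls through to the
    next store; PASSED or FAILED ends the walk. Returns the two system
    attributes the thread's authorization condition reads."""
    last_store = None
    status = Result.USER_NOT_FOUND
    for store in stores:
        last_store = store.name
        status = store.authenticate(user, secret)
        if status is not Result.USER_NOT_FOUND:
            break
    return {"AuthenticationIdentityStore": last_store,
            "AuthenticationStatus": status.value}


def authorize(attrs: dict) -> str:
    """Authorization rule from the thread: the elevated profile is granted
    only when the store that passed the user was RSA; any other pass gets
    the standard profile; anything else is denied."""
    if attrs["AuthenticationStatus"] != Result.PASSED.value:
        return "Deny"
    if attrs["AuthenticationIdentityStore"] == "RSA":
        return "Elevated-Access"
    return "Standard-Access"


# Constructed sample stores: one admin with an RSA token, two AD accounts.
RSA = IdentityStore("RSA", {"alice": "159759"}, reject_as_not_found=True)
AD1 = IdentityStore("AD1", {"alice": "Winter2013!", "bob": "Spring2013!"})
SEQUENCE = [RSA, AD1]


if __name__ == "__main__":
    for user, secret in [("alice", "159759"), ("alice", "Winter2013!"),
                         ("bob", "Spring2013!"), ("bob", "wrong"), ("carol", "x")]:
        attrs = authenticate_sequence(SEQUENCE, user, secret)
        print(f"{user:6} -> {attrs} -> {authorize(attrs)}")
    # Single-store identity policy, as in the poster's failing setup:
    print(authorize(authenticate_sequence([RSA], "bob", "Spring2013!")))
```

Two details are worth noticing when running it. An admin who supplies an AD password instead of a token code falls through to AD1 and is authorized as a standard user, which is exactly the separation the poster asked for; with `reject_as_not_found` off, the same attempt stops at RSA with a failure and is denied. And a plain AD user never reaches RSA's credential check at all, so no token needs to be issued for that population.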


Version history
Revision #:
1 of 1
Last update:
‎05-16-2013 03:47 PM