Cisco Support Community


How to configure ACS 4.2 to delegate authentication to a RADIUS server

Hi,

We need to run the following scenario:

Cisco VPN client (or Any Connect, Cisco SSL VPN client) ----> Cisco ASA 5520 -----> Cisco ACS 4.2 -----> CAT Authentication Server


The CAT Authentication Server is a Radius Server. It can receive Radius Authentication requests and respond. It is used for TFA OTP strong authentication in a similar way to the RSA OTP Tokens.

The question is: How do we configure the ACS 4.2 to delegate the Authentication Request to another Radius server.

Thanks


8 REPLIES

Re: How 2 configure ACS 4.2 to delegate authentication to radius

Add the RSA server as an External Database, configure the user or group profile dropdown for authentication to the new external database rather than ACS Local DB (or Windows DB).

Easy as pie!

Please rate if this is helpful.


Re: How 2 configure ACS 4.2 to delegate authentication to radius

Hi Tim,

Thanks.

Just to be sure: when you add a new External Database, you are defining a RADIUS server? That's the RADIUS server IP and shared secret, right?

Is there a Cisco document that describes the process and/or gives step-by-step instructions?

I'm asking because I don't have the Cisco installed on our server; it is installed at a customer of ours and I need to be sure.

You know how customers are...

Many thanks.


Re: How 2 configure ACS 4.2 to delegate authentication to radius

Tim,

One more thing.

Please notice that we do not use RSA, we have a Radius server like FreeRadius for example.

Thanks

Re: How 2 configure ACS 4.2 to delegate authentication to radius

You can define any radius server as an external authentication database. Basically, an external database is just a system that can authenticate requests outside of ACS's authority. You just configure it under RADIUS token server, and it will appear in the dropdown under user or group profiles. I've had this work with Microsoft IAS, FreeRADIUS, and RSA SecurID Server.

Cheers,

Tim


Re: How 2 configure ACS 4.2 to delegate authentication to radius

Many thanks !!! much appreciated.


How 2 configure ACS 4.2 to delegate authentication to radius ser

Hi,

I would like to configure the below setup:

End user client (Cisco AnyConnect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.

Here the ACS server would send the authentication requests to the external RADIUS server. So I have added the external user database (RADIUS token server) in ACS under External Databases. I have added the AAA client in Network Configuration (selected "Authenticate using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop-down).

Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as the RADIUS server you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?

I would be really grateful for any help on this.

Thanks and Regards,

Rahul.


Re: How 2 configure ACS 4.2 to delegate authentication to radius

Hi Tim,

We have already tried configuring RADIUS Token Server External User Database connector, but it didn’t work.

Maybe it’s because we already have Windows AD connector configured on Cisco ACS 4.2? Maybe it is not possible to have in the same time, both connectors: to Windows AD and to RADIUS Token Server External User Database (meaning CAT AS)?

Thanks

Re: How 2 configure ACS 4.2 to delegate authentication to radius

Hi Arnnei,

I have a Windows Connector and a RSA SecurID Connector at the same time and they work fine. Can you please specify what didn't work? You need to be sure to add the ACS Server as a RADIUS Device on the RADIUS server so it can talk, and make sure RADIUS is open on the firewall between the two devices. Hook up a sniffer (wireshark/etc) and see if the packets are going to the RADIUS server. If they are, then the configuration issue is on the RADIUS side. If not, then something is wrong on the ACS Side.

You must ensure that a user has been created and has the RADIUS server in the Password Authentication box under the User Setup section.

Please check those things and respond.

Thanks,

Tim
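The checks Tim lists above (the ACS must be registered as a RADIUS client on the external server, the shared secret must match, and a sniffer tells you which side is at fault) map directly onto how RFC 2865 behaves on the wire. The following Python is an added example, not code from this thread or from Cisco: it models the ACS-to-RADIUS-server leg as a PAP Access-Request, with the User-Password hiding and the Response Authenticator computed as the RFC specifies, and a toy server that silently discards requests from an unknown client IP, which is exactly the "no reply at all" symptom of a missing RADIUS-device entry. The user name, password, shared secrets and the 192.0.2.x addresses are constructed test data; the server's user table stands in for whatever the real RADIUS/OTP server does to validate a credential.

```python
"""Model of a RADIUS PAP exchange (RFC 2865) between a NAS such as ACS and a RADIUS server.
Added example: not from the forum thread or from Cisco. All addresses and secrets are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, then XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server side. A wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, counts type+length) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, attrs_bytes, request_auth, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def client_access_request(username, password, nas_ip, secret, ident=1, authenticator=None):
    """What the NAS (ACS in the thread) sends; returns the packet and the Request Authenticator."""
    auth = authenticator or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, auth, attrs), auth


def server_handle(pkt, clients, users, src_ip):
    """Toy RADIUS server. clients: {source_ip: secret}; users: {name: password}.
    Returns a response packet, or None to model the silent discard of an unknown client."""
    secret = clients.get(src_ip)
    if secret is None:
        return None  # RFC 2865 s3: request from an unknown client is silently discarded
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    name = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    rcode = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    return build_packet(rcode, ident, response_authenticator(rcode, ident, b"", req_auth, secret), [])


def client_verify(resp, req_auth, secret, ident) -> str:
    """Client-side checks: reply arrived, ID matches, Response Authenticator verifies under our secret."""
    if resp is None:
        return "timeout: no reply (is this NAS IP registered as a client on the RADIUS server?)"
    code, rid, rauth, attrs = parse_packet(resp)
    if rid != ident:
        return "identifier mismatch"
    if rauth != response_authenticator(code, rid, encode_attrs(attrs), req_auth, secret):
        return "bad response authenticator (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def run_scenario(username, password, nas_ip, client_secret, server_clients, users, ident=7) -> str:
    pkt, req_auth = client_access_request(username, password, nas_ip, client_secret, ident)
    return client_verify(server_handle(pkt, server_clients, users, nas_ip), req_auth, client_secret, ident)


# Constructed data: the ACS at 192.0.2.10 is the one client the RADIUS server knows.
USERS = {"alice": "s3cret-otp-123456"}
CLIENTS = {"192.0.2.10": b"acs-shared-secret"}

if __name__ == "__main__":
    print(run_scenario("alice", "s3cret-otp-123456", "192.0.2.10", b"acs-shared-secret", CLIENTS, USERS))
    print(run_scenario("alice", "wrong", "192.0.2.10", b"acs-shared-secret", CLIENTS, USERS))
    print(run_scenario("alice", "s3cret-otp-123456", "192.0.2.99", b"acs-shared-secret", CLIENTS, USERS))
    print(run_scenario("alice", "s3cret-otp-123456", "192.0.2.10", b"typo", CLIENTS, USERS))
```

The four scenarios reproduce the symptoms to look for in a capture: a good credential gets Access-Accept; a bad one gets Access-Reject (so the server is reachable and the secret is right); a request from an address the server does not list as a client gets no reply at all, which a sniffer on the ACS shows as Access-Requests with nothing coming back; and a shared-secret mismatch produces a reply whose Response Authenticator does not verify, so the NAS treats it as invalid even though packets flow in both directions. Note that the model speaks plain RADIUS PAP over UDP; production traffic should additionally carry Message-Authenticator (RFC 2869) and be confined to a management network, since the RFC 2865 password hiding is not encryption in any modern sense.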
