ACS 5.3 integration with RSA

Hi people,

I joined the ACS 5.3 to AD.

Now, my next goal is to integrate ACS with RSA so that all my Cisco devices must use the AD username and password.

The enable privilege level should come from the RSA OTP token.

Is it possible to do such a thing with ACS 5.3?

If yes, how can I do it?

Thank you

Maury

I think you may try to make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary.

(this is not tested and is based on my memory, so it would need your checking)

(1) Create a custom condition for the Service attribute in the TACACS+ dictionary

Policy Elements > Session Conditions > Custom

Create: Dictionary: TACACS+; Attribute: Service

(2) Use it in the Device Admin identity policy

Access Policies > Access Services > Default Device Admin > Identity

Select rule based

Customize the conditions to include the one from (1)

Create a rule for when the Service is 'enable'. Select the identity source as RSA in this case.

Tags: Cisco Security

Similar Questions

  • Remote access VPN integration with RSA token

    Hello friends,

    I currently have an ASA 5520 9.0 focusing distance french authenticated VPN access a Radius of the ACS server. I also have an ACS TACACS+ server that authenticates access to network devices (routers, switches, etc.). My manager asked me to include a second level of authentication through RSA tokens. Questions:

    How does it work?

    Can I use my ACS TACACS+ server as a redundancy method for authentication of the VPNs in case my RADIUS server goes down?

    Can I use my ACS RADIUS server as a redundancy method for managing my network devices in case my TACACS+ server goes down?

    In addition, can the RSA token be used to authenticate access to manage network devices?

    Any comments will be appreciated.

    Kind regards!

    RSA has a built-in RADIUS server and by itself it can serve as two-factor.

    Using the RSA token server by itself is two-factor when you use a PIN and access code.

    Using TACACS+ for VPN is not possible.

    Check with your RSA administrator for the integration steps.

    You can directly integrate the ASA with RSA and integrate ACS with RSA as well.

    This way you have redundancy in the RSA server.

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • ACS 5.1 integration with WLC

    Hello

    Can someone help me find a document for the ACS 5.1 appliance covering TACACS+ integration (configuration) with my WLC, and also RADIUS configuration for clients?

    All the wireless controller configuration examples show only ACS 4.x integration.

    Thanks in advance

    Hello

    There is unfortunately no official configuration example for this right now.
    However, you can view these screenshots I took from a lab example, to set up the shell profile and pass it back via the authorization rule.

    Hope this helps,

    Fede

    --
    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Cisco ACS 1113 appliance v4.1 - integration of RSA Securid v6.1

    The Windows version of Cisco ACS seems to have the ability to integrate with RSA SecurID; it's listed in external databases. It can also support the SDI protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113 but RSA SecurID does not appear in the external databases section. This means that I won't be able to use the SDI protocol, with only RADIUS available.

    And Yes you are right,

    With ACS, we need to configure using RADIUS, on ACS SE it won't work with SDI.

    Kind regards

    Prem

  • ACS integration with Microsoft Active Directory Services

    Hi all

    I was made responsible for developing the integration of ACS with MS AD. What I want to know is below, assuming I have ACS software or an ACS appliance and the authentication protocol is RADIUS

    -What are the criteria for AD to integrate with the ACS appliance or software?

    -Should AD be hosted on the domain controller or not?

    -Otherwise, on what (DC, tree, forest, branch, flower, fruit) must AD be hosted?

    -What should I do to authenticate users logging into Cisco ACS Security Manager integrated with AD?

    -Are there other dependencies that I'll have to speak categorically in my description?

    Thank you

    Rishi

    First of all, I love the flower fruit one keep it up.

    If ACS is for Windows, it can be installed on the domain controller or a member server. For detailed information about the post-installation tasks needed for full integration, please see the following link, which contains the things you are looking for:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

    If ACS is the Solution Engine, then you need a piece of software called Remote Agent to be installed either on the domain controller or a member server. Also check the following link for more details on how to integrate it with AD:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/Rawi.html

    I hope this was informative for you.

    -----------------------------------------------------------------------------

    Please make sure to rate good answers

  • Secure ACS Authentication and Authorization with SecurID

    I am able to authenticate connection attempts using an external database (RSA SecurID).  The problem is that everyone with a token is authorized to connect on any switch with priv15 or whatever I put (but no way to control who gets what access).  How can I allow users based on a certain type of belonging to a group?  The SecurID server is already integrated with LDAP, it only checks to see if the user exists in the database.

    I need to create two groups, or even only allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect.  I can't find guides that do anything beyond authentication when you use a SecurID token.

    Thank you.

    Hello

    On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. When that command is in place, user access privileges can be governed by the ACS. In the default network administrator access policy (if you are using the default policy for TACACS+), set the authorization rule to verify membership in a user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to other users.

  • Problem ACS 4.0 and Server RSA Token

    Hello

    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users against an RSA token server.

    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points to the ACS server for RADIUS authentication. Now, it works very well for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like the authentication passed on to our internal RSA server.

    I installed the RSA Agent on the same server as the ACS (after adding the sdconf.rec file in the System32 folder). The RSA server was added to the ACS external databases and a user was configured to use the RSA token server for the password.

    When we try to authenticate, the ACS fails the attempt with the reason 'External DB password invalid'. The same user can authenticate successfully when using the RSA test authentication tool that is installed on the ACS server with the RSA Agent software.

    After running some debugs on a PIX in front of the servers, I see traffic to and from the servers when using the test tool (which works), but it looks like ACS doesn't even send traffic to the RSA server during authentication.

    Any help or advice appreciated.

    Thank you

    no no no no! Do not EVER use RSA with WIFI + PAP.

    The token + PIN can be sniffed and is good for 60 seconds... over WiFi, which is disastrous.

  • Integration with 50G

    Hello!

    Well, when I tried to compute the definite integral of | Sin x | I received the message cannot find the signin [0, 2 ft].

    I went into RPN mode, and this error persists. I then used [RS] [ENTER] to get the numeric result, and after a while, I got the correct answer 4. But I can't get the answer simply by clicking [EVAL].

    I also tried to calculate the antiderivative, and the calculator returned the correct answer -cos(x) * sign(sin(x)). I was wondering why the calculator produces an error when asked for an exact result (not numeric, without .).

    Jack

    confirming the latest set of equations:

    EVAL would be = - 1

    and -> limit X PI - 0 = 1

    and the limit X-> PI = cannot determine.

    So, there's a singularity...

    Unfortunately, because of the resolution of the 50G screen, when the resulting equation for the indefinite integral is plotted, the breaks in the plot at PI and 2*PI are not 100% clear.

    However, the subsequent calculations confirm that they exist.

    This is what has been shown when the original integral from 0 to 2PI of |sin(x)| is calculated.

    It is clear that the 50G automatically sets RIGOROUS ON, even if it is not enabled in the indicators (likely due to the absolute value function in the equation).

    RIGOROUS is perfectly reasonable to expect when EXACT mode is selected with an absolute value function.

    now for a pencil and paper method:

    |sin(x)| is sin(x) from 0 to PI

    |sin(x)| is -sin(x) from PI to 2PI

    so...

    the integral from 0 to 2PI of |sin(x)| can also be expressed as

    the integral from 0 to PI of sin(x)

    +

    the integral from PI to 2PI of -sin(x)

    in EXACT MODE (strict mode setting is more questions)

    When EVAL would be = 4.

    I can refer you to a message posted previously by Bernard Parisse (one of the developers of the CAS).   Bernard said that the CAS cannot intercept all EXACT integration singularities (but it reports some).

    Regarding the numeric approximation method (help-> NUM) to get the result... I can offer no answer as to the reason that the singularity is resolved.

    I've never seen a single post indicating what type of numerical approximation algorithms are used for approximate integration with the 50G.  Of course, the numerical approximation algorithms are distinct from exact calculations.

    Finally, FYI, here is another good example of the use of the 50G with an integral and having to use a bit of paper and pencil methodology (in this case, the Cauchy principal value method) to resolve the singularity on the 50G.

    /T5/calculators/50g-numerical-integration-with-singularities/m-p/5678169#M11440

  • Is there a work around to show the Site identity button when the integration with facebook like/send etc. It disappears when it comes to the page, it's because of the iframe can be done if anything.

    Is there a work around to show the Site identity button when the integration with facebook like/send etc. It disappears when it comes to the page, it's because of the iframe

    What can be done if anything.

    Pages that use "mixed content" (some parts of the page use HTTP and some use HTTPS) are not secure against tampering, so they will not display the site identity button. To resolve this problem, make sure that the external resources you are incorporating are available over HTTPS and that you use HTTPS to embed them.

    For example, to iframe widgets like the Facebook 'Like' buttons, make sure that your iframe uses src="https://192.168.1.20/...".

    See also discussion here: http://stackoverflow.com/questions/3587021/facebook-like-button-breaks-https-ssl
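A way to find the offending embeds before the browser does, as an added example that is not part of the original answer: it scans a page's HTML for subresources (iframes, scripts, images, stylesheets) still requested over plain `http://`. The tag list, function name and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute is fetched while the page renders (illustrative list).
SUBRESOURCE_ATTR = {"iframe": "src", "script": "src", "img": "src",
                    "embed": "src", "audio": "src", "video": "src",
                    "source": "src", "object": "data", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) for every subresource loaded over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTR.get(tag)
        if wanted is None:
            return  # e.g. <a href>: a navigation link, not a subresource
        attrs = dict(attrs)
        # <link> only loads content for stylesheets; rel=canonical etc. do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(wanted) or "").strip()
        # Scheme-relative ("//host/x") and https:// URLs inherit or use TLS.
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, assumed to be served over HTTPS.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/item">
<script src="//cdn.example/app.js"></script>
</head><body>
<iframe src="http://widgets.example/like?href=item"></iframe>
<IMG SRC="HTTP://cdn.example/logo.png">
<a href="http://other.example/">plain link</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag}>: {url}")
```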

  • CRM integrated with MS Project Management

    Hi Expert,

    On the CRM integrated with MS Project Management, there any company always do this?

    In fact, there are only certain configurations or it's really complicated customization?

    The result of the integration is really effective and efficient?

    Can share with me the practice of MS Project to the planning of resources management?

    Thank you!

    Hello

    The question you posted would be better suited to the TechNet Forums. I would recommend posting your query in the TechNet Forums for more assistance:

    http://social.technet.Microsoft.com/forums/da-DK/projectserver2010general/threads

  • While freeing up disk space, I accidentally deleted MSOffice, which is integrated with my HP 1000

    While freeing up disk space, I accidentally deleted MS Office which is integrated with my laptop HP 1000. How to restore my MS Office 2010 Starter? HP predict that if the product is still in warranty period?

    I tried restoring the factory settings but without any real help. Please help me!

    Kind regards

    Ron

    Once Office Starter is removed there is no way to reinstall it. Even a system recovery back to factory settings will not reinstall it.

  • SX 20 integration with VCS

    Hello

    Is it possible to integrate the SX 20 with VCS?

    Our customer wants to integrate TP with their MS Lync, and we found that VCS can do this job. So please suggest...

    I should also point out that we are planning to use a public IP address for the SX 20 to receive incoming calls from public IP addresses, as it will be integrated with an ISDN gateway.

    Details of the product for this solution:

    VCS

    SX 20

    TP ISDN Gateway

    Thanks in advance...

    Kind regards

    Daniele

    Yes, it's possible, check this.

  • Replacement of 6000 MXP Integrator with unique display. C40 SX20 vs?

    I have to make a quick decision and my CISCO sales representative is MIA :(

    We have a bunch of 6000 MXPs (integrator package) I would like to replace. They are simple installations with a single monitor on a roll integer grid.

    with output to the screen and a camera is there any point to spend the extra money for a C40 vs getting a SX20? From a point of view video capability they look pretty well. C40 more things gets me in the back, but it is a pretty simple setup.

    Just looking for what people here could do?

    Thank you!

    C40 and SX20 are two different videoconferencing solutions from Cisco: one is an integrator (C40) and the other is a Quick Set solution (SX20).

    The SX20 Quick Set is designed to provide multi-party and conference video in high definition with the flexibility to adapt to various configurations - all at a value price and size for the room.

    The C40 is for integrators and supports integration with third-party devices like Crestron and mixers.

    Both support the premium 1080p solution.

    Both are excellent solutions and are mind-blowing in their features compared to the MXP series.

    You can't go wrong with either.

  • Web authentication with RSA SecureID on a Cisco Switch

    Hello

    I recently looked into tying our Cisco 2960S GB switch in with RSA SecureID via RADIUS

    I already managed to tie it in to SSH access

    but I failed to make it work for http / web access to the switch

    I think it's because we use maximum security 'single use' tokens with RSA SecureID

    the web interface tries to authenticate several times against the RADIUS server part of RSA SecureID

    (OK on the first authentication, but every time after that it wants a different token code)

    I was wondering if anyone knew a way around this? (if there is a way to get the switch to authenticate once instead of multiple times against the RADIUS server)

    FYI, the switch is a WS-C2960S-24TS-L with IOS 15.0 (1) SE2

    Hello Chris,

    Can you test the following configuration?

    aaa group server radius webtac_grp
     server
     cache expiry 1
     cache authorization profile httpauth
     cache authentication profile httpauth
    !
    aaa authentication login httpauth cache webtac_grp group webtac_grp
    aaa authorization exec httpauth cache webtac_grp group webtac_grp
    aaa authorization network httpauth cache webtac_grp group webtac_grp
    aaa cache profile httpauth
     all
    ip http server
    ip http authentication aaa login-authentication httpauth
    ip http authentication aaa exec-authorization httpauth
    radius-server host key *

    I know for sure the above configuration works when you use TACACS+ instead of RADIUS in order to avoid multiple prompts due to the authentication of the Java applets used to access the IOS GUI. I have not tested it against RSA acting as an authentication server.

    NOTE: As "aaa authorization exec" is configured, the RSA should send the Service-Type attribute with the Administrative value for it to work as expected.

    If this was helpful please rate.

    Kind regards.
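To check the NOTE in the reply above against a captured RADIUS reply, the following added example (not part of the original post or of any Cisco or RSA tooling) parses the attributes of an Access-Accept and reports whether it carries Service-Type = Administrative, which RFC 2865 encodes as attribute 6 with value 6. The packets are constructed samples with a zeroed authenticator, which this sketch does not verify.

```python
import struct

# RFC 2865 constants
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6


def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data received")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def grants_admin_exec(packet: bytes) -> bool:
    """True only for an Access-Accept whose Service-Type is Administrative."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return False
    for a_type, value in attrs:
        if a_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE
    return False  # attribute absent: exec authorization has nothing to act on


def build_accept(attrs):
    """Helper for the constructed samples below (authenticator left as zeros)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed replies: Administrative (6), Login (1), and no Service-Type at all
# (attribute 18 is Reply-Message).
WITH_ADMIN = build_accept([(ATTR_SERVICE_TYPE, struct.pack("!I", 6))])
LOGIN_ONLY = build_accept([(ATTR_SERVICE_TYPE, struct.pack("!I", 1))])
NO_SERVICE_TYPE = build_accept([(18, b"ok")])

if __name__ == "__main__":
    for name in ("WITH_ADMIN", "LOGIN_ONLY", "NO_SERVICE_TYPE"):
        print(name, grants_admin_exec(globals()[name]))
```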

  • Integration with the PIX IDS firewall

    I read the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0 S4 (1), and stumbled on the new features of this version; it claims integration with the PIX firewall

    How do you implement this? What kind of integration does it offer?

    Instructions for the sensor and the basic configuration of PIX can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

    Instructions for sensor and PIX SSH configuration can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

    You can configure the sensor to connect to the PIX via telnet when using the PIX inside interface, otherwise you have to use SSH. SSH with 3des encryption is supported in version 3.0 or later sensors for connections to the PIX.

    Warning: If you use telnet with PIX version 6.2.1 or later, or if you want to use SSH with encryption on any PIX, you need a patch for your sensor. If so, open a TAC case and request the latest engineering version of nr.managed. Reference [email protected] for any question.
