ASA and RSA SecurID
Hello
I have a question about Cisco AnyConnect and RSA SecurID.
I need to define users to groups in the RSA SecurID server.
When I try to create a profile and a group of tunnel and then authenticate with the server RSA I just see the user name.
Successful AAA user authentication: server = 10.210.x.x: user = test
I need the group name(for authorization) with name tunnel user to send to the RSA server.
Successful AAA user authentication: server = 10.210.x.x: Group = tunnel: user = test
There are good documents on this subject?
You can create groups for some external user databases maps based on the combination of the external user database groups to which users belong. The following types of data are the types of database external user for which you can create group maps based on membership in a group together:
Windows domains.
Generic Lightweight Directory Access Protocol (LDAP).
The following URL can help you in the group mapping configuration:
Tags: Cisco Security
Similar Questions
-
Hi all
I replaced our old Pix 515 for a new ASA 5520.
On the Pix (running ios 6.x) we have configured the pix to use an RSA SecurID appliance AAA server to authenticate remote VPN clients. To do this, we set up a group AAA using the radius Protocol. Now, for the SAA, I found documentation indicating that I need to create a group AAA that uses the SDI Protocol.
Now my questions are
(1) can I still use the RADIUS Protocol on the SAA is to authenticate with RSA SecureID, or what I have to use SDI?
(2) if I have to use SDI does mean I also have to change the configuration on my RSA I used to authenticate users of the PIX?
Kind regards
Screech
Hi little Duke
(1) you can still use the RADIUS.
(2) Yes, you would need to allow auth requests come from ASA
Roman
-
Access through RSA SecurID w / RADIUS ASA
Hello
I'm trying to configure AAA to access our ASA box. I have an RSA SecurID appliance with the operation of Steel Belted Radius. I have implemented access SSH and telnet without any problem.
However, when I try to access it via HTTP or with the ASDM, it will not authenticate. I enabled http server and added the appropriate commands, but what actually happens is when I try to log on by HTTP, it sends 2 RADIUS, 1 queries immediately after the other. So one gets accepted, 2nd gets rejected. I think it's because you cannot authenticate twice with the same token on the RSA code, so why the 2nd request is rejected. But he should not be sent 2 requests in the first place.
This does not happen through SSH.
I have attached a log from the flow of connection through the FW...
Any help is greatly appreciated!
Hello
ASDM will not work with Server Token RSA generated passwords. Generated by the Token RSA server past are one time only use. They expire after the first use. ASDM uses Java that caches of authentication once connected at the start. For all transactions http subsequent of the ASDM, uses Java caching of authentication information when communicating with the device. Each action of ASDM to the device is a transaction independent http involving any SSL handshake, but that Java uses cached authentication information users do not have to re-enter it.
ASDM works only if the configured authentication mechanism uses persistent passwords. Unique PASSWORD mechanisms do not work with the ASSISTANT Deputy Ministers.
Try to test http authentication with a user account local on the Radius Server and verify the results.
I hope this helps.
Soumya
-
Using RSA SecurID authentication
Hello
I'm trying to secure the access, the use of RSA SecurID for the following 2 scenarios:
SSH/telnet/console to any Cisco device (router, Switch, Firewall)
-Users of SSL VPN
Is it possible to do this integration directly between the Cisco device and the RSA SecurID itself? Or it is necessary to have GBA between the two? \
Thank you
Justine.
With the switches/AP/router only radius and Ganymede are supported you can configure IOS devices for the radius Protocol and the server as a token of RADIUS server.
http://www.Cisco.com/c/en/us/TD/docs/iOS/12_2/security/configuration/GUI...
ASA only supports SDI Protocol, so you can integrate the RSA securID directly with her.
SDI on SAA
http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...
SDI with ACS
http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...
You can read the discussion on the similar requirement.
https://supportforums.Cisco.com/discussion/11259716/RSA-SecurID
~ BR
Jousset
* Does the rate of useful messages *.
-
Cisco ACS 1113 appliance v4.1 - integration of RSA Securid v6.1
The Windows of Cisco ACS version seems to have the ability of integration with RSA Securid its listed in external databases. It can also support the SDI Protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113 but RSA Securid does not appear in the section external databases. This mean that I won't be able to use the SDI Protocol only available RADIUS.
And Yes you are right,
With ACS, we need to configure using RADIUS, on ACS SE it won't work with SDI.
Kind regards
Prem
-
Anyone who has used RSA Securid token to connect to the Cisco routers, switches and firewalls to manage. He even supported on Cisco devices? I speak NOT of the VPN access.
Any help will be greatly appreciated.
Thank you
Lake
Yes, I have. On the router and switches that you authenticate directly to the RSA server, it goes through an intermediary, such as Cisco ACS.
-
After Anyconnect I can't access to asa and LAN
Dear all,
My office use ASA 5505 and I use anyconnect from outside (sometimes overseas), I can connect to my network and business by ASA, internet access, but I can't access ASA and LAN (network of my client). WHY?
Office 192.168.10.0/24
192.168.11.0/24 VPN
How can I solve this problem?
ASA Version 9.2 (3)
!
ciscoasa hostname
activate the encrypted password of XXXXXXXXXX
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd encrypted XXXXXXXXXX
names of
192.168.11.1 mask - 192.168.11.10 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP AAA. BBB. CCC DDD EEE. FFF. GGG. HHH
!
boot system Disk0: / asa923 - k8.bin
passive FTP mode
clock timezone 8 HKST
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic intra-interface
network of the VPN_Pool object
subnet 192.168.11.0 255.255.255.240
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
DefaultRAGroup_splitTunnelAcl_1 list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-731 - 101.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
interface NAT (outside, outside) dynamic source VPN_Pool
NAT (inside, outside) static source any any static destination VPN_Pool VPN_Pool non-proxy-arp-search to itinerary
!
!
NAT source auto after (indoor, outdoor) dynamic one interface
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 AAA. BBB. CCC DDD. 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Activate Server http XXXXX
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA SHA-ESP-3DES ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-ESP ESP-3DES-SHA-TRANS TRANS-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint Anyconnect_Self_Signed_Cert
registration auto
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
name of the object CN = 115.160.145.114, CN = ciscoasa
Configure CRL
trustpool crypto ca policy
string encryption ca Anyconnect_Self_Signed_Cert certificates
certificate 5c7d4156
308202d 4 308201bc a0030201 0202045c 415630 0d06092a 864886f7 0d 010105 7 d
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a 8648
09021608 63697363 6f617361 31353131 31303131 31363231 301e170d 86f70d01
5a170d32 35313130 37313131 3632315a 302 c 3111 55040313 08636973 300f0603
636f6173 61311730 1506092a 864886f7 0d 010902 16086369 73636f61 73613082
0122300d 06092 has 86 01010105 00038201 0f003082 010a 0282 010100cc 4886f70d
af43a895 8c2c3f49 ad16c4b9 a855b47b 773f4245 1954c 728 7 c 568245 6ddc02ab
78 c 45473 eb4073f6 401d1dca 050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa
454ff4bb 691235ab 34e21d98 4cfecef4 204e9c95 76b1b417 b5cf746c 830788b 4
60063e89 0ffe5381 42694cf8 d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67
4ad8954f 5392790b 4ded225c c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a
d054a290 14316cc0 1670bdea f04c828b 7f9483fb 409fa707 fbe5a257 33597fed
ca790881 b1d4d3dc b0e1095e bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1
8b9421fa ee2b99ae df07fba1 0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02
03010001 300 d 0609 2a 864886 05050003 82010100 c8719770 1305bd9c f70d0101
2608f039 0dc6b058 0dfe3d88 76793 has 18 8f601dda b 8553, 893 d95e3b25 30ef7354
772f7d0b 772869d 7 372f8f5c f32992af fa2c8b6e 0f0ae4ce 4e068b8d b7916af2
affa1953 5bfd01a6 1a3c147d 75d95d8c 1122fa85 3905f27b 2474aff4 11fff24f
c305b648 b4c9d8d4 9dcf444b 9326cda3 0c4635d0 90ff8dd8 9444726c 82e002ec
be120937 0414c20a 39df72fb 76cd9c38 cde9afda 019e9230 66e5dba8 ed208eae
5faabb85 ff04f8f2 c36b724b 62ec52cc f967ee1d 1a6458fc 507a 2377 45 c 20635
2c14c431 baac678a dcc20329 4db7aa51 02c 36904 75b5f307 f1cc056d 726bc436
597a 3814 4ccd421d cb77d8f5 46a8ae69 2d617ac8 2160d7af
quit smoking
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 5d7d4156
308201f0 30820308 a0030201 0202045d 415630 0d06092a 864886f7 0d 010105 7 d
05003046 06035504 03130863 61736131 18301606 03550403 6973636f 3111300f
130f3131 352e3136 302e3134 352e3131 1506092a 34311730 864886f7 0d 010902
73636f61 16086369 7361301e 170d 0d 323531 3135 31313130 31323136 35395a 17
3111300f 06035504 03130863 6973636f 61736131 a 31303731 32313635 395, 3046
18301606 03550403 130f3131 352e3136 302e3134 352e3131 1506092's 34311730
864886f7 0d 010902 16086369 73636f61 73613082 0122300d 06092 has 86 4886f70d
01010105 00038201 0f003082 010 has 0282 010100cc af43a895 8c2c3f49 ad16c4b9
a855b47b 773f4245 1954c 728 7 c 78 45473 eb4073f6 401d1dca 568245 6ddc02ab
050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa 454ff4bb 691235ab 34e21d98
b 830788 4 4cfecef4 204e9c95 76b1b417 b5cf746c 60063e89 0ffe5381 42694cf8
d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67 4ad8954f 5392790b 4ded225c
c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a d054a290 14316cc0 1670bdea
f04c828b 7f9483fb 409fa707 fbe5a257 33597fed ca790881 b1d4d3dc b0e1095e
bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1 8b9421fa ee2b99ae df07fba1
0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02 03010001 300 d 0609 2a 864886
05050003 82010100 00089cd 3 d0f65c5e 91f7ee15 bbd98446 35639ef9 f70d0101
45b 64956 f146234c 472b52e6 f2647ced a109cb6b 52bf5f5d 92471cb7 a3a30b63
052ac212 c6027535 16e42908 ea37c39a 4d203be9 8c4ed8cd 40935057 3fe8a537
a837c75c feff4dcc 1b2fd276 257f0b46 8fcd2a5c cbdcacec cd14ee46 be136ae7
7cd4ae0d aace54fe 5187ea57 40d2af87 cded3085 27d6f5d8 1c15ef98 f95cc90e
a 485049 4 805efa8f 63406609 a663db53 06b94e53 07c1c808 61eadcdb 2c952bee
74a0b3dd ae262d84 40b85ec5 a89179b2 7e41648e 93f0e419 3c482b29 e482d344
d756d450 8f0d9302 d023ac43 a31469a4 105c8a0c b1418907 693c558c 08f499ef
364bc8ba 4543297a a17735a0
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev2 access remote trustpoint Anyconnect_Self_Signed_Cert
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assigndhcpd 192.168.10.254 dns 8.8.8.8
dhcpd rental 43200
!
dhcpd address 192.168.10.1 - 192.168.10.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP AAA server. BBB. CCC. Source DDD outside prefer
SSL-point of approval ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
AnyConnect profiles Anyconnect_client_profile disk0: / Anyconnect_client_profile.xml
AnyConnect enable
tunnel-group-list activate
internal DefaultRAGroup_2 group strategy
attributes of Group Policy DefaultRAGroup_2
DNS-server AAA value. BBB. CCC AAA DDD. BBB. CCC DDD.
Ikev2 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
internal GroupPolicy_Anyconnect group strategy
attributes of Group Policy GroupPolicy_Anyconnect
WINS server no
value of server DNS 8.8.8.8 8.8.4.4
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
Split-tunnel-policy tunnelall
IPv6-split-tunnel-policy excludespecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl_1
by default no
activate dns split-tunnel-all
IPv6 address pools no
WebVPN
AnyConnect value Anyconnect_client_profile type user profiles
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
attributes of username XXXXXXX
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
attributes global-tunnel-group DefaultRAGroup
address pool VPN-pool
Group Policy - by default-DefaultRAGroup_2
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared key XXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group Anyconnect type remote access
tunnel-group Anyconnect General attributes
address pool VPN-pool
Group Policy - by default-GroupPolicy_Anyconnect
NAT - to-public-ip assigned inside
tunnel-group Anyconnect webvpn-attributes
enable Anyconnect group-alias
tunnel-group Anyconnect ppp-attributes
ms-chap-v2 authentication
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
Review the ip options
!
service-policy-international policy global
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:24991680b66624113beb31d230c593bb
: endHi cwhlaw2009,
You must configure a policy Split-tunnel, if you want to be able to access the internal and local network at the same time.
It may be useful
-Randy-
-
Double authentication using LDAP and RSA
I would use LDAP and RSA (double authentication) for my SSL VPN clients. Can I authenticated users if my logon page requires users to enter a second username. If I have the configuration so that they have to enter their username once, no authentication attempt is passed on to the authentication servers. I'm under debug on LDAP and RADIUS (for RSA), which is what I know that authentication is never over if they are to enter their user name once on the login page.
If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.
Does anyone know how to configure the ASA so that they have to enter their username once while using the LDAP (as principal) and RSA (RADIUS) (secondary)?
Thanks in advance.
Matt
Hi Matt,
I just tried on 8.3 (2) and it works as expected. I suspect that you are running in this bug:
CSCte66568 Double authentication broken in 8.2.2 during use-primary-username is CONF.
If you are running 8.2, upgrade to 8.2 (3) and you shoud be fine.
HTH
Herbert
-
Cisco ACS 5.1 and RSA Authentication Manager 6.1
Hi all
We recently had a Cisco Secure ACS 1120 and I improved the Unit 5.1 5.0 with all your support
Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.
I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).
I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.
Now, when I log into ACS and search for devices in the identity store sequences I am not able to get Sever Token RSA.
Let me know what was wrong, where can I fix and also please tell me what is the communciaction between the RSA and ACS?
Hoping that you guys help me as usual when I'm in a hurry...
Sree
Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?
If you go to
Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?
-
SSO with WebVPN ASA using RSA tokens
Current configuration:
Chip & PIN the user authenticates for-> ASA5510 8.2 Clientless VPN-> past to the 7.2 SDI RSA Authentication Manager.
I've got of authentication works great, at the first connection, users can connect with their AD usernames and RSA tokens and generate his pin code.
We used to use ACS express and their advertising information for vpn authentication, but now we have to two factors of authentication.
Is it possible to some how to maintain SSO so that when the user authenticates via its RSA token they can always browse through OWA, Sharepoint, CIFS (file share) without having to enter their credentials for the AD?
Any help or information is much appreciated.
Thank you
You can activate the field "internal password" on the customization of WebVPN and also re-name-the ("Password AD" for example) and then configure the entries in the auto-code of access for internal URLS on NTLM. Such that when the guest servers the WebVPN session will send the user name used to connect to the ASA but send the internal password captured during the connection instead of the password used to connect to the WebVPN himself.
The only problem I saw during the test, there is no seam to be a graceful way to establishing a password incorrect or missing, then NTLM would fail and fall back basic over ssl. Finally it would block the AD accounts based on URL how much the user has tried when the password entered when the connection is bad or missing (because it failed to connect to the WebVPN).
-
Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles
/ * Style definitions * / table. MsoNormalTable {mso-style-name: "Table Normal" "; mso-knew-rowband-size: 0; mso-knew-colband-size: 0; mso-style - noshow:yes; mso-style-priority: 99; mso-style - qformat:yes; mso-style-parent:" ";" mso-padding-alt: 0 cm 0 cm 5.4pt 5.4pt; mso-para-margin: 0 cm; mso-para-margin-bottom: .0001pt; mso-pagination: widow-orphan; font-size: 11.0pt; font family: 'Calibri', 'sans-serif"; mso-ascii-font-family: Calibri; mso-ascii-theme-make: minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-make: minor-fareast; mso-hansi-font-family: Calibri; mso-hansi-theme-make: minor-latin ;}"}
Hello
I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)
I create several groups within the Active Directory server, I try to give to users for their groups different access rights.
I tried to define an access policy "NetOp/NetAdm" and two authorization rules:
Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0
Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0
Default: refuse
In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.
But I still refuse to get access, RSA authentication is successful, but the group membership, active directory does not work, even with the unix attributes or group principal defined for the user.
My question is this valid configuration scenario? Is there another way to define several profiles according to the Group of users of external source?
The stages of monitoring:
Measures
Request for access received RADIUS 11001
11017 RADIUS creates a new session
Assess Service selection strategy
15004 Matched rule
Access to Selected 15012 - NetOp/NetAdm service policy
Evaluate the politics of identity
15004 Matched rule
15013 selected identity Store - server RSA
24500 Authenticating user on the server's RSA SecurID.
24501 a session is established with the server's RSA SecurID.
24506 check successful operation code
24505 user authentication succeeded.
24553 user record has been cached
24502 with RSA SecurID Server session is closed
Authentication 22037 spent
22023 proceed to the recovery of the attribute
24628 user cache not enabled in the configuration of the RADIUS identity token store.
Identity sequence 22016 completed an iteration of the IDStores
Evaluate the strategy of group mapping
15006 set default mapping rule
Authorization of emergency policy assessment
15042 no rule has been balanced
Evaluation of authorization policy
15006 set default mapping rule
15016 selected the authorization - DenyAccess profile
15039 selected authorization profile is DenyAccess
11003 returned RADIUS Access-Reject
Thank you
Christophe
I think you need to do is to create a sequence of identity with RSA as a selection in
Authentication and recovery research list of attributes and AD in the additional attribute list recovery research. Then select this sequence as a result of the politics of identity for the service
-
We deploy VMware View with RSA Securid 7.1 5.1. We have a RSA and RSA 7.1 installed agent on the server and display the VM VDI and to challenge the value. The View Manager is configured to use RSA according to the doc.
We also use Cisco VXC 2111 zero clients (connected to the Cisco voip phone). The thin client connects and manages to authenticate with the password. However, the client also asked that the password and then passes the user on the desktop.
I can't find info on how to do to prevent it ask the password too. Any ideas?
EDIT: I discovered that the Cisco VXC 2111 running 4.6 View Client. I wonder if this is the problem?
I'll have to test it with a Wyse P20 and see if there is a difference.
1. with RSA SecurID authentication, find password guests once SecurID authentication is complete. The password is necessary in order to perform SSO to the virtual office. If the view does not request password, SSO is not possible and the user must sign - one for each virtual desktop in any case. SecurID represents an additional authentication at the beginning of the sequence.
2. you need not install the RSA Agent on view connection server. View has all that he needs to perform SecurID authentication against RSA Authentication manager.
3. it is a very old document you are referencing. It's to see 3.0. See here for the latest documentation for each version of the view. http://KB.VMware.com/kb/2003455
I hope this helps.
Select this option.
-
VMWare View with RSA SecurID integration
Hi all.
We try to make VMware View to authenticate users through RSA SecurID according to the attached document. However, it is not clear where to put the node Secret file that is generated on the RSA Authentication Manager server? It is exported in the form of .rec file and is protected by a password, but server configuration view has all fields to load the node secret file. Should I simply rename the securid .rec file and put in %SystemRoot%\System32\securid? But how to do View Server to decrypt this file by using the password then?
On the RSA server, I see in the newspapers:
2010-03-12 08:05:49U-
/viewservername.company.com-
12/03/2010 03:05:49U verification of node doesn't have a rsa - ace - server.company.com
RSA doc says
"An incompatibility between the secret of node stored on an authentication manager and subsequently stored on an Agent Host may occur if you delete and re-create an Agent Host, or if you accidentally delete a secret file of the nodes. The incompatibility prevents messages between devices which is decrypted and causes the Agent Host deny access to all users who attempt to log on. Node of that check failed is recorded in the audit trail.
Hello
for me it is look like this attached image.
MCP, VCP
-
Cisco Firepower 4110 Clustering with ASA and DFT
Hi all
We have a pair of Cisco 4110 firepower devices and have them clustered for the ASA Security Module.
There seems to be no option to add an additional logical device for the threat of fire power defence Module, so can only assume this is not supported in an active/active state.
More on the SAA Module there is no tab of remote access VPN Configuration.
So my question is how to incorporate the functionality of defense threat in the ASA, I suppose that this would be by the engine unloading in the advanced settings, but requires the SAA be in Active mode / standby and the power of fire threat defense logical device will be available?
Second question is it would have been better buy the Cisco ASA 5585 X with the Module of firepower in support of all the regular features of the SAA as well as traffic inspection unloading to the module of firepower?
I found some documentation on the Cisco site, but tend to lose sight of where the reference to FTD and not be supported of the Clustering or RAS VPN not supported by ASA or FXOS docs, so I was hoping for some insight on here.
Appreciate any clarity around the support of devices 4110 of the firepower and configuration of the FTD and ASA combines the features supported.
We run ASA v9.6 (2) and FXOS 2.0.1 (86).
Thanks in advance.
Mark
On a firepower 4100 Series chassis, you can run a single logical unit. Several logical devices are supported only on the 9300 firepower that supports up to 3 modules of security.
So choosing between types of module ASA and DFT (or technically you can also deploy the RADware vDefense Pro but it is mainly for service providers).
One or the other and never the two.
The module of the SAA supports remote access VPN over 4110 of firepower. I put one in place personally nothing this month. Have you recorded the chassis with the smart licence and applied ASA licenses (basic an and 3DES / AES)?
The ASA modules take supported the HA and inter-chassis clustering on the 4100 series hardware.
If you run picture FTD, there is currently no support for remote access VPN. It is a high priority position of roadmap for a future version (post - 6.2). FTD does not currently support the chassis inter cluster but that should be in version 6.2.
-
Site to Site with ASA and FortiGate
I have setup a VPN site-to site between my ASA and FortiGate customers. The tunnel rises with success, but we can not pass traffic. When I do a packet capture on my ASA, I see traffic on the port of entry as usual, but on the output port, the source address gets NAT had I checked all statements of NAT, and there is a statement NAT exempted from the entry port to the port of exit and in the VPN configuration.
Then your oder of NAT statements in probably wrong. The dynamic NAT for outgoing traffic must be at the end (I put them always in article 3), while the Exemption must be at the beginning of Section 1.
Maybe you are looking for
-
"Hey Siri" does not not on iOS 10.0.1 on iPhone 7 more
Hello "Hey Siri" did not work on iOS 10.0.0 on my iPhone 7 more. When I say the command, the screen trying to move on the screen of Siri but then quickly goes back to where I was before, everything in a second. I did the software updated to 10.0.1 af
-
Why the arrow of 'hide ads' Yahoo email does not appear on Mozilla?
It does on Google Chrome. Contacted Yahoo about this and they suggested might be a Mozilla issue, and I'm tending to agree. It used to work perfectly. Is there a "fix" for this anywhere?
-
I'll set up a contact group, but some contacts refuse to be copied in the list of groups
I'll put up a group of contacts for our choir. I copied (drag / move) of the address book to the Group about 60 contacts but some garbage 'go' in the new group. Suggestions, please.
-
Impossible to navigate to and select the menu buttons during playback of DVD on TV
I use DVD Studio Pro 4.2.1 on iMac OS 10.6.8 (using old BONES of FCP 6.0.6). I have two DVD players for my TV and a Sony DVP-NS57P-GE GE1105P. For the video I created, I have two buttons on the main menu 1, 'Play' and 'Chapters' which goes to menu 2
-
How to close a pop-up open running in the new thread in Teststand without manual intervention?
Hello I'm keycycle in infinite while loop. There are two ways to break out of the loop 1. click on the 'OK' button on the pop-up that says "complete the event. The pop up is running in a new thread. 2 increase the value of the parameter "Reset_Count"