Double authentication using LDAP and RSA

I would like to use LDAP and RSA (double authentication) for my SSL VPN clients. I can only authenticate users if my logon page requires them to enter a second username. If I configure it so that they only have to enter their username once, no authentication attempt is passed on to the authentication servers. I am running debugs on LDAP and RADIUS (for RSA), which is how I know that no authentication ever happens when they only have to enter their user name once on the login page.

If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.

Does anyone know how to configure the ASA so that users only have to enter their username once while using LDAP (as primary) and RSA (RADIUS) as secondary?

Thanks in advance.

Matt

Hi Matt,

I just tried on 8.3(2) and it works as expected. I suspect that you are running into this bug:

CSCte66568    Double authentication broken in 8.2.2 when use-primary-username is CONF.

If you are running 8.2, upgrade to 8.2(3) and you should be fine.

HTH

Herbert

Tags: Cisco Security

Similar Questions

  • DAP using LDAP and Cisco attributes

    I would like to be able to implement a dynamic access policy (DAP) with the criteria that all of the following conditions are met:

    Cisco.GroupPolicy = Sales

    ldap.memberOf = Remote_Access

    can have a specific set of access. My connection profile uses a RADIUS server to authenticate and assign the group policy.

    Is it possible to do this? So far, it doesn't seem to work for me.

    Hi Luis,

    If you want to use LDAP attributes in your DAP policy, you will need to use LDAP for authentication or authorization in your tunnel-group.

    Thus you will either have to replace RADIUS with LDAP for authentication, OR keep RADIUS for authentication and add LDAP for authorization on top.

    HTH

    Herbert
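    The following ASA configuration is an added example, not configuration from any of the posts above. It covers both threads on one box: Matt's double-authentication connection profile (LDAP as the primary server group, RSA over RADIUS as the secondary, with use-primary-username so the portal asks for the username once) and Herbert's answer to Luis (keep RADIUS for authentication and add LDAP authorization so ldap.memberOf is available to DAP). Server-group names, addresses, DNs, group-policy names and secrets are assumed placeholders; the test and debug commands at the end are the checks a practitioner would run before chasing the bug Herbert names.

```cisco
! Added example; names, addresses, DNs and secrets are assumed placeholders.
!
! --- Shared AAA server groups ---
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
! RADIUS group; in case 1 this is the RSA Authentication Manager
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.20
 key <radius-shared-secret>
!
! --- Case 1 (Matt): LDAP primary + RSA secondary, username prompted once ---
! Without the "use-primary-username" keyword the portal shows two username fields.
tunnel-group SSLVPN-2FA type remote-access
tunnel-group SSLVPN-2FA general-attributes
 authentication-server-group LDAP-SRV
 secondary-authentication-server-group RADIUS-SRV use-primary-username
 default-group-policy GP-SSLVPN
tunnel-group SSLVPN-2FA webvpn-attributes
 group-alias SSLVPN-2FA enable
!
! --- Case 2 (Luis): RADIUS authentication, LDAP authorization on top ---
! The LDAP authorization lookup is what makes ldap.memberOf visible to DAP;
! the DAP record itself (ldap.memberOf = Remote_Access AND
! cisco.grouppolicy = Sales) is built in ASDM, not in this CLI.
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
 authentication-server-group RADIUS-SRV
 authorization-server-group LDAP-SRV
 authorization-required
 default-group-policy Sales
tunnel-group SALES-VPN webvpn-attributes
 group-alias SALES-VPN enable
!
! --- Checks ---
! 1. Confirm the running release before suspecting CSCte66568.
show version | include Version
! 2. Exercise each server group directly, outside the portal.
test aaa-server authentication LDAP-SRV host 192.0.2.10 username jdoe password <ad-password>
test aaa-server authentication RADIUS-SRV host 192.0.2.20 username jdoe password <pin+tokencode>
test aaa-server authorization LDAP-SRV host 192.0.2.10 username jdoe
! 3. Watch a real login: LDAP bind/search, RADIUS Access-Request, DAP selection.
debug ldap 255
debug radius
debug dap trace
```

    If the test commands succeed but a portal login with the single username field produces no LDAP or RADIUS debug output at all, the problem is on the ASA side of the exchange, which is exactly the symptom Matt describes.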

  • Group authentication and RSA-SIG authentication without Xauth

    Hello

    I want to migrate my VPN users (dynamic clients) from OTP token authentication to certificate-based authentication.

    For a while, I will have two authentication methods on one VPN endpoint (PIX).

    For the pre-shared-key users, there is Xauth against an AAA server.

    Now I want my certificate users to be exempt from Xauth. There is no need for separate user authentication for them.

    See my configuration excerpt below for reference.

    ===========================================================

    access-list 101 permit ip any any

    ip local pool VPNpool 192.168.0.0-192.168.0.50

    vpngroup VPNgp address-pool VPNpool
    vpngroup rasadmin idle-time 1800
    vpngroup rasadmin password VPNpass

    crypto ipsec transform-set VPNts esp-3des esp-sha-hmac
    crypto dynamic-map client 5 match address 101
    crypto dynamic-map client 5 set transform-set VPNts
    crypto map vpn 1024 ipsec-isakmp dynamic client
    crypto map vpn client authentication TACACS+
    crypto map vpn interface outside

    isakmp enable outside

    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    ===========================================================

    How can I exclude the rsa-sig users from Xauth (crypto map vpn client authentication TACACS+)?

    Only the group authentication should authenticate with user name and password in addition to the pre-shared key.

    In my tests it seemed to me that Xauth can only be enabled or disabled for all isakmp policies and VPN groups at once.

    Or is it possible to deviate from that per group policy, pool, or something else?

    I use PIX 6.3(4) and the latest Cisco VPN Client.

    Thanks for your advice

    Stephan

    Unfortunately, as you have understood well enough already, XAuth is enabled at the global level, not by group. If you turn it on for some users, it gets turned on for all, no way around it.

  • Security using LDAP and RPD users

    Hello

    I need 5 dummy users in the RPD. I don't want to give them administrator privileges because they are not allowed to see everything in my dashboard. My authentication works using an LDAP server; is it possible to let these fake users log in as well as those on the LDAP server?

    I don't think it's possible to use the default BI Server authentication and LDAP authentication together. You can still have multiple LDAP servers for authentication. You can ask for 5 service accounts to be created in the LDAP for OBIEE and assign privileges accordingly so they see only the needed dashboards.

    Please award useful points,

    Thank you
    -Laurence.

  • BI Server uses LDAP and BI Publisher uses BI server auth - can this work?

    Hello

    I've set up the OBIEE BI Server to use our MS Active Directory LDAP repository for authentication purposes. It works perfectly.

    On the other hand, BI Publisher is configured to use BI Server authentication. I can see the XMLP* groups there, but obviously there are no users defined in the BI Server to add to them!

    The reason why I want to use this configuration is that another department is responsible for maintaining the AD, and it would make things easier if we could maintain BI Publisher access ourselves, through the BI Server admin tool.

    Something tells me that's not possible, but I was wondering if there is any workaround or tip for this problem?

    Thank you
    Luis

    With ADSI, you cannot import users and groups. You then create a session variable initialization block with an external table:

    See an example here:
    http://obieeblog.WordPress.com/2009/06/18/OBIEE-security-enforcement-%E2%80%93-external-database-table-authorization/

    See you soon
    Nico

  • CAC authentication using IIS7 and CF10

    I am currently working on a web application written in CF running on an IIS7 and CF10 server. We must replace our login page, where our users supply their username and password, with CAC login. The goal is for users to be prompted to enter the 6-digit PIN associated with their CAC to connect to the application rather than the user name and password they are currently using. If anyone has any suggestions on how to accomplish this it would be much appreciated.

    The first step to being able to log in with a CAC is to ensure that the correct certificates are loaded on your web server. If the right cert is there and the server can read the card, it will store the user's first name, last name and a unique user ID from the card at the end of the CGI.cert_subject variable. We added a field to our user database to save the number. Then we strip the name and number out of CGI.cert_subject and compare it to the database. But the key is getting the certificates right on your server: require SSL and require (or accept) a client certificate in the SSL settings. In addition, you must disable anonymous authentication and enable Windows authentication if you need everyone to log in.

    Hope that gets you started; if not, let me know and I can provide some of our code snippets.

  • UCS LDAP and native authentication

    Hello

    We set the native authentication to LDAP, and UCS Manager is connected to LDAP as well. We are able to connect to the GUI & SSH using the LDAP account. But we cannot connect to the GUI using the local account (admin).

    If I change the native authentication to local, we can connect to the GUI via the local account (admin), but cannot connect to SSH via the LDAP account.

    Am I missing something?

    Please let me know.

    / Rags

    Hello

    When you changed the native auth to LDAP and use the local account, are you prefixing the local username with the local authentication domain?

    * From a Linux / Mac machine

    SSH ucs -------@.

    SSH-l ucs -.

    SSH -l ucs -.

    * From client PuTTY

    Connect as: ucs -.

    NOTE: the domain name is case-sensitive and must match the name field set up in UCSM.

    Try connecting with the name in domain\username form and let us know the result.

    Padma

  • How to use 3DES and RSA

    Hi all, I need to write encryption and decryption using 3DES and RSA. Can anyone please tell me how to write this.

    I thought that the examples given are clear enough. For example, the method you gave

    encrypt(byte[] plaintext, int plaintextOffset, byte[] ciphertext, int ciphertextOffset)

    just encrypts the bytes of plaintext into ciphertext, reading from plaintextOffset and writing the bytes from ciphertextOffset. Pretty much exactly what the JavaDoc says!

    If you do not understand how to use a specific encryption algorithm, then the code will be confusing. In this case, I suggest that you go through the external documentation on these algorithms and the way they should be used before looking at the code. Search the internet; there is a lot of information on these algorithms out there. And there is a lot to understand, with the padding and the different block modes, which complicates the basic encryption code. And that's just 3DES!

    But if you are struggling with a specific part of the code, please feel free to paste it here and ask about it.

    BTW, the code examples are linked from each of the class pages; read the documentation at the beginning for the links.

  • ACS 5.2 - 802.1X user authentication with MSCHAPv2 using an LDAP identity source

    Hello community,

    I use ACS 5.2 as the authentication solution in my network. I configured two scenarios: network access policies and device administration.

    Currently, I have a few devices configured: 1 ASA (using RADIUS), 1 WLC-5508 (using RADIUS), 1 2960S (with TACACS+). And I set up an external identity store using LDAP (I can see and select all groups without problem).

    Everything works fine. My next step was to configure users to authenticate with 802.1X through ACS against my LDAP database.

    Assuming that all configurations are correct on all devices (when I use the internal database it works very well), these are the logs/configurations in ACS:

    At this point, we can see the error:

    22043 Current Identity Store does not support the authentication method; Skipping it.

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - Access Policy
    11507 Extracted EAP-Response/Identity
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    12300 Prepared EAP-Request proposing PEAP with challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318 Successfully negotiated PEAP version 0
    12800 Extracted first TLS record; TLS handshake started.
    12805 Extracted TLS ClientHello message.
    12806 Prepared TLS ServerHello message.
    12807 Prepared TLS Certificate message.
    12810 Prepared TLS ServerDone message.
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12318 Successfully negotiated PEAP version 0
    12812 Extracted TLS ClientKeyExchange message.
    12804 Extracted TLS Finished message.
    12801 Prepared TLS ChangeCipherSpec message.
    12802 Prepared TLS Finished message.
    12816 TLS handshake succeeded.
    12310 PEAP full handshake finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12313 PEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Store -
    22043 Current Identity Store does not support the authentication method; Skipping it.
    22056 Subject not found in the applicable identity store(s).
    22058 The advanced option that is configured for an unknown user is used.
    22061 The 'Reject' advanced option is configured in case of a failed authentication request.
    11815 Inner EAP-MSCHAP authentication failed
    11520 Prepared EAP-Failure for inner EAP method
    22028 Authentication failed and the advanced options are ignored.
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12307 PEAP authentication failed
    11504 Prepared EAP-Failure
    11003 Returned RADIUS Access-Reject

    So, what could be the cause? LDAP compatibility?

    Plinio,

    Look at this doc:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889

    There is a table which indicates that LDAP is not a database compatible with your EAP type (MSCHAPv2).

    LDAP can be used with EAP-TLS, PEAP-GTC, and EAP-FAST-GTC.

    EAP-TLS uses certificates on both sides, the supplicant and the authentication server.

    * GTC, if I'm not mistaken, is a WBS system to use with the EAP protocol.

    Table B-5 EAP Authentication Protocol and User Database Compatibility

    | Identity store        | EAP-MD5 | EAP-TLS | PEAP-EAP-MSCHAPv2 | EAP-FAST MSCHAPv2 | PEAP-GTC | EAP-FAST-GTC |
    |-----------------------|---------|---------|-------------------|-------------------|----------|--------------|
    | ACS                   | Yes     | Yes (2) | Yes               | Yes               | Yes      | Yes          |
    | Windows AD            | No      | Yes     | Yes               | Yes               | Yes      | Yes          |
    | LDAP                  | No      | Yes     | No                | No                | Yes      | Yes          |
    | RSA identity store    | No      | No      | No                | No                | Yes      | Yes          |
    | RADIUS identity store | No      | No      | No                | No                | Yes      | Yes          |

  • Is it possible to use both external LDAP and external table authentication?

    Hi, is it possible to use both external LDAP and external table authentication?

    Would they both need two initialization blocks to access the session system variable USER?

    Thank you

    Hello
    I don't think it's possible to implement LDAP authentication and external authentication together. The reasons are:
    1. We cannot define two sources (LDAP and external DB) in the same initialization block for user information.
    2. If two different initialization blocks (one for LDAP and one for the external DB) are used, we cannot use the variable USER twice, since it's a defined system variable.

    Thank you
    Swami

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE Server and exported it to the ACS 1120.

    I also added ACS as a NetOS Agent in the RSA server; during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is that necessary?).

    I have not created any secret key file for communication between ACS and RSA, and the encryption I used is FOR.

    Now, when I log into ACS and search for devices in the identity store sequences, I am not able to find the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me how the communication between RSA and ACS works.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing submit, what happened? Was the RSA instance created OK?

    If you go to

    Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

  • ACS 5.3: use LDAP for one SSID and the Internal Hosts store for a different SSID

    I have 2 SSIDs on the WLCs.

    I want one SSID to point to the ACS RADIUS using the LDAP store and the 2nd SSID to point to the ACS RADIUS using the Internal Hosts identity store for MAC filtering.

    Both scenarios work on their own, but not together.

    If I set the order of the rules I can get one SSID working, but then the other fails.

    Authentication failed:

    22056 Subject not found in the applicable identity store(s).

    Matched Service Selection Rule: Rule-1
    Matched Identity Policy Rule: Rule-1
    Selected Identity Stores: RBLDAP

    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store -
    24031 Sending request to primary LDAP server
    24017 Looking up host in LDAP Server - 04-xx-xx-xx-xx-xx
    24009 Host not found in LDAP server
    22056 Subject not found in the applicable identity store(s).
    22058 The advanced option that is configured for an unknown user is used.
    22061 The 'Reject' advanced option is configured in case of a failed authentication request.
    11003 Returned RADIUS Access-Reject

    If I move the MAC address rule before the LDAP rule, the MAC filtering works but then the LDAP authentication fails:

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - MAC filter network access service
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - Internal Hosts
    24209 Looking up host in internal hosts IDStore - 04-xx-xx-xx-xx-xx
    24211 Found host in internal hosts IDStore
    22037 Authentication Passed

    I tried setting up the following, without result.

    It seems to me that there should be a simple way to do this. I thought that if a rule does not match it would move on to the next rule, etc...

    I might be able to live with the LDAP check first and, if that does not pass, the local host DB, but that seems not to work either.

    https://supportforums.Cisco.com/thread/2133704

    You can create an identity store sequence so that if the endpoint is not present in the LDAP database, ACS then checks its local host database.

    Or you can create a condition in your service selection policy such that a rule where Called-Station-Id ends with (ssidA) matches the access service pointing to LDAP, and another rule where Called-Station-Id ends with (ssidB) matches the access service that uses the local host database.

    Here is the section on configuring the identity store sequence; don't forget to select "continue if user not found".

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...

    Thank you

    Sent from the Cisco Technical Support iPad App

  • VCSC & VCSE: device/user authentication using LDAP

    Hi all

    I configured the VCSC and VCSE for device and user authentication using LDAP. The issue I face is that my traversal zone does not connect to the VCSE. I am sure that my LDAP works very well because everything works perfectly (user authentication, for example) except this. The status I get is STRANDED on the traversal zone page of the VCS C.

    Has anyone encountered the same problem?

    It's not a problem, it's the expected behaviour: as the traversal zone also uses authentication, it will not use the local DB but your LDAP server.

    You create an additional account with the user name used on the VCS that matches the SIPIdentityUserName / h235IdentityEndpointID, and the password as well.

    Works very well for us.

  • LDAP authentication for SGD Cloud users and administrators

    Hello.

    I recently completed the installation of my new SGD 12.1.0.3 Cloud on Linux 6.4 (on a virtual machine).

    My question is whether it is possible (and how) to enable authentication for new SGD administrators through LDAP accounts.

    We already have our VM hosts configured to allow LDAP authentication to them, but how do we configure the OMS to enable LDAP authentication for its users as well? Because the users are in LDAP, they do not have a local account on the servers, and we do not necessarily want OMS users to be able to log in to the servers anyway.

    One of the objectives of using LDAP is that we want users to only have to change their domain/LDAP password and have everything else updated.

    I see that when an account is created in the OMS, the user is created in the OMS repository database. I really want to restrict them from logging directly in to the database, but I do not know how that is possible. Can we still use pupbld for this? Probably not...

    I read the Oracle documentation book below, but it is for SGD 11.1 and I'm on 12.1.

    Also, it was not very descriptive about how to set it up.

    It sounds almost as if you had to decide to use LDAP at the initial installation of the OMS.

    I hope not, and I do not remember that being an option when I installed SGD.

    Configuration of Oracle Enterprise repository to use external authentication tools - 11 g Release 1 (11.1.1.7)

    Yes, you can still integrate with LDAP. Please see the documentation here:

    http://docs.Oracle.com/CD/E24628_01/doc.121/e36415/sec_features.htm#CJAGHGAH

    EM uses WLS for authentication, so everything that is supported by this version of WLS will work. The documentation has instructions for OAM/OID/HAD, and Active Directory is covered as well.

    Users can be changed to the external type if they are already created in the repository with the appropriate login name. Otherwise, new users can be created.

    Also be sure to examine the external roles option, which allows you to map an LDAP group to an external role in EM with the same name, automatically assigning the required privileges to that group.

  • Site ads continue to use the proxy settings and I get the message "Authentication required" time and time again. How do I stop advertisements from using my proxy settings?

    I have set up my school proxy settings and use them very often. On some Web sites, ads continue to use these proxy settings (probably to show me ads based on my preferences, or I don't know), and I get the message "Authentication required" time and time again before the page finishes loading. It's annoying because if I have several tabs open and am currently on another page while the site with the ads is loading, I'm brought back to that page to authenticate. I can get asked 3 times to authenticate while that page loads, and it takes forever to load because of this. I don't want to disable my proxy settings because I use them very often. I tried unchecking "Accept cookies from Web sites" and nothing changes; it's always the same. I want these ads to stop going through my proxy settings. How do I do that?

    Hello

    You can try the Adblock Plus add-on. In addition to subscriptions, you can manually add URL patterns or click on an ad to add a filter.

    Support
