Integration of RSA, AD and ASA

Hello

We currently have an ASA firewall where users authenticate using RSA tokens. When we create a new user in RSA, the user name must match their AD user name. The ASA uses RSA as a RADIUS authentication server.

For our remote access VPN, we have several group policies on the ASA, and the ASA assigns the correct group policy based on the RADIUS profile associated with the user in RSA.

We would now like to abandon RSA completely and use AD for both authentication and profile assignment. Can anyone tell me whether this would be simple? I want the ASA to authenticate VPN users against AD and assign a profile so that every user gets the appropriate group policy.

Thank you

Hello

It is possible to assign a group policy with AD authentication to users in a particular AD group. I guess that for AD you will mainly use LDAP for this. Please go through the following links for more information:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

Regards

Véronique

Tags: Cisco Security

Similar Questions

  • Cisco ACS 1113 appliance v4.1 - integration of RSA Securid v6.1

    The Windows version of Cisco ACS seems to have the ability to integrate with RSA SecurID; it's listed under external databases. It can also support the SDI protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113, but RSA SecurID does not appear in the external databases section. Does this mean that I won't be able to use the SDI protocol, only RADIUS?

    And yes, you are right.

    With the ACS SE we need to configure it using RADIUS; on the ACS SE it won't work with SDI.

    Kind regards

    Prem

  • Remote access VPN integration with RSA token

    Hello friends,

    I currently have an ASA 5520 running 9.0 that authenticates remote-access VPN users against a RADIUS ACS server. I also have an ACS TACACS+ server used to authenticate access to network devices (routers, switches, etc.). My manager asked me to add a second authentication factor using RSA tokens. Questions:

    How does it work?

    Can I use my TACACS+ ACS as a redundant authentication method for the VPNs in case my RADIUS server goes down?

    Can I use my RADIUS ACS server as a redundant method for managing my network devices in case my TACACS+ server goes down?

    In addition, can the RSA token be used to authenticate access for managing network devices?

    Any comments will be appreciated.

    Kind regards!

    RSA has a built-in RADIUS server and by itself it can serve as a second factor.

    Using the RSA token server by itself is two-factor when you use a PIN and a token code.

    Using TACACS+ for VPN is not possible.

    Check with your RSA administrator for the integration steps.

    You can directly integrate the ASA with RSA, and integrate ACS with RSA as well.

    This way you have redundancy in the RSA server.

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • Authentication RSA on ASA key error

    Hello

    I'm trying to authenticate a Cisco 851 to an ASA 5520 with MS CA digital certificates. I get this error:

    CRYPTO_PKI (make trustedCerts list) CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2

    CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable

    CRYPTO_PKI:check_key_usage: Not acceptable OID ExtendedKeyUsage found

    It seems that the EKU (ExtendedKeyUsage) is not accepted. You can try to disable the EKU check by adding the following command under the trustpoint config:

    ignore-ipsec-keyusage

  • ACS 5.3 integration with RSA

    Hi people,

    I have joined ACS 5.3 to AD.

    Now my next goal is to integrate ACS with RSA so that all my Cisco devices use the AD username and password.

    The enable privilege level should come from the RSA OTP token.

    Is it possible to do such a thing with ACS 5.3?

    If yes, how can I do it?

    Thank you

    Maury

    I think you may try to make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary.

    (This is not tested and based on my memory; it would need your checking.)

    (1) Create a custom condition on the Service attribute of the TACACS+ dictionary

    Policy Elements > Session Conditions > Custom

    Create: Dictionary: TACACS+; Attribute: Service

    (2) Use it in the Device Admin identity policy

    Access Policies > Access Services > Default Device Admin > Identity

    Select rule based

    Customize the condition with the one created in step 1

    Create a rule for when Service is 'enable'. Select the identity source as RSA in this case.

  • E-mail security. Attachment scanning of content filter

    Hi, is there a document where you can see what types of files the Email Security Appliance can search for a string? I would like to create an outgoing content filter that looks "inside" the attachment for a string. I think you can do this in Office and PDF documents, but I'm not completely sure, and I also don't know in what other file types you can search.

    The final goal is to find a string, 'Confidential' for example, and drop the mail if it is not encrypted. If the string 'Confidential' is present, the email should be encrypted, and this word might be inside a Word document.

    Is this possible in the first place?

    Thanks in advance

    Samuel

    There are almost 400+ file types that the ESA can recognize and analyze. It is possible to find these strings in Office and PDF documents as you requested, among others.

    When the string has been found, you can take a number of actions such as quarantine, encrypt, drop, etc. If you want deeper analysis, consider using the RSA Data Loss Prevention integration on the ESA for more precise detection.

  • Access to the external network when connected to the VPN

    I have a 5505 on which I successfully set up an IPsec connection. It uses NT/Active Directory authentication. After I log in, I can access everything on the remote (internal) network. I can't access anything on the internet.

    Everything behind the ASA can access the internet; it's the VPN clients that cannot come back out.

    Syslog messages show the VPN clients building up and tearing down ICMP connections when they try to ping the outside, but they are not answered.

    I know it's most likely an ACL or NAT statement, but I am out of ideas.

    config attached

    You have 2 options.

    Split tunneling: unencrypted access to the internet.

    Public internet on a stick: internet traffic goes into the ASA and back out.

    same-security-traffic permit intra-interface

    global (outside) 1 interface

    nat (outside) 1 <vpn-pool-network> <vpn-pool-mask>
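Both options from the answer above, written out as an added example (not the original poster's config, which was attached to the thread and is not reproduced here). The VPN pool 10.10.10.0/24, the internal network 192.168.10.0/24 and the names are assumptions. The hairpin part is shown in the pre-8.3 syntax the answer uses and, going beyond the thread, in the 8.3-and-later object NAT syntax.

```cisco
! Option 1: split tunneling. Only traffic to the listed internal networks goes
! through the tunnel; internet traffic leaves the client directly, unencrypted
! and outside the ASA's policy. Network and names are assumptions.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy GP-RA-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Option 2: hairpin ("internet on a stick"). Keep tunnelall (the default) on the
! group policy so all client traffic enters the outside interface, allow traffic
! to re-enter and leave the same interface, and NAT the VPN pool to the outside
! address on the way back out. Existing NAT exemption for VPN-to-inside traffic
! stays as it is; the rules below only touch outside-to-outside traffic.
same-security-traffic permit intra-interface

! Pre-8.3 syntax (as in the answer above; VPN pool is an assumption):
global (outside) 1 interface
nat (outside) 1 10.10.10.0 255.255.255.0

! 8.3 and later equivalent, twice NAT with an object for the pool:
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
nat (outside,outside) source dynamic VPN-POOL interface
```

With the hairpin, `show nat` (8.3+) or `show xlate` should show translations for the VPN pool on the outside interface while a client pings an internet address; if `same-security-traffic permit intra-interface` is missing, the ASA drops the returning packets on the outside interface and the ICMP connections build and tear down exactly as the syslog in the question describes.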

  • 4.2.0 Build update (124) Patch17 4.2.1 - ACS locked file

    I'm trying to upgrade ACS 4.2.0 to 4.2.1. When the setup program tries to uninstall the current version of ACS, it fails with the message "the CiscoSecure ACS file appears to be locked by another application".

    -ACS is installed on Win server 2003R2.

    -There is no anti-virus installed on the server

    -All application windows (Explorer,...) are closed

    -I'm the only user on this server

    ACS log files are reduced to 3 days of history.

    ACS is integrated with RSA SecurID. Could that be the cause? Should I uninstall RSA SecurID?

    Petr

    In my experience, we usually get this error due to a huge accumulation of logs in the ACS installation directory.

    Please remove or move all the files from the following ACS installation directory locations and then try to upgrade again.

    Once removed, we can recover these logs again.

    \CSAuth\Logs

    \CSRadius\Logs

    \CSTacacs\Logs

    \CSLog\Logs

    \CSMon\Logs

    \CSAdmin\Logs

    \CSDbsync\Logs

    Also, have we not enabled full logging on ACS?

    Jatin
    -Rate useful posts-

  • Authentication Manager + GemPlus smart card reader

    Hi all!

    I was reading about View Manager authentication integration with RSA SecurID. I did some tests and it worked like a charm.

    But could I use a GemPlus smart card solution to authenticate users?

    Thank you.

    Best,

    Eduardo.

    If you found this information useful, please consider awarding points: 'Correct' or 'Useful'.

    Hi Eduardo,

    VMware View supports the RSA SecurID two-factor auth method.

    It also supports smart card logon on the desktop with SSO from the client to the desktop.

    There is an information guide on smart cards on the VMware website explaining this: http://www.vmware.com/files/pdf/view_cert_authentication.pdf

    Kind regards

    Christoph

    Don't forget to assign points if this answer was helpful for you.

    Blog:

    http://Communities.VMware.com/blogs/Dommermuth | http://www.thatsmyview.NET/

  • ASA SHA256 integrity for proposal of IPSEC IKEV2

    Hi team,

    I tried to configure SHA256 integrity for the IPsec IKEv2 proposal and the SHA256 option wasn't available; the version we run is 9.0(3). The ASA model is a 5540 (legacy). Could someone please help us identify whether the legacy firewall would support this if we upgrade the software to 9.1(6), as this is the last version available for the box.

    ASA(config-ipsec-proposal)# protocol esp integrity ?

    ipsec-proposal mode commands/options:

    md5    set md5 hash

    null   set null hash

    sha-1  set sha-1 hash

    Thank you

    Vishnu

    Hi,

    Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - IPsec and ISAKMP - Creating a Basic IPsec Configuration - note at the end of step 2:

    SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not on the 5505, 5510, 5520, 5540 and 5550).

    Given that Cisco has announced the end-of-life date for these older platforms

  • Access through RSA SecurID w / RADIUS ASA

    Hello

    I'm trying to configure AAA for access to our ASA box. I have an RSA SecurID appliance running Steel Belted Radius. I have implemented SSH and telnet access without any problem.

    However, when I try to access it via HTTP or with ASDM, it will not authenticate. I enabled the http server and added the appropriate commands, but what actually happens is that when I try to log on by HTTP, it sends 2 RADIUS requests, one immediately after the other. So one gets accepted and the 2nd gets rejected. I think it's because you cannot authenticate twice with the same token code on the RSA, which is why the 2nd request is rejected. But it should not be sending 2 requests in the first place.

    This does not happen through SSH.

    I have attached a log of the connection flow through the FW...

    Any help is greatly appreciated!

    Hello

    ASDM will not work with RSA Token Server generated passwords. Passwords generated by the RSA token server are one-time use only; they expire after the first use. ASDM uses Java, which caches the authentication once connected at the start. For all subsequent HTTP transactions from ASDM, Java uses the cached authentication information when communicating with the device. Each ASDM action towards the device is an independent HTTP transaction involving a full SSL handshake, but because Java uses the cached authentication information, users do not have to re-enter it.

    ASDM works only if the configured authentication mechanism uses persistent passwords. One-time password mechanisms do not work with ASDM.

    Try to test HTTP authentication with a local user account on the RADIUS server and verify the results.

    I hope this helps.

    Soumya

  • ASA SSL VPN with RSA authentication

    Has anyone implemented SSL VPN on an ASA device using remote SecurID tokens? The datasheets indicate native RSA can be used for authentication, but does this work with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • SSO with WebVPN ASA using RSA tokens

    Current configuration:

    User authenticates with token & PIN -> ASA5510 8.2 clientless VPN -> passed to RSA Authentication Manager 7.2 over SDI.

    I've got authentication working great; at first connection, users can connect with their AD usernames and RSA tokens and generate their PIN.

    We used to use ACS Express and their AD information for VPN authentication, but now we have to use two-factor authentication.

    Is it possible to somehow maintain SSO so that when the user authenticates via their RSA token they can still browse OWA, SharePoint and CIFS (file shares) without having to enter their AD credentials?

    Any help or information is much appreciated.

    Thank you

    You can enable the "internal password" field in the WebVPN customization and also rename it ("AD Password" for example), and then configure the auto sign-on entries for internal URLs as NTLM. That way, when the servers prompt, the WebVPN session will send the user name used to connect to the ASA but send the internal password captured during login instead of the password used to log in to the WebVPN itself.

    The only problem I saw during testing: there does not seem to be a graceful way of handling an incorrect or missing password; NTLM would fail and fall back to basic over SSL. Eventually it would lock out the AD accounts, depending on how many URLs the user tried, when the password entered at login was bad or missing (because it is not validated when logging in to the WebVPN).

  • PIX, ASA, and RSA SecureID

    Hi all

    I replaced our old PIX 515 with a new ASA 5520.

    On the PIX (running 6.x) we had configured the PIX to use an RSA SecurID appliance as the AAA server to authenticate remote VPN clients. To do this, we set up an AAA group using the RADIUS protocol. Now, for the ASA, I found documentation indicating that I need to create an AAA group that uses the SDI protocol.

    Now my questions are

    (1) Can I still use the RADIUS protocol on the ASA to authenticate with RSA SecurID, or do I have to use SDI?

    (2) If I have to use SDI, does that mean I also have to change the configuration on my RSA that I used to authenticate PIX users?

    Kind regards

    Screech

    Hi,

    (1) You can still use RADIUS.

    (2) Yes, you would need to allow auth requests coming from the ASA.

    Roman
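An added example (not from either thread) that covers the two questions above and the earlier "Access through RSA SecurID w/ RADIUS ASA" thread: the same RSA server defined on the ASA once as a RADIUS server group and once as a native SDI server group, the VPN tunnel group pointed at the OTP source, and device-management authentication split so that SSH uses the OTP server while HTTP/ASDM uses persistent local passwords. Addresses, names, ports and credentials are assumptions and placeholders.

```cisco
! (a) RADIUS towards the RSA appliance's built-in RADIUS server, as the PIX did.
! Address, ports and shared secret are assumptions.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
 authentication-port 1645
 accounting-port 1646
 timeout 10

! (b) Native SDI. The ASA registers as an agent host on the RSA server, which is
! why the RSA administrator has to allow auth requests from the ASA (answer (2) above).
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.20
 retry-interval 5
 timeout 10

! Remote-access VPN authenticates against the OTP source (SDI here; RSA-RADIUS
! would work the same way).
tunnel-group RA-VPN general-attributes
 authentication-server-group RSA-SDI

! Device management. SSH takes one credential per session, so an OTP source is
! fine; LOCAL after it is used only if the RSA server is unreachable.
! HTTP/ASDM replays the cached credential on every HTTP request, and a token
! code is valid once, so ASDM must use a persistent-password source.
aaa authentication ssh console RSA-SDI LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
username asa-admin password <strong-local-password> privilege 15
```

Before relying on either group, `test aaa-server authentication RSA-SDI host 10.0.0.20 username <user> password <pin+tokencode>` confirms the agent-host registration (for SDI) or the shared secret (for RADIUS) without locking a real session; a rejected second attempt with the same token code is expected and is the behaviour the ASDM thread ran into.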

  • ASA public 8.4 + key RSA for the SSH user authentication

    I saw in another post and in the configuration guide on the support community that RSA public key authentication is supported for SSH sessions in 8.4 and later. I tried implementing this on an ASA 8.4 and an ASA 9.1 and I get the same error on both. I tried specifying SSH version 2 to see if that was the issue, but I still get the error. Is there a step I'm missing?

    Here is the output of the configuration commands:

    ciscoasa(config)# username test nopassword privilege 15

    ciscoasa(config)# username test attributes

    ciscoasa(config-username)# ssh publickey authentication

    ^

    ERROR: % Invalid host name

    The links referred to above:

    https://supportforums.Cisco.com/thread/2150480

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_aaa.html#wp1053558

    http://www.Cisco.com/en/us/docs/security/ASA/asa91/configuration/General/aaa_servers.html#wp1176050

    Thank you!

    My version is 8.4(4).

    Tried to do it on another ASA with 9.1 and no luck.

    Did a little research, and it turns out that this feature was launched in 8.4(4) and is not available for later versions.

    So, probably, your 8.4 is a pre-(4) release and it was not available at the time, and in your 9.1 it is not available either)))

    Here is the document:

    http://www.Cisco.com/en/us/docs/security/ASA/roadmap/asa_new_features.html

    Take a look at table 10.
