Using RSA SecurID authentication
Hello
I'm trying to secure access using RSA SecurID for the following 2 scenarios:
- SSH/telnet/console to any Cisco device (router, switch, firewall)
- Users of SSL VPN
Is it possible to do this integration directly between the Cisco device and the RSA SecurID itself, or is it necessary to have GBA between the two?
Thank you
Justine.
With switches/APs/routers only RADIUS and TACACS+ are supported; you can configure IOS devices for the RADIUS protocol and the RSA server as a RADIUS token server.
http://www.Cisco.com/c/en/us/TD/docs/iOS/12_2/security/configuration/GUI...
ASA only supports the SDI protocol, so you can integrate RSA SecurID directly with it.
SDI on ASA
http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...
SDI with ACS
http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...
You can read the discussion on a similar requirement.
https://supportforums.Cisco.com/discussion/11259716/RSA-SecurID
~ BR
Jousset
Tags: Cisco Security
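To make the two paths in the reply concrete, here is an added configuration sketch (not from the thread or from Cisco documentation): an IOS router/switch sending SSH logins to the RSA server as a RADIUS token server, and an ASA sending SSL VPN logins to the same server over native SDI. The server address 192.0.2.10, the group and tunnel-group names, and the shared secret are placeholders.

```cisco
! --- IOS router/switch: SSH logins checked against the RSA server via RADIUS ---
! Server address, ports and shared secret are placeholders (assumption, not from the thread).
aaa new-model
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key REPLACE-WITH-SHARED-SECRET
! Token passcodes can take a moment to verify; give the server time to answer
! before the router declares it dead and falls through to the next method.
radius-server timeout 10
radius-server retransmit 2
! Method list: RADIUS first, local database only if RADIUS does not respond.
! A REJECT from the RSA server is final; "local" is not consulted on a rejection.
aaa authentication login VTY-TOKEN group radius local
aaa authentication login CONSOLE local
! Break-glass account for when the token server is unreachable (assumed name).
username break-glass privilege 15 secret REPLACE-ME
line vty 0 4
 login authentication VTY-TOKEN
 transport input ssh
line con 0
 login authentication CONSOLE

! --- ASA: SSL VPN users checked against the same RSA server over native SDI ---
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10
 timeout 10
 retry-interval 5
tunnel-group SSLVPN-TOKEN type remote-access
tunnel-group SSLVPN-TOKEN general-attributes
 authentication-server-group RSA-SDI
tunnel-group SSLVPN-TOKEN webvpn-attributes
 group-alias token-users enable
```

Two points worth checking before relying on this: the IOS `local` fallback only applies when the RADIUS group times out, so a wrong passcode is simply rejected; and on the SDI side the ASA must be registered as an agent host on Authentication Manager, because the first successful authentication establishes the node secret between the two (the View thread further down shows what a node-secret mismatch looks like in the RSA log).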
Similar Questions
-
View 5.1 with RSA Securid 7.1
We deploy VMware View 5.1 with RSA SecurID 7.1. We have RSA 7.1 and the RSA agent installed on the server, and the VDI VMs display the challenge. The View Manager is configured to use RSA according to the doc.
We also use Cisco VXC 2111 zero clients (connected to Cisco VoIP phones). The thin client connects and manages to authenticate with the password. However, the client also asks for the password and then passes the user on to the desktop.
I can't find info on how to prevent it asking for the password too. Any ideas?
EDIT: I discovered that the Cisco VXC 2111 runs View Client 4.6. I wonder if this is the problem?
I'll have to test it with a Wyse P20 and see if there is a difference.
1. With RSA SecurID authentication, View prompts for the password once SecurID authentication is complete. The password is necessary in order to perform SSO to the virtual desktop. If View does not request the password, SSO is not possible and the user must sign on to each virtual desktop in any case. SecurID represents an additional authentication at the beginning of the sequence.
2. You need not install the RSA Agent on the View Connection Server. View has all it needs to perform SecurID authentication against RSA Authentication Manager.
3. It is a very old document you are referencing; it's for View 3.0. See here for the latest documentation for each version of View: http://KB.VMware.com/kb/2003455
I hope this helps.
-
Has anyone used RSA SecurID tokens to connect to Cisco routers, switches and firewalls for management? Is it even supported on Cisco devices? I am NOT talking about VPN access.
Any help will be greatly appreciated.
Thank you
Lake
Yes, I have. On routers and switches you do not authenticate directly to the RSA server; it goes through an intermediary, such as Cisco ACS.
-
ASA access through RSA SecurID w/ RADIUS
Hello
I'm trying to configure AAA for access to our ASA box. I have an RSA SecurID appliance running Steel-Belted RADIUS. I have implemented SSH and telnet access without any problem.
However, when I try to access it via HTTP or with ASDM, it will not authenticate. I enabled the HTTP server and added the appropriate commands, but what actually happens when I try to log on by HTTP is that it sends 2 RADIUS queries, one immediately after the other. So the first gets accepted and the 2nd gets rejected. I think it's because you cannot authenticate twice with the same token code on the RSA, which is why the 2nd request is rejected. But it should not send 2 requests in the first place.
This does not happen through SSH.
I have attached a log from the flow of connection through the FW...
Any help is greatly appreciated!
Hello
ASDM will not work with RSA token server generated passwords. Passwords generated by the RSA token server are one-time use only. They expire after the first use. ASDM uses Java, which caches the authentication once connected at the start. For all subsequent HTTP transactions of ASDM, Java uses the cached authentication information when communicating with the device. Each ASDM action to the device is an independent HTTP transaction involving its own SSL handshake, but because Java uses the cached authentication information, users do not have to re-enter it.
ASDM works only if the configured authentication mechanism uses persistent passwords. One-time password mechanisms do not work with ASDM.
Try to test HTTP authentication with a local user account on the RADIUS server and verify the results.
I hope this helps.
Soumya
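The practical consequence of the reply is to keep the one-time-passcode server for session-based access (SSH/telnet) and give HTTP/ASDM a credential store with reusable passwords. The following is an added ASA configuration sketch, not from the thread; it uses the ASA LOCAL database for HTTP rather than the local account on the RADIUS server suggested above, and the server name, address, shared secret and subnet are placeholders.

```cisco
! Assumed server group name, address and shared secret (not from the thread).
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET

! SSH/telnet: one passcode per session, so a one-time passcode works here.
! LOCAL after the group is a fallback only when the RADIUS server does not respond.
aaa authentication ssh console RSA-RADIUS LOCAL
aaa authentication telnet console RSA-RADIUS LOCAL

! HTTP/ASDM: the Java client re-sends its cached credential on every transaction,
! so it needs a reusable password. Point it at LOCAL (or at a RADIUS group backed
! by static passwords), never at the token server.
username asdm-admin password REPLACE-ME privilege 15
aaa authentication http console LOCAL
http server enable
! Restrict ASDM/HTTP to the management subnet (placeholder subnet).
http 192.0.2.0 255.255.255.0 inside
```

A quick check that this is working as intended: after saving, watch the RADIUS server's authentication log while opening ASDM. With `http console` pointed at LOCAL, no RADIUS request should appear for the ASDM login, while an SSH login should still produce exactly one request.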
-
VMWare View with RSA SecurID integration
Hi all.
We are trying to make VMware View authenticate users through RSA SecurID according to the attached document. However, it is not clear where to put the node secret file that is generated on the RSA Authentication Manager server. It is exported as a .rec file and is password-protected, but the View server configuration has no fields to load the node secret file. Should I simply rename the .rec file to securid and put it in %SystemRoot%\System32\securid? But then how does View Server decrypt this file using the password?
On the RSA server, I see in the logs:
2010-03-12 08:05:49U-
/viewservername.company.com-
12/03/2010 03:05:49U verification of node doesn't have a rsa - ace - server.company.com
The RSA doc says:
"An incompatibility between the node secret stored on an Authentication Manager and that subsequently stored on an Agent Host may occur if you delete and re-create an Agent Host, or if you accidentally delete a node secret file. The incompatibility prevents messages between the devices from being decrypted and causes the Agent Host to deny access to all users who attempt to log on. The node verification failure is recorded in the audit trail."
Hello
For me it looks like the attached image.
MCP, VCP
-
Cisco ACS 1113 appliance v4.1 - integration with RSA SecurID v6.1
The Windows version of Cisco ACS seems to have the ability to integrate with RSA SecurID; it's listed under external databases. It can also support the SDI protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113, but RSA SecurID does not appear in the external databases section. Does this mean that I won't be able to use the SDI protocol, and only RADIUS is available?
And yes, you are right.
With ACS we need to configure it using RADIUS; on ACS SE it won't work with SDI.
Kind regards
Prem
-
Hello
I have a question about Cisco AnyConnect and RSA SecurID.
I need to map users to groups in the RSA SecurID server.
When I try to create a profile and a tunnel group and then authenticate with the RSA server, I just see the user name.
Successful AAA user authentication: server = 10.210.x.x: user = test
I need the tunnel group name (for authorization) to be sent to the RSA server together with the user name.
Successful AAA user authentication: server = 10.210.x.x: Group = tunnel: user = test
Are there good documents on this subject?
You can create group mappings for some external user databases based on the combination of external user database groups to which users belong. The following types of external user databases are the ones for which you can create group mappings based on group set membership:
Windows domains.
Generic Lightweight Directory Access Protocol (LDAP).
The following URL can help you with the group mapping configuration:
-
Using PEAP, getting "authentication failed" in the event log
I'm trying to set up a RADIUS server and PEAP on a Cisco AIR-AP1242AG-A-K9 and I get an authentication failure message in the event log.
First of all, I see "RADIUS server 10.209.128.61:1645,1646 is not responding".
Then I see "RADIUS server 10.209.128.61:1645,1646 is back".
Then I get the message "authentication failure station". The Association tab shows the client's status as "processing the association".
Clients are a Flint MX-560 and a Windows XP SP2 HP laptop with an internal Intel PRO/Wireless 3945ABG network card.
I was able to get the Flint to work using LEAP, but no luck at all with the PEAP protocol.
Can someone help me?
Thank you!
PEAP allows you to authenticate wireless users without requiring that they have USER certificates, but you still need a ROOT certificate.
Here are some more specific details on PEAP:
"... the Protected Extensible Authentication Protocol (PEAP) Version 2, which provides an encrypted and authenticated tunnel based on Transport Layer Security (TLS) that encapsulates EAP authentication mechanisms. PEAPv2 uses TLS to protect against rogue authenticators, to protect against various attacks on the confidentiality and integrity of the inner EAP method exchange, and to provide EAP peer identity privacy."
"In the TLS negotiation, the server presents a certificate to the peer. The peer MUST verify the validity of the EAP server certificate and SHOULD also examine the EAP server name presented in the certificate, in order to determine if the EAP server can be trusted."
http://Tools.ietf.org/ID/draft-josefsson-PPPEXT-EAP-TLS-EAP-10.txt
• PEAP uses server-side, PKI-based digital certificate authentication.
• PEAP uses TLS to encrypt all sensitive user authentication information.
http://www.Cisco.com/en/us/docs/wireless/technology/PEAP/technical/reference/PEAP_D.html#wp998638
-
VPN 3000 concentrator using OSPF MD5 authentication fails
Hi all
I just tested OSPF on a VPN 3005 connected to a Cisco router using OSPF MD5 authentication, but it fails. On the Cisco router I can see the OSPF neighbor state is "INIT", but I cannot see any neighbor on the VPN 3005; the physical connection is good and they can ping each other. I tried the commands "ip ospf authentication message-digest", "ip ospf authentication-key" and "ip ospf message-digest-key" on the router; the password is the same on both sides and the MD5 key ID has been set. But when I use simple authentication or disable authentication, the neighbor relationship can come up. Has anybody met this case before? Thank you!
Best regards
Teru Lei
Hello
This is a known bug; I also met this before: CSCef38044
It is not possible to bring up an OSPF MD5 neighborship with newer versions of IOS on which the LLS capability is enabled. The LLS capability is activated somewhere around 12.2T. This behavior can be found on CVPN 4.1.5 and above, including 4.7.
I tested it with several IOS and CVPN OS versions - same result. The symptom: the router OSPF neighborship remains in the INIT/DROTHER state.
The workaround is to configure on the router:
router ospf 1
 no capability lls
This will solve your problem.
Attila Suba
-
Unable to "Use Windows session authentication" in the vSphere 6 web client
Hello
Since the upgrade from vSphere 5.5 to 6U1, the "Use Windows session authentication" box will not turn on. I installed the integration tools and tried both the latest version of Chrome and IE 11. Has someone managed to use this?
Thank you.
Hi Tim,
Please try the latest version of the ICU. The download is referenced in William Lam's blog here:
Andreas
-
Is it possible to have a secure FTP connection using private key authentication?
Is it possible to have a secure FTP connection using private key authentication to connect to a folder on Business Catalyst?
Hello
Not available at this stage; the only options are in the article on setting up SFTP.
- http://helpx.adobe.com/business-catalyst/partner/connecting-site-using-ftp-client.html
Kind regards
-Sidney
-
SSO with WebVPN ASA using RSA tokens
Current configuration:
Chip & PIN: the user authenticates to -> ASA5510 8.2 Clientless VPN -> passed via SDI to RSA Authentication Manager 7.2.
I've got authentication working great: at the first connection, users can connect with their AD usernames and RSA tokens and generate their PIN code.
We used to use ACS Express and its AD information for VPN authentication, but now we have to use two-factor authentication.
Is it possible to somehow maintain SSO so that when the user authenticates via their RSA token they can still browse OWA, SharePoint and CIFS (file shares) without having to enter their AD credentials?
Any help or information is much appreciated.
Thank you
You can enable the "internal password" field in the WebVPN customization and also rename it ("AD Password" for example), then configure the auto-signon entries for the internal URLs on NTLM. That way, when the servers prompt, the WebVPN session will send the user name used to connect to the ASA but send the internal password captured during login instead of the password used to connect to the WebVPN itself.
The only problem I saw during testing: there does not seem to be a graceful way of handling an incorrect or missing password; NTLM would then fail and fall back to basic over SSL. Eventually it would lock out the AD accounts, depending on how many URLs the user tried, when the password entered at login is wrong or missing (because it isn't what was used to connect to the WebVPN).
-
LOCAL + RSA VPN authentication?
Hi... we have a customer using an ASA 5520 8.2(2) for VPN (WebVPN) connections. Currently they use user/pass configured locally for authentication (it's the default; there is no explicit LOCAL configuration).
They would like to use their RSA security device, but not for all users at once. Is it possible to use the local database and RSA as authentication points, i.e. if there is no configured local user name, try RSA (or vice versa)?
Thank you
Jim
The ASA cannot do that natively, fallback authentication being quite limited on the ASA. There are two possibilities to solve this:
(1) Use an external server which can chain these authentication stores (ACS or ISE may be used). But it is a rather expensive solution.
(2) Build more tunnel-groups with different authentication settings and ask your users to use a particular one.
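Option (2) above, written out as an added ASA configuration sketch (not from the thread): one tunnel-group keeps authenticating against the LOCAL database, a second one authenticates against the RSA server over SDI, and the login page lets users pick between them. Tunnel-group names, aliases and the server address are placeholders.

```cisco
! Assumed server group name and address (not from the thread).
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! Tunnel group for users who still have local accounts on the ASA.
tunnel-group VPN-LOCAL type remote-access
tunnel-group VPN-LOCAL general-attributes
 authentication-server-group LOCAL
tunnel-group VPN-LOCAL webvpn-attributes
 group-alias Local-Users enable

! Tunnel group for users already migrated to RSA tokens.
! Note: "authentication-server-group RSA-SDI LOCAL" would NOT give the chaining
! asked for above - LOCAL is consulted only when the RSA server is unreachable,
! never when it rejects the user.
tunnel-group VPN-RSA type remote-access
tunnel-group VPN-RSA general-attributes
 authentication-server-group RSA-SDI
tunnel-group VPN-RSA webvpn-attributes
 group-alias Token-Users enable

! Show the group drop-down on the WebVPN login page so users can choose.
webvpn
 enable outside
 tunnel-group-list enable
```

Because a user who knows the alias can select either group, delete (or disable) the local account of each user as they are migrated to a token; otherwise the Local-Users group remains a single-factor path for them.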
-
Group authentication with, and RSA-SIG authentication without, Xauth
Hello
I want to migrate my VPN users (dynamic clients) from OTP token authentication to certificate-based authentication.
For a while, I'll have two methods of authentication on one VPN endpoint (PIX).
For the Office of the Prosecutor, there is Xauth against an AAA server.
Now I want my cert users to be exempt from Xauth. There is no need for separate user authentication.
See my configuration excerpt below for reference.
===========================================================
access-list 101 permit ip any any
ip local pool VPNpool 192.168.0.0-192.168.0.50
vpngroup VPNgp address-pool VPNpool
vpngroup rasadmin idle-time 1800
vpngroup rasadmin password VPNpass
crypto ipsec transform-set VPNts esp-3des esp-sha-hmac
crypto dynamic-map client 5 match address 101
crypto dynamic-map client 5 set transform-set VPNts
crypto map vpn 1024 ipsec-isakmp dynamic client
crypto map vpn client authentication TACACS+
crypto map vpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
===========================================================
How can I exclude the rsa-sig users from Xauth (crypto map vpn client authentication TACACS+)?
Only the group authentication should authenticate with user name and password in addition to the pre-shared authentication.
In my tests it seemed to me that Xauth can only be enabled or disabled for all isakmp policies and VPN groups.
Or is it possible to deviate per policy, group, pool, or something else?
I use PIX 6.3(4) and the latest Cisco VPN Client.
Thanks for your advice
Stephan
Unfortunately, as you have understood well enough already, XAuth is enabled at the global level, not by group. If you turn it on for some users, it gets turned on for all, no way around it.
-
I'm trying to sign in to iCloud on a MacBook Air I have used constantly for several years. I enabled two-factor authentication, and my iPhone (where I get my verification code) shows my MacBook Air as hundreds of miles away from its actual location. Do I still allow the sign-in, or is something else wrong?
Where does your MacBook Air show its location?