VI and RSA authentication client

I have a firewall between all of my ESX hosts and vCenter; vCenter can then only communicate with the service console interface of any ESX host. Administrators can connect their VI Client to vCenter, but I want them to use two-factor authentication when connecting to vCenter through the VI Client. Is this possible?

I don't want to rely on RSA auth when connecting to vCenter via RDP, as that would limit the connections to 2 sessions.

Hello

SecurID for vCenter/Virtual Center is not available. Right now, I recommend putting the vCenter server and the ESX management consoles on a separate 'management LAN' and using a firewall that supports SecurID for RDP into the management LAN. To work around the RDP limit you mentioned, I would create XP workstations in the management LAN. If you use View, you could create a pool of admin computers residing in the management LAN, and you can use SecurID to get to them. View supports SecurID.

Mike

I work at RSA

Tags: VMware

Similar Questions

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently had a Cisco Secure ACS 1120 and I improved the Unit 5.1 5.0 with all your support

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.

    I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

    Now, when I log into ACS and search for devices in the identity store sequences I am not able to get Server Token RSA.

    Let me know what was wrong, where can I fix and also please tell me what is the communication between the RSA and ACS?

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?

    If you go to

    Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles

    Hello

    I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)

    I create several groups within the Active Directory server, I try to give to users for their groups different access rights.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still refuse to get access, RSA authentication is successful, but the group membership, active directory does not work, even with the unix attributes or group principal defined for the user.

    My question is this valid configuration scenario? Is there another way to define several profiles according to the Group of users of external source?

    The stages of monitoring:

    Measures

    Request for access received RADIUS 11001

    11017 RADIUS creates a new session

    Assess Service selection strategy

    15004 Matched rule

    Access to Selected 15012 - NetOp/NetAdm service policy

    Evaluate the politics of identity

    15004 Matched rule

    15013 selected identity Store - server RSA

    24500 Authenticating user on the server's RSA SecurID.

    24501 a session is established with the server's RSA SecurID.

    24506 check successful operation code

    24505 user authentication succeeded.

    24553 user record has been cached

    24502 with RSA SecurID Server session is closed

    Authentication 22037 spent

    22023 proceed to the recovery of the attribute

    24628 user cache not enabled in the configuration of the RADIUS identity token store.

    Identity sequence 22016 completed an iteration of the IDStores

    Evaluate the strategy of group mapping

    15006 set default mapping rule

    Authorization of emergency policy assessment

    15042 no rule has been balanced

    Evaluation of authorization policy

    15006 set default mapping rule

    15016 selected the authorization - DenyAccess profile

    15039 selected authorization profile is DenyAccess

    11003 returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search List and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.

  • Double authentication using LDAP and RSA

    I would use LDAP and RSA (double authentication) for my SSL VPN clients.  Can I authenticated users if my logon page requires users to enter a second username.  If I have the configuration so that they have to enter their username once, no authentication attempt is passed on to the authentication servers.  I'm under debug on LDAP and RADIUS (for RSA), which is what I know that authentication is never over if they are to enter their user name once on the login page.

    If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.

    Does anyone know how to configure the ASA so that they have to enter their username once while using the LDAP (as principal) and RSA (RADIUS) (secondary)?

    Thanks in advance.

    Matt

    Hi Matt,

    I just tried on 8.3 (2) and it works as expected. I suspect that you are running into this bug:

    CSCte66568    Double authentication broken in 8.2.2 during use-primary-username is CONF.

    If you are running 8.2, upgrade to 8.2 (3) and you should be fine.

    HTH

    Herbert

  • Next issue known token of RSA - Horizon Client for Mac - problem/Bug?

    Scenario:

    VMware View 5.3.5

    View Client that connects to a server in a DMZ security

    Security server is associated with a connection to the server and the connection to the server is in the local private network with the device of the RSA authentication

    Running VMware View Client for Mac version 3.5.2:

    * RSA policy is that 3 failures require the "next necessary token code" at the next logon

    * The user tries to authenticate 3 times using an invalid RSA code

    * User tries to connect to the fourth opportunity with a valid RSA code

    As expected, the RSA authentication requires the next Token Code. View Client presents the dialog box asking the user to wait for the next token code

    However - any value is given in this box, the proceed button is grayed (disabled). There is no way to go forward with or without the next token code. Only the button CANCEL is made available.

    Is this a known issue with the customer?

    Thank you

    I just wanted to update that I got it to work.  We are on the Horizon to display 7 on the backend and it seems that this user has downloaded an earlier version of the Client VMware Horizon.  I don't know about the version feature cross-as you say you execute view 5.3.5 but switch to version 4.0 (release 16/06/16) fixed the problem for me.

  • MS RADIUS and Cisco VPN client

    We currently have with a Server Windows RAS and IAS authentication with PPTP to users.

    I want to move a hub (we have two not used) and the use of the Cisco VPN client with IPSEC 3005, also using the RADIUS (IAS) in Windows to authenticate against Active Directory.

    I have a config to work for the client and it performs authentication, but I'm afraid that you can't configure IAS to work with IPSEC, unless you configure the policy for

    "Unencrypted authentication (PAP, SPAP)"

    on the Authentication tab

    and

    "No encryption".

    on the encryption tab.

    Are the credentials encrypted with IPSEC to establish the tunnel of the Cisco VPN client?

    For RADIUS PAP authentication, the user name is clear and the password is encrypted with the RADIUS shared secret.

    To maximize security, you would use TACACS+ or IPSec transport mode and an isolated VLAN. But for most of us, strong passwords and physical security prevent RADIUS PAP from being a significant weakness.

  • ASA and RSA SecurID

    Hello

    I have a question about Cisco AnyConnect and RSA SecurID.

    I need to define users to groups in the RSA SecurID server.

    When I try to create a profile and a group of tunnel and then authenticate with the server RSA I just see the user name.

    Successful AAA user authentication: server = 10.210.x.x: user = test

    I need the group name(for authorization) with name tunnel user to send to the RSA server.

    Successful AAA user authentication: server = 10.210.x.x: Group = tunnel: user = test

    There are good documents on this subject?

    You can create groups for some external user databases maps based on the combination of the external user database groups to which users belong. The following types of data are the types of database external user for which you can create group maps based on membership in a group together:

    Windows domains.

    Generic Lightweight Directory Access Protocol (LDAP).

    The following URL can help you in the group mapping configuration:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/user/guide/QG.html#wp940457

  • RSA Authentication Manager 7.1

    We had a problem with RSA Authentication Manager 7.1 told me of RSA, is that:

    The following features of VMware ESX 4.0 are supported: cloning, physical-to-virtual conversion, virtual-to-physical conversion. Advanced VMware infrastructure features such as Snapshots, VMotion, DRS, HA, and Consolidated Backup are not supported. RSA recommends that customers use the features built into the RSA Authentication Manager 7.1 for these types of services.

    Seems strange that VMotion, DRS and HA are not supported but cloning and P2V are supported. Has anyone had problems with RSA and VMware?

    Mike

    Hi Mike,

    In fact, there are other suppliers of applications that do not officially support these features. Most of the time, it's because they do not trust the suspension mechanism used when hot - move a virtual machine from one host to another. They consider that they can guarantee the integrity of the data in such situations.

    If you do not have much choice: either you follow the rules that will be supported, or you do not have and keep fingers crossed not not have any question.

    If all goes well, having more virtual servers in the world, many applications now come with no restrictions against VMotion and DRS.

    Regards

    Franck

  • Combination of certificate and anonymous authentication on a server not supported?

    Hello

    having certificates of authentication (name of user and password is DISABLED) and anonymous authentication turned

    on a server LCRM led to errors of application client-side open documents protected Anonymous auth.

    Earlier, as the name of user and password - auth is lit (in more cert and anonymous authentication).

    Anonymous-auth protected documents very well just open (without any question on the credentials)

    Is this considered a bug?

    There will be a solution for this?

    Thank you

    Dilettanto

    Dilettanto

    I was able to reproduce the problem that you reported.  I don't know if this is a bug or not, although it seems that it might be.

    You must connect this issue with the Adobe technical support so he can deal with the necessary people.

    Regards

    Steve

  • Why my phone was telling me my copy of windows and not authentic after two years? I tried a system restore but it did not help

    Why my phone was telling me my copy of windows and not authentic after two years?

    I tried a system restore but it did not help

    Hello

    1. Windows you receive not genuine error?
    2. Did you do any software or hardware changes on your computer before the show?
     
    Follow the below mentioned article:
    Genuine Windows: Frequently asked questions:
    http://Windows.Microsoft.com/en-us/Windows/help/genuine/FAQ

  • AnyConnect user using the user certificate authentication and LDAP authentication

    Hello

    I'm trying to implement the Anyconnect VPN for my office. Now, I want the user to authenticate the user certificate based (which is install user local system are we) CN value and LDAP authentication. A help how to achieve this requirement. We install Certificate ROOT and INTERMEDIATE Godaddy and even already installed ASA. Also, we have the user certificate installed on each system user to authenticate the user.

    Any help please.

    Hi subhasisdutta,

    This link will certainly help you with the configuration:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    Hope this info helps!

    Note If you help!

    -JP-

  • Cisco and Checkpoint VPN clients on a single PC

    Hello

    I'm in the following fix:

    I had used customer Checkpoint SecuRemote 4.1 SP - 5 VPN in the past.

    Now, I have installed the Cisco VPN client version 4.0.4 on my PC to access IPSec VPN for the PIX in our headquarters.

    According to Cisco VPN release notes http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel404/404clnt.htm#wp1346340 , it should be possible to have clients both Cisco and Checkpoint VPN installed on the same machine.

    But I am not able to connect to my PIX, I receive the following error message:

    "Secure the complete VPN connection locally by the Client.

    Reason 403: failed to contact the security gateway."

    When I'm looking for signs of PC control-> system-> hardware-> device Administration-> network cards, I can see Cisco Systems VPN Adapter disabled.

    After you activate manually, I always get the same error when you try to connect to the Cisco VPN client.

    After PC restart the Cisco VPN adapter is disabled later.

    I tried to uncheck Check Point SecuRemote form my Dial-up connection (bypassing CSCea31192 of bug, but the bug does not affect NAT - T connection which I use).

    I noticed the same situation on three different computers, one running Windows XP, both running Windows 2000.

    After uninstalling the client Checkpoint completely (including Windows registry manual removal), the Cisco VPN client works very well.

    It seems to me, therefore, that there is a profound mismatch between Cisco and Checkpoint VPN clients.

    Does anyone know of a workaround?

    Thank you

    Milan

    We had the same problem with some of our users who need to use the two clients to connect to customer sites.

    If I remember the cisco client does not start automatically, but the client of checkpoint 4.1 don't.

    We by-passed by deleting the registry entry point control that starts the client at startup. fwenc.exe is the entrance and it is in

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    After that make a shortcut to the executable file that is stored in the directory \bin to relevant checkpoint on the client (it is different from NT & 9 client x) and then only start when it is necessary.

    Hope that's a help

  • Windows IPSEC and SSL VPN client on the same machine

    Matches (coexistence) installation of IPSEC and SSL vpn clients that are supported on the same computer, windows (XP and Win7)?

    As mentioned by Patricia and Jennifer (5 stars), you can install two clients on the same machine without any problem.

    The tricky part comes when you are trying to connect two clients at the same time, that's when you may encounter unexpected problems.

    However, if your intention is to install both clients and connect them individually and not at the same time, you'll be fine.

    If you have any other questions, please mark this question as answered and note all messages that you have found useful.

    Thank you.

    Portu.

    Post edited by: Javier Portuguez

  • Install the MDW and the mobile client on the same platform

    Hi all

    We implement our 11g Oracle Database Server from Mobile environment and I was confused about something I read in the Release Notes (http://docs.oracle.com/cd/E22663_01/doc.11100/e22675.pdf).  In section 3.2 says 'do not install MDW and the mobile client on the same platform.'  Did mean really say 'platform' or does really do not install the MDW and the mobile client on the same device?  We are a store of Windows 100% - the mobile server is installed on a Windows Server machine, we plan to develop with Workbench Mobile database (GMD) on a Windows 7 desktop PC, and we intend to run the client mobile Windows 7 tablets. The Release Notes say that I can't do this?

    Yes - the way it is written is a bit confusing.    We will correct it in the next version of doc.    What we were trying to say, is do not install them on the same system.    Thank you for this comment.

    Kind regards

    Mike

  • I can't import any type of video file in the sequence, it represents imports video and audio. Please help me I am unable to work and I have clients waiting!

    I can't import any type of video file in the sequence, it represents imports video and audio. Please help me I am unable to work and I have clients waiting!

    Wild guess: I forgot to patch source the video track.
