Web authentication with RSA SecureID on a Cisco Switch

Hello

I recently looked into linking our Cisco 2960S switch to RSA SecurID via RADIUS.

I already managed to get it working for SSH access,

but I failed to make it work for HTTP / web access to the switch.

I think it is because we use the 'single use' maximum-security setting with the RSA SecurID tokens:

the web interface tries to authenticate several times against the RADIUS server (the RSA SecurID part)

(the first authentication succeeds, but every one after that wants a different token code).

I was wondering if anyone knew a way around this? (Is there a way to get the switch to authenticate once against the RADIUS server instead of multiple times?)

FYI, the switch is a WS-C2960S-24TS-L running IOS 15.0(1)SE2.

Hello Chris,

Can you test the following configuration?

aaa group server radius webtac_grp
 server <rsa-radius-server-ip>                  ! placeholder: the post omits the address
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
!
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
 all
!
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
!
radius-server host <rsa-radius-server-ip> key *   ! placeholder address; the key is masked in the post

I know for sure the above configuration works when you use TACACS+ instead of RADIUS, in order to avoid the multiple prompts caused by the authentication of the Java applets used to access the IOS GUI. I have not tested it against RSA acting as the authentication server.

NOTE: As "aaa authorization exec" is configured, the RSA server should send the Service-Type attribute with the value Administrative for it to work as expected.

If this was helpful please rate.

Kind regards.
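As an added illustration (not code from the original thread and not a Cisco tool), the following Python model shows why a one-time passcode fails when the IOS web GUI authenticates every HTTP request separately, and how an authentication cache with an expiry placed in front of the RADIUS group, as in the configuration suggested above, lets the token be validated once and the result reused. The OtpRadiusServer, CachedAuthenticator, simulate_web_login and FakeClock names, the sample user and codes, and the SHA-256 keying of the cache are all constructed for this example; they do not describe the real IOS cache implementation.

```python
import hashlib
import time


class OtpRadiusServer:
    """Stand-in for the RSA SecurID RADIUS server (constructed for this example).
    Each (user, passcode) pair is a one-time code: it is accepted exactly once and
    any later Access-Request carrying the same code is rejected as a replay."""

    def __init__(self, valid_codes):
        self._valid = {user: set(codes) for user, codes in valid_codes.items()}
        self._used = set()
        self.requests = 0  # number of Access-Requests that reached the server

    def authenticate(self, user, passcode):
        self.requests += 1
        if passcode not in self._valid.get(user, ()):
            return False
        if (user, passcode) in self._used:
            return False  # one-time code already consumed
        self._used.add((user, passcode))
        return True


class CachedAuthenticator:
    """Models an 'aaa cache profile' in front of the RADIUS group: a successful
    result is remembered, keyed by a digest of the credentials, until it expires."""

    def __init__(self, backend, expiry_seconds, clock=time.monotonic):
        self._backend = backend
        self._expiry = expiry_seconds
        self._clock = clock
        self._cache = {}  # credential digest -> absolute expiry time

    @staticmethod
    def _digest(user, passcode):
        # Assumption of the model: store a hash rather than the passcode itself.
        return hashlib.sha256(f"{user}\x00{passcode}".encode()).hexdigest()

    def authenticate(self, user, passcode):
        key = self._digest(user, passcode)
        now = self._clock()
        expires = self._cache.get(key)
        if expires is not None and now < expires:
            return True  # served from cache; RADIUS is not consulted
        if expires is not None:
            del self._cache[key]  # stale entry: fall through to the server
        ok = self._backend.authenticate(user, passcode)
        if ok:
            self._cache[key] = now + self._expiry
        return ok


def simulate_web_login(authenticator, user, passcode, http_requests=3):
    """The switch's web GUI issues several HTTP requests, each carrying the same
    credentials; each one triggers an AAA login authentication."""
    return [authenticator.authenticate(user, passcode) for _ in range(http_requests)]


class FakeClock:
    """Deterministic clock so cache expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    codes = {"chris": {"123456", "654321"}}  # constructed sample user and token codes

    # Without a cache: only the first HTTP request succeeds, the replays are refused.
    plain = OtpRadiusServer(codes)
    print("no cache:", simulate_web_login(plain, "chris", "123456"))

    # With a 60-second cache (IOS 'cache expiry 1' is one minute): one RADIUS round
    # trip, every request of the same GUI session is answered from the cache.
    clock = FakeClock()
    cached = CachedAuthenticator(OtpRadiusServer(codes), 60, clock)
    print("cache:   ", simulate_web_login(cached, "chris", "123456"))
    clock.advance(61)
    print("after expiry, same code:", cached.authenticate("chris", "123456"))
    print("after expiry, next code:", cached.authenticate("chris", "654321"))
```

The trade-off the model makes visible: for as long as the cache entry lives, the same credentials are accepted without the RSA server seeing them again, so the passcode is effectively reusable for that window. Keeping the cache expiry short, as the suggested configuration does with a value of 1, limits that exposure, and once the entry has expired the used code is refused again and the user must enter the next token code.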

Tags: Cisco Security

Similar Questions

  • double authentication with Cisco's VPN IPSEC client

Does the Cisco VPN Client (the legacy IPsec client) support dual authentication with an RSA token AND Active Directory credentials?

I know that AnyConnect supports it and that the command 'secondary-authentication-server-group' is only for SSL connections, but I need this confirmed.

    Kind regards

    Mohammad

Hi Mohammad,

Q. Does the Cisco VPN Client support double authentication?

A. No. Double authentication is not supported on the Cisco VPN Client.

You can find more information on the Cisco VPN Client here.

    As you said the only client that supports dual authentication is the Cisco AnyConnect secure mobility Client.

Please rate and mark this post as correct!

    Let me know if there are still questions about it!

    David Castro,

• How to configure IKE with RSA-sig without a CA between a 1760 and a PIX501?

    Hello

I have a question about IKE authentication with RSA-sig between a 1760 router and a PIX501 without a CA.

I found a URL for router to router, but not for the PIX. Do I need a third-party CA (public or internal) for the PIX?

http://www.Cisco.com/warp/public/707/18.html

Please correct me if I am wrong, or point me to the right URL.

Thank you

RSA-encr is available for IOS routers; the PIX supports certificates or pre-shared keys. You might want to look at this example with a MS CA:

    http://www.Cisco.com/warp/public/707/lan_to_lan_ipsec_pix_rtr_cert.html

  • PIX, ASA, and RSA SecureID

    Hi all

    I replaced our old Pix 515 for a new ASA 5520.

On the PIX (running OS 6.x) we configured the PIX to use an RSA SecurID appliance as the AAA server to authenticate remote VPN clients. To do this, we set up an AAA group using the RADIUS protocol. Now, for the ASA, I found documentation indicating that I need to create an AAA group that uses the SDI protocol.

Now my questions are:

(1) Can I still use the RADIUS protocol on the ASA to authenticate with RSA SecurID, or do I have to use SDI?

(2) If I have to use SDI, does that mean I also have to change the configuration on my RSA that I used to authenticate the PIX users?

    Kind regards

    Screech

    Hi little Duke

(1) You can still use RADIUS.

(2) Yes, you would need to allow auth requests coming from the ASA.

    Roman

  • Help with M6348 connecting to a Cisco network

    Hello

Can someone help me with best practices for connecting R710s via a stacked M6348 to a Cisco network.

    Our configuration is the following

    M1000e

2 x 1 GB pass-through in fabric A

2 x M6348 wired in a stack in fabric B

6 x R710 with four NIC ports in fabric B (3 are general-purpose servers, 3 are Hyper-V servers in a cluster)

    Cisco network

Mostly Cisco 3560 switches

    20 VLAN (1 per building) configured, mainly for the isolation of traffic (VLAN 300-320)

What (I think) we want:

Connect the M6348 to the core network in a LAG (4 x 1 GB ports. Can it be split, 2 ports on each of the stacked M6348s?)

Have a correct mapping for R710 1-3 to VLAN 301

Configure R710 4-6 for access to all VLANs so the Hyper-V hosts can be placed on the correct VLAN

Use the fabric for the connection to the SAN

Network management is carried out by a third party (we are unable to change this) and they claim that they are unable to connect Cisco/Dell!

We are server guys, not network guys, so something simple (especially for Cisco, to give to our management company) would be appreciated.

We tried to configure the switches in Simple mode, using a Dell deployment guide, but all we seem to get is the default VLAN on all ports of switch 1 in the stack, but no other VLAN and no active port on switch 2 in the stack.

I've probably missed information and not been very clear, so if more info is needed, please get back to me.

    Thanks in advance for the help

    Rich

Thanks for the updated information; actually, this confirms that the problem is with the connection to the Cisco switch. Have we tried a general link, instead of a trunk?

console# switchport mode general

console# switchport general allowed vlan add 300-320 tagged

console# switchport general pvid 301

console# end

Are we sure that the VLAN 301 IP address is 10.49.56.0? This doesn't seem right.

When we try pings over the trunk/general connection to the Cisco switch, make sure that the servers have their default gateway set to the IP address of the VLAN they are in access mode for. Thus, when in access mode on VLAN 301, the server's gateway would need to be 10.49.56.0. I would like to verify that IP address, however.

  • WLC (foreign-anchor), problem with external web authentication-> ISE

    Hello guys

I am designing a platform for a guest network, which must be isolated from the LAN, with the following equipment:

• ISE 1.2 (Cisco SNS-3415-K9)
• WLC 7.0.230.0 (Cisco 5508 controller) ---> foreign WLC
• WLC 7.0.230.0 (Cisco 5508 controller) ---> anchor WLC.

The PAES tunnel between the WLCs is successfully established.

The wireless client gets its IP address from the anchor WLC (DHCP server).

    Test 1:

I have set up the ANCHOR WLC with local (internal) web authentication; the wireless client is authenticated by the WLC and browses successfully.

    Test 2:

Configure the anchor WLC with external web authentication (ISE). Configure a user in the ISE guest portal.

The wireless client gets its IP address from the anchor WLC (DHCP server); when attempting to connect, the guest portal is not displayed.

A debug of a wireless client trying to connect to the guest network is attached.

That's right... there is a minimum supported code version required for this.

    Thank you

    Scott

Help others by using the rating system and marking answered questions as "answered."

  • Web authentication passthrough with input from the e-mail

Is it possible to use a custom login.html page when web auth/passthrough is used with e-mail input? I have a requirement to have users register with just an e-mail address and I need to provide a custom page.

I can get custom login pages working, but I can't figure out how to make a customized login.html page with only an e-mail entry.

    Any help is appreciated.

    Thank you

    Kurt

You should also check the wireless downloads. In the area where you find the controller code to download, you can also find a 'Wireless LAN Controller Web Authentication Bundle' containing several sample HTML pages, including one with e-mail input.

    This link might work, maybe not:

    http://Tools.Cisco.com/support/downloads/go/InterfaceModuleSWT.x?mdfid=279911269&mdfLevel=model&treeName=wireless&modelname=Cisco%204404%20Wireless%20LAN%20Controller&treeMdfId=278875243

  • Call the web service with Digest authentication

    Hello

I am using JDeveloper 12.2.4 and I need to build a Java class to call a web service with Digest authentication.

    Any suggestion?

    Refer to:

    http://StackOverflow.com/questions/14896324/consuming-WCF-service-with-Digest-authentication-from-Java

  • Basic authentication with the RESTful WEb service and a Web Service reference

    Hi all

We have made significant progress on getting an application to work with RESTful web services, but are now trying to understand how to lock down a RESTful Web service while making it available to a particular application.

We use one of the 'emp' table sample web services that come with Apex 4.2 and are trying to apply Basic Auth to the Web Service using a WebLogic filter defined in the web.xml file. That works very well. I now get challenged when I try to go to:

    https://wlogic.edu/Apex/BNR/ACE/HR/empinfo/

And when I authenticate against this challenge, I am able to get the data. (We are using the WebLogic-level LDAP authentication.)

However, I'm not sure how to get even basic authentication to work with a Web Service reference in my application. I see this error message in the application when I try to call the Web Service:

401 Unauthorized

And I see:
"The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials…"

How can I provide the credentials in the Web Service reference, or provide credentials in the application?
The Web service works fine if I remove the basic auth for the RESTful web service from the web.xml file.

Should we NOT use the WebLogic basic auth and instead use the basic auth in the RESTful Workspace web service definition? If so, how would we implement THIS basic authentication in the Web Service definition and in the Web Service reference in the application?

    Thank you
    Pat

    Hello Scott,

Thank you. There is a function for REST in the package:

    function make_rest_request(
    --
    -- This function invokes a RESTful Web service with the supplied name value pairs, body clob, or body blob
    -- and returns the response as a clob.
    --
    -- Arguments:
    --   p_url                  The url endpoint of the Web service
    --   p_http_method          The HTTP Method to use, PUT, POST, GET, HEAD or DELETE
    --   p_username             The username if basic authentication is required for this service
    --   p_password             The password if basic authentication is required for this service
    --   p_proxy_override       The proxy to use for the request
    --   p_body                 The HTTP payload to be sent as clob
    --   p_body_blob            The HTTP payload to be sent as binary blob (ex., posting a file)
    --   p_parm_name            The name of the parameters to be used in name/value pairs
    --   p_parm_value           The value of the parameters to be used in name/value pairs
    --   p_wallet_path          The filesystem path to a wallet if request is https
    --                          ex., file:/usr/home/oracle/WALLETS
    --   p_wallet_pwd           The password to access the wallet
    --
        p_url               in varchar2,
        p_http_method       in varchar2,
        p_username          in varchar2 default null,
        p_password          in varchar2 default null,
        p_proxy_override    in varchar2 default null,
        p_transfer_timeout  in number default 180,
        p_body              in clob default empty_clob(),
        p_body_blob         in blob default empty_blob(),
        p_parm_name         in wwv_flow_global.vc_arr2 default empty_vc_arr,
        p_parm_value        in wwv_flow_global.vc_arr2 default empty_vc_arr,
        p_wallet_path       in varchar2 default null,
        p_wallet_pwd        in varchar2 default null ) return clob;
    

    My point was that using the API makes things easier if you have to look for a solution.

    Denes Kubicek
    -------------------------------------------------------------------
    http://deneskubicek.blogspot.com/
    http://www.Apress.com/9781430235125
    http://Apex.Oracle.com/pls/Apex/f?p=31517:1
    http://www.Amazon.de/Oracle-Apex-XE-Praxis/DP/3826655494
    -------------------------------------------------------------------

• Cisco ISE 1.3 - MAB authentication with a VLAN for each floor

    Hello

A client wants to implement MAB authentication with a VLAN for each floor. I found a solution from Loïc.

I have set up the following:

- a different authorization profile with a different VLAN.

- Add the endpoint (printer etc.) to the endpoint identities.

- create an endpoint identity group that recalls that endpoint.

- create an authorization rule recalling all of the above... at the end.

Do you know if there is a faster way or another way to solve the problem?

Thank you all

Well, MAB in some environments could be replaced by profiling, and for the rules, rather than an authz rule for each floor, you can give your VLAN the same name in all your switches, e.g. "Printers"; then you would only need one authz rule, where you use the name of the VLAN instead of its ID number. So no matter where this printer is, it will end up in the 'Printers' VLAN, whatever its ID is on that specific switch.

  • Remote access VPN integration with RSA token

    Hello friends,

I currently have an ASA 5520 running 9.0 handling remote-access VPN, authenticated against the RADIUS of an ACS server. I also have an ACS TACACS+ server to authenticate access to network devices (routers, switches, etc.). My manager asked me to include a second level of authentication through RSA tokens. Questions:

How does it work?

Can I use my ACS TACACS+ as a redundancy method for VPN authentication in case my RADIUS server goes down?

Can I use my ACS RADIUS server as a redundancy method for managing my network devices in case my TACACS+ authentication server goes down?

In addition, can the RSA token be used to authenticate access to manage network devices?

    Any comments will be appreciated.

    Kind regards!

RSA has a built-in RADIUS server and by itself it can serve as the second factor.

Using the RSA token server by itself is two-factor when you use a PIN and a passcode.

Using TACACS+ for VPN is not possible.

Check with your RSA administrator for the integration steps.

You can directly integrate the ASA with RSA, and integrate ACS with RSA as well.

This way you have redundancy in the RSA server.

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/SecureID-SDI/1163...

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • Web authentication Catalyst 2960

    Hello

I am trying to configure web authentication fallback on a Catalyst 2960 switch. The goal is to authenticate clients that are not 802.1X-compliant (the 802.1X part works fine) via web authentication and allow them access to the network. The problem is that the web authentication seems to fail.

The equipment involved in my question: a Catalyst 2960 switch (version 12.2(37)SE) and a FreeRADIUS.

    Here's what happens:

The authentication window appears in my browser and the Access-Request is sent to the RADIUS server.

The RADIUS server replies with an Access-Accept. Debugs running on the switch show that all this information is arriving properly: the authentication debug output shows 'status = PASS' and the authorization debug output shows 'status = PASS_ADD'. Despite this, the browser on the client shows an "authentication failure" message.

I have read the manual and the Cisco attribute-value pairs 'priv-lvl=15' and 'proxyacl...' are mentioned. Are they required to make it work? I ask because I'm not setting up any switch login authentication via RADIUS.

    Any suggestions?

    Thanks in advance

    Yes, they are mandatory.

If priv-lvl=15 is not returned to the switch, the user will see "Authentication failed" and the access list will not be applied. If the source field in the proxyacl statements is not "any", or there are other syntax errors, the user will see "Authentication successful" but the access list will not be applied and the user will be denied access to the network.

Not sure about the specific FreeRADIUS configuration, but you need to set up the [026\009\001] Cisco av-pair VSA. It should look like:

priv-lvl=15

proxyacl#10=permit ip any any

Let me know if this gets you squared away.
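As an added example (not from the thread, and not a Cisco or FreeRADIUS tool), here is a small Python checker that applies the rules stated in the reply above to the cisco-avpair values a RADIUS server returns, so that an Access-Accept can be classified before it is tested against the switch. The function name, the regular expression and the sample attribute lists are constructed for this example; the priv-lvl and proxyacl source-address rules are the ones stated in the reply.

```python
import re

# Shape of a proxyacl entry: proxyacl#<seq>=<permit|deny> <protocol> <source> <rest>
# The reply above says the source field must be 'any'; everything after it
# (destination, ports) is passed through unchecked by this constructed checker.
PROXYACL_RE = re.compile(
    r"^proxyacl#(?P<seq>\d+)=(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s*(?P<rest>.*)$"
)


def check_webauth_avpairs(avpairs):
    """Classify the cisco-avpair strings of an Access-Accept for IOS web authentication.

    Returns (outcome, problems) where outcome is one of:
      'auth_failed'     - priv-lvl=15 missing: the browser shows 'Authentication failed'
      'acl_not_applied' - login succeeds but the proxy ACL is not installed
      'ok'              - attributes have the shape the switch expects
    """
    problems = []
    cleaned = [p.strip() for p in avpairs]

    if not any(p.lower() == "priv-lvl=15" for p in cleaned):
        problems.append("priv-lvl=15 is missing: the user will see 'Authentication failed'")
        return "auth_failed", problems

    acls = [p for p in cleaned if p.lower().startswith("proxyacl#")]
    if not acls:
        problems.append("no proxyacl entries: the switch has no access list to apply")

    for entry in acls:
        match = PROXYACL_RE.match(entry)
        if match is None:
            problems.append(f"{entry!r}: not of the form 'proxyacl#N=<permit|deny> <proto> any ...'")
            continue
        if match.group("src") != "any":
            problems.append(f"{entry!r}: source field must be 'any', not {match.group('src')!r}")

    return ("acl_not_applied" if problems else "ok"), problems


if __name__ == "__main__":
    # Constructed sample attribute lists, one per failure mode described in the reply.
    samples = {
        "correct":            ["priv-lvl=15", "proxyacl#10=permit ip any any"],
        "no priv-lvl":        ["proxyacl#10=permit ip any any"],
        "host as source":     ["priv-lvl=15", "proxyacl#10=permit ip 10.0.0.5 any"],
        "bad keyword":        ["priv-lvl=15", "proxyacl#10=allow ip any any"],
        "ports allowed":      ["priv-lvl=15", "proxyacl#10=permit tcp any host 10.1.1.1 eq 80"],
    }
    for label, pairs in samples.items():
        outcome, problems = check_webauth_avpairs(pairs)
        print(f"{label:16s} -> {outcome}")
        for problem in problems:
            print("    ", problem)
```

The checker only tells you which of the two symptoms from the reply to expect ("Authentication failed" versus a successful login with no network access); it does not validate the rest of the ACL syntax, which the switch itself will still parse.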

  • How to generate CSR on switches for web auth with NGS

    Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client is put into the web authentication state (after dot1x and MAB) and goes to a website, it receives a certificate warning. This is because the Cisco switch uses a self-signed certificate.

I want to use a Verisign certificate to resolve this error, but I can't find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but that is not a solution either, because the clients using web authentication won't trust the internal certification authority.

Is it possible to fix this?

    Greetings

    Steven

    Hi Steven,

The document below is really for IOS SSL VPN, but the certificate part should be the same:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for 'Appendix B'; it goes into the creation of a trustpoint and then has a section for the self-signed certificate and another for generating a certificate request to send to an external certification authority.

Once the trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".

This document goes into a bit more detail on the individual commands and what they do:

http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also, you can use something external to the switch, such as OpenSSL, to generate the CSR and private key, then use it to request a certificate from your Verisign CA and then import the cert/key pair into the IOS device.

    Thank you

    Nate

  • The web authentication.

I want to configure a switch for IEEE 802.1X port authentication with web authentication as a fallback.

Can anyone provide an example of a valid configuration?

Web authentication alone does not work!

Switch#sh run
Building configuration...

Current configuration : 3012 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication login default group radius
aaa authentication login line-con none
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name cisco.com
ip admission name rule1 proxy http
!
!
!
!
dot1x system-auth-control
!
!
!
!
!
!
fallback profile aid
 ip access-group Policy1 in
 ip admission rule1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
 switchport access vlan 142
 switchport mode access
!
interface FastEthernet1/0/47
 switchport access vlan 142
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x fallback aid
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan142
 ip address 10.1.254.1 255.255.255.0
!
ip classless
!
ip access-list extended peche1
 permit udp any any eq bootps
 deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Try adding this:

ip device tracking

In addition, if you want your web-auth users to use DNS to resolve URLs, you probably want to add something like this to Policy1:

permit udp any any eq domain

Don't forget that you need to wait until 802.1X times out (90 seconds by default) for Web-Auth to kick in.

    Shelly

  • Web authentication WISN and COMMENTS

I have a WISN and we use Cisco open web authentication with a user's e-mail address.

When executing these CLI commands:

> config network secureweb disable

> save config

> reset system

Will this make web authentication come up over HTTP instead of HTTPS?

This command is for management of the unit.

However, there used to be a workaround: when you disable HTTPS and SSH and restart the WLC, web authentication will be displayed as http and not https.

    Let me know if it works for you
