Cisco ACS 4.2 and RSA Authentication Manager Integration Guide

Table of Contents

1.1.   Introduction
1.2.   RSA SecurID server configuration
1.3.   Prerequisites
1.4.   RSA server IP addressing
1.5.   Agent Host configuration
1.6.   RSA user creation
1.7.   Cisco ACS side configuration
1.8.   Prerequisites
1.9.   Cisco ACS server: creating a new external database
1.10.  Network group mapping
1.11.  Cisco ACS server: sdconf.rec import
1.12.  Unknown user policy: external database mapping to RSA
1.13.  Cisco ACS user account creation mapped by external authenticator

Introduction

This document describes the procedure for integrating a Cisco ACS 1113 appliance with RSA SecurID Authentication Manager to provide two-factor authentication.

RSA SecurID server configuration

Prerequisites

• Windows 2000 Service Pack 4 or Windows 2003 Service Pack 3 server
• RSA server version 6.1 or higher with all the relevant patches loaded
• IP addressing must allow the RSA server to reach the ACS server without any firewall in between, so that the shared secret can be established

RSA server IP addressing

The address can be anything that falls within your local network address range assignment. Typically you would want to place the RSA server in a DMZ or another secured network segment. The addressing used in this guide:

• IP address: 192.168.1.10
• Subnet mask: 255.255.255.0
• Gateway: 192.168.1.1

Agent Host configuration

To facilitate communication between the Cisco Secure ACS and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Cisco Secure ACS within that database and contains information about communication and encryption.

To create the Agent Host record, you will need the following information:
• Hostname
• IP addresses for all network interfaces

When adding the Agent Host record, configure the Cisco Secure ACS as Net OS. This setting is used by the RSA Authentication Manager to determine how communication with the Cisco Secure ACS will occur.

Hosts only become functional once a proper node secret has been exchanged between the server and the host; before that, the node secret check box is greyed out.

[Screenshot not reproduced: Agent Host record for the Cisco Secure ACS]

The screen below shows that automatic agent registration is configured for host discovery.

[Screenshot not reproduced: automatic agent registration setting]

RSA user creation

The screen below shows a typical user created in the RSA server database with a token assigned. Note that these users need to be created on the ACS server as well if you have more than one group of users that need to access different resources: as of ACS versions 3.x and 4.x, the ACS mapping for an RSA server only allows a single ACS group to be mapped to a single RSA server instance.

[Screenshot not reproduced: RSA user record with assigned token]

Remember that you need to add all the hosts that are agents or servers, including the RSA server itself, to the Windows hosts file for everything to work properly.
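Because a missing or stale hosts-file entry is one of the most common reasons the agent and server cannot talk, the following Python script is added here (it is not part of the original guide) to check a Windows hosts file against an inventory of agent and server hostnames. It reports names that are absent and names that resolve to a different address than expected. The hostnames, the ACS and replica addresses and the sample hosts-file contents are constructed; only the RSA server address 192.168.1.10 comes from this guide.

```python
"""Check a Windows hosts file against the list of RSA agent and server hosts.

Added example, not part of the original guide. Hostnames, the ACS and replica
addresses and the sample hosts-file text are constructed; only the RSA server
address 192.168.1.10 comes from the guide.
"""
import ipaddress

# Constructed inventory: every host that is an RSA agent or server, including
# the RSA Authentication Manager itself (192.168.1.10 is from the guide; the
# other two addresses are assumptions).
EXPECTED_HOSTS = {
    "rsa-am-01": "192.168.1.10",        # RSA Authentication Manager
    "acs-1113": "192.168.1.20",         # Cisco ACS 1113 appliance (agent host)
    "rsa-replica-01": "192.168.1.11",   # RSA replica server (assumed)
}

# Constructed sample of the file found at <SystemRoot>\System32\drivers\etc\hosts.
# The ACS entry deliberately carries a stale address and the replica is missing.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.168.1.10    rsa-am-01 rsa-am-01.example.local   # RSA Authentication Manager
192.168.1.21    acs-1113                            # stale address for the ACS
"""


def parse_hosts(text):
    """Return {hostname_lower: ip} from hosts-file text.

    Handles full-line and trailing '#' comments, blank lines and several
    aliases on one line. Lines whose first field is not a valid IPv4/IPv6
    address are skipped. The first mapping for a name wins, as the resolver
    reads the file top to bottom.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_hosts(expected, hosts_text):
    """Compare an inventory against hosts-file text.

    Returns {'ok': [names], 'missing': [names],
             'mismatched': [(name, found_ip, expected_ip)]}.
    """
    found = parse_hosts(hosts_text)
    result = {"ok": [], "missing": [], "mismatched": []}
    for name, ip in expected.items():
        actual = found.get(name.lower())
        if actual is None:
            result["missing"].append(name)
        elif actual != ip:
            result["mismatched"].append((name, actual, ip))
        else:
            result["ok"].append(name)
    return result


if __name__ == "__main__":
    report = check_hosts(EXPECTED_HOSTS, SAMPLE_HOSTS_FILE)
    for name in report["ok"]:
        print(f"OK        {name}")
    for name in report["missing"]:
        print(f"MISSING   {name}")
    for name, actual, wanted in report["mismatched"]:
        print(f"MISMATCH  {name}: hosts file has {actual}, expected {wanted}")
```

To run it against a real system, replace SAMPLE_HOSTS_FILE with the contents of the hosts file on each agent and on the RSA server, and keep EXPECTED_HOSTS in step with the Agent Host records you create.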

 

Cisco ACS side configuration

The section below describes the ACS server side configuration.

Prerequisites

• ACS 1113 SE appliance running version 4.0 or higher

The following sections cover the Cisco ACS network group to RSA database mapping.

Cisco ACS server: creating a new external database

The screens below show the configuration sequence between the RSA server and the ACS server that lets them operate in tandem to perform the two-factor authentication, together with the specific configuration mapping. The shared secret file sdconf.rec is created on the RSA server.

[Screenshots not reproduced: external user database configuration on the ACS]

Network group mapping

The screen below shows the default network group that the RSA server database is mapped to on the ACS server.

[Screenshot not reproduced: network group mapping]

Cisco ACS server: sdconf.rec import

The sdconf.rec file is created on the RSA server and stored on an FTP server for upload to the ACS server. See the section below that describes creating a host record file on the RSA server for more detail before proceeding with this section.

[Screenshot not reproduced: sdconf.rec import on the ACS]

Unknown user policy: external database mapping to RSA

The screen below deals with requests for usernames that are not local to the ACS database: when a username is not specifically configured on the ACS, the device checks the RSA server as the external user authentication database.

[Screenshot not reproduced: unknown user policy]

Cisco ACS user account creation mapped by external authenticator

The screen below shows a typical user account belonging to the RSA database. Note that only the username has to exist in the ACS database; the password resides on the RSA server, where two-factor authentication is enforced.

[Screenshot not reproduced: ACS user account mapped to the RSA external database]
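To make the decision order concrete, here is an added Python model (not ACS or RSA code) of how the unknown user policy from the previous section and the externally authenticated local account from this section fit together: a username found in ACS is checked locally or handed to the RSA database according to its account setting and keeps the group assigned to that account, while a username not found in ACS is tried against the external databases listed in the unknown user policy and, if accepted, placed in the single ACS group mapped to that RSA instance. All usernames, passwords, PINs, tokencodes and group names are constructed, and the RSA passcode check is a stand-in that compares PIN + tokencode against a fixed sample.

```python
"""Toy model of the Cisco ACS authentication decision path with RSA SecurID as
the external user database. Added example, not ACS or RSA code; every username,
password, PIN, tokencode and group name here is constructed.
"""
import hmac


# --- Constructed RSA Authentication Manager side ---------------------------
# PIN and current tokencode per user. A real server derives the tokencode from
# the token seed and the current time; here it is a fixed sample value.
RSA_TOKENS = {
    "alice": ("1234", "555111"),
    "carol": ("9876", "222333"),
}


def rsa_verify(username, passcode):
    """Stand-in for the RSA passcode check: passcode = PIN + tokencode."""
    entry = RSA_TOKENS.get(username)
    if entry is None:
        return False
    expected = entry[0] + entry[1]
    # constant-time comparison; inputs of different length compare unequal
    return hmac.compare_digest(passcode.encode(), expected.encode())


# --- Constructed Cisco ACS side --------------------------------------------
# Local accounts. "auth" is either "local" (password stored in ACS) or the name
# of an external database; an external account exists in ACS by name only and
# its credential is verified by that database.
ACS_USERS = {
    "alice": {"auth": "rsa", "group": "VPN-Users"},
    "bob": {"auth": "local", "password": "bob-local-pw", "group": "Admins"},
}

# Unknown user policy: external databases to try, in order, for usernames that
# do not exist in ACS_USERS. An empty list models "fail the attempt".
UNKNOWN_USER_POLICY = ["rsa"]

# Database group mapping: one ACS group per RSA instance, reflecting the
# single-group limitation of ACS 3.x/4.x noted in the guide.
EXTERNAL_GROUP_MAP = {"rsa": "RSA-Default"}

EXTERNAL_VERIFIERS = {"rsa": rsa_verify}


def acs_authenticate(username, credential, unknown_user_policy=UNKNOWN_USER_POLICY):
    """Return (accepted, acs_group, reason).

    Decision order:
      1. username exists in ACS -> verify locally or via its external database,
         and use the group assigned to that ACS account;
      2. username unknown -> try each database in the unknown user policy and,
         on success, assign the group mapped to that database;
      3. otherwise reject.
    """
    user = ACS_USERS.get(username)
    if user is not None:
        if user["auth"] == "local":
            ok = hmac.compare_digest(credential.encode(), user["password"].encode())
            return (ok, user["group"] if ok else None,
                    "local password accepted" if ok else "local password rejected")
        db = user["auth"]
        ok = EXTERNAL_VERIFIERS[db](username, credential)
        return (ok, user["group"] if ok else None,
                f"{db} passcode accepted" if ok else f"{db} passcode rejected")
    for db in unknown_user_policy:
        if EXTERNAL_VERIFIERS[db](username, credential):
            return (True, EXTERNAL_GROUP_MAP[db], f"unknown user accepted by {db}")
    return (False, None, "unknown user rejected by every external database")


if __name__ == "__main__":
    attempts = [
        ("alice", "1234555111"),   # ACS account, passcode checked by RSA
        ("bob", "bob-local-pw"),   # ACS account with a local password
        ("carol", "9876222333"),   # not in ACS, accepted via unknown user policy
        ("dave", "0000000000"),    # not in ACS and unknown to RSA
    ]
    for name, cred in attempts:
        print(name, acs_authenticate(name, cred))
```

The point the model makes visible is the difference in group assignment: alice keeps the group of her ACS account even though her passcode is checked by RSA, whereas carol, who has no ACS account, can only land in the one group mapped to the RSA database.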

 

Recommended Reading

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening document
  3. Cisco VPN IPsec configuration examples
  4. Cisco IDS/IPS AIP/IDSM configuration examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with screenshots
